Application Data Folder...

Thread Solved
Closed Thread

#1 ep2002 (Posting Pro in Training), Jul 16th, 2005
Hi all,

I have been getting a lot of trojans lately which is pissing me off.

Does anyone know if the folder called Application data located in

C:\Documents and Settings\Administrator\Application Data\GridSoftDupe needs to be on the computer.

In that bloody Grid Soft folder there was a trojan & I see other .exe files in there & want to just delete the folder.

Any help you can give me would be great.

Thanks


Michelle

#2 crunchie (Moderator, Spyware Killer), Jul 16th, 2005
Sounds like a LOP infection.

First of all could you click Start>Settings>Control Panel>Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done. If not listed there, run the Lop Remover from:
http://www.thespykiller.co.uk/downloads.htm

#3 ep2002 (Posting Pro in Training), Jul 16th, 2005
Hey Crunchie,

Long time no talk

I have another post I typed up w/ your name in it

Ok, I searched for all of those & none are there.

Deleting just the file won't do the trick?

Thanks


Michelle

#4 crunchie (Moderator, Spyware Killer), Jul 16th, 2005
Did you try the LOP remover link? It is better (IMO) to do that first. There are usually more than the one entry.

#5 ep2002 (Posting Pro in Training), Jul 16th, 2005
Ok, I did that, but how do I know if it worked?

I also DLed HJT b/c when I got a new computer 6 months ago it was lost.

Should I run it & send you the code?

I don't even remember how after all this time LOL

Thanks


Michelle

#6 dlh6213 (Team Colleague, Posting Maven), Jul 16th, 2005
Originally Posted by ep2002
Ok, I did that, but how do I know if it worked?

I also DLed HJT b/c when I got a new computer 6 months ago it was lost.

Should I run it & send you the code?

I don't even remember how after all this time LOL

Thanks


Michelle
That would probably help; make sure you have the latest version of HijackThis (1.99.1).

Close any open browser windows, press the Scan and save log button, and then copy the contents of the log that comes up and paste it here.
Links to help you help yourself:

Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html

Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html

Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html

#7 ep2002 (Posting Pro in Training), Jul 19th, 2005
Logfile of HijackThis v1.99.1
Scan saved at 5:23:47 AM, on 7/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\system32\Brmfrmps.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
D:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
D:\Program Files\Live Human\LiveHuman.exe
C:\Program Files\AVPersonal\AVSched32.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\AVPersonal\AVGNT.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\CyberLink DVD Solution\Power2Go\Power2GoExpress.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\mail.com\mcalert.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
D:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
D:\Personal Assistant\assistant.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\notepad.exe
D:\Program Files\Microsoft Office\Office\Winword.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\FlashFXP\flashfxp.exe
D:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~e5d141.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Microsoft Office\Office\excel.exe
C:\WINNT\system32\notepad.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\63yrq29d.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8BA903A2-1CDE-A443-C538-E9065B7ED526} - C:\DOCUME~1\ADMINI~1\APPLIC~1\PHONED~1\Bleh Copy.exe
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MessengerPlus3] "d:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\system32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [PLXSTART] C:\PROGRA~1\PLEXTO~1\PLXSTART.EXE
O4 - HKLM\..\Run: [PLXTASK] C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
O4 - HKLM\..\Run: [LiveHuman] D:\Program Files\Live Human\LiveHuman.exe /S
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Zone Labs Client] d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [Personal Assistant] D:\Personal Assistant\assistant.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MessengerPlus3] "d:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink DVD Solution\Power2Go\Power2GoExpress.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: CorelCENTRAL Alarms.LNK = D:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Personal Assistant.lnk = D:\Personal Assistant\assistant.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Get Gutcheck - file://C:\Program Files\Gutcheck/ebay.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.com/control/launcher/3.0/ebie.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#8 crunchie (Moderator, Spyware Killer), Jul 19th, 2005
Download Omegakiller from here. Run the program from its own folder and allow it to remove any malware it finds.

==========

Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.

Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

=========

Reboot when done and post another log please.

#9 ep2002 (Posting Pro in Training), Jul 19th, 2005
Ok, here's what I've done.

I tried to delete all the files *.tmp as I did about 2 wks. ago, but just like 2 wks. ago I couldn't delete a ton of them b/c it says there is a shared violation.

It took me forever to try & delete them several at a time to get to the ones that weren't shared. Is there not another way or to make sure they aren't shared?

Same thing happened with this folder... C:\Documents and Settings\Administrator\Local Settings\Temp

Here's the log file from the Omega Killers. I'm not sure it did anything...

- This is an automatically created log of OmegaKillers output
- Please visit http://www.short-media.com/forum/forumdisplay.php?f=57
- for further assistance.


Running pass number: 1

- enumerating modules
- Downloader.HC module found
c:\documents and settings\administrator\local settings\temp\sta1b89.exe
- scanning bookmarks
- scanning desktop icons
- scanning and deleting browser hijacks

- scanning running processes..
- infection in memory: c:\docume~1\admini~1\locals~1\temp\sta1b89.exe
- process terminated.
- file removed.
- removing process startup key
- scanning startup processes
- found infection: messengerplus3
- deleted.
- found infection: forkholeencheart
- deleted.
- found infection: forkholeencheart
- deleted.
- scanning executable variants

- scanning BHO's
- infected BHO: {8BA903A2-1CDE-A443-C538-E9065B7ED526}
- removed
- infected BHO: {8BA903A2-1CDE-A443-C538-E9065B7ED526}
- removed
- scanning toolbars


Running pass number: 2

- killing Internet Explorer

- enumerating modules
- scanning bookmarks
- scanning desktop icons
- scanning and deleting browser hijacks

- scanning running processes..
- infection in memory: c:\docume~1\admini~1\locals~1\temp\eredacgf.exe
- process terminated.
- file removed.
- removing process startup key
- scanning startup processes
- scanning executable variants

- scanning BHO's
- scanning toolbars


Running pass number: 3

- killing Internet Explorer

- enumerating modules
- scanning bookmarks
- scanning desktop icons
- scanning and deleting browser hijacks

- scanning running processes..
- infection in memory: c:\docume~1\admini~1\locals~1\temp\ndzjqlhi.exe
- process terminated.
- file removed.
- removing process startup key
- scanning startup processes
- scanning executable variants

- scanning BHO's
- scanning toolbars


Running pass number: 4

- killing Internet Explorer

- enumerating modules
- scanning bookmarks
- scanning desktop icons
- scanning and deleting browser hijacks

- scanning running processes..
- infection in memory: c:\docume~1\admini~1\locals~1\temp\nguqfmjs.exe
- process terminated.
- file removed.
- removing process startup key
- scanning startup processes
- scanning executable variants

- scanning BHO's
- scanning toolbars


Running pass number: 5

- killing Internet Explorer

- enumerating modules
- scanning bookmarks
- scanning desktop icons
- scanning and deleting browser hijacks

- scanning running processes..
- infection in memory: c:\docume~1\admini~1\locals~1\temp\pfxoayqj.exe
- process terminated.
- file removed.
- removing process startup key
- scanning startup processes
- scanning executable variants

- scanning BHO's
- scanning toolbars

- no infections found, system clean on pass number: 5 ...
- all done ...
-------------------------------

I just deleted the Recycle bin, but there were only 52 items in it. I'll reboot & then come back.

Thanks


Michelle

#10 ep2002 (Posting Pro in Training), Jul 19th, 2005
Ahh, just so you know, I don't use IE unless forced to by some site that hasn't validated their site so I can use it with FF.

When I opened FF, something changed my homepage & NEVER EVER has FF done that to me, I've only had that problem w/ IE, so something I just did did that

Here's the new HJT file....

Logfile of HijackThis v1.99.1
Scan saved at 8:50:34 PM, on 7/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\system32\Brmfrmps.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
D:\Program Files\Live Human\LiveHuman.exe
C:\Program Files\AVPersonal\AVSched32.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\AVPersonal\AVGNT.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\CyberLink DVD Solution\Power2Go\Power2GoExpress.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\mail.com\mcalert.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\WINNT\system32\ntvdm.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
D:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
D:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
D:\Personal Assistant\assistant.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bxqdtteyylwmnirz.net/KvSH...x3tGK1TaF3.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exoticpublishing.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.ruwbdnyzenxkifj.uk/KvSHKSMIXgKohV8jqYHkPYR27NpxlgxCOglVdjEDUjo.jpg");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\63yrq29d.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\63yrq29d.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\system32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [PLXSTART] C:\PROGRA~1\PLEXTO~1\PLXSTART.EXE
O4 - HKLM\..\Run: [PLXTASK] C:\PROGRA~1\PLEXTO~1\PLXTASK.EXE
O4 - HKLM\..\Run: [LiveHuman] D:\Program Files\Live Human\LiveHuman.exe /S
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Zone Labs Client] d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINNT\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [Personal Assistant] D:\Personal Assistant\assistant.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink DVD Solution\Power2Go\Power2GoExpress.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ballrule] C:\DOCUME~1\ADMINI~1\APPLIC~1\GRIDSO~1\LINK FAST FLAW.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = D:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Personal Assistant.lnk = D:\Personal Assistant\assistant.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Get Gutcheck - file://C:\Program Files\Gutcheck/ebay.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.com/control/launcher/3.0/ebie.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


Thanks


Michelle
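The two HijackThis logs in this thread differ by only a handful of lines: the [ballrule] Run key under GRIDSO~1, the hijacked Search Bar and Start Page entries, and the "(no name)" BHO that Omegakiller removed between the two scans. Spotting those by eye in a log of this size is slow, so below is an added example (not part of the thread, and not HijackThis or Omegakiller code) that parses lines in the HijackThis "section - body" format, flags entries with a few defender-side heuristics, and diffs two logs so that new autostart entries stand out. The sample lines are constructed from the entries quoted above; the heuristics (binary under a user-profile data or temp folder, unnamed BHO, random-looking domain label in a browser setting) are my own assumptions, not rules HijackThis applies.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in HijackThis v1.99.1 format, modelled on the
# entries quoted in the thread. They are not a full log of any machine.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8BA903A2-1CDE-A443-C538-E9065B7ED526} - C:\DOCUME~1\ADMINI~1\APPLIC~1\PHONED~1\Bleh Copy.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
"""

AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bxqdtteyylwmnirz.net/KvSH...x3tGK1TaF3.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exoticpublishing.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [ballrule] C:\DOCUME~1\ADMINI~1\APPLIC~1\GRIDSO~1\LINK FAST FLAW.exe
"""

ENTRY_RE = re.compile(r"^([RNOF]\d+) - (.*)$")
# First drive-letter path ending in a loadable binary; the non-greedy match
# stops before closing quotes and trailing switches such as /min or -r.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\n]*?\.(?:exe|dll|ocx|cab)\b", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# Per-user writable locations (long and 8.3 forms) that legitimate
# autostarts and BHOs rarely live in. Heuristic, assumed for this example.
PROFILE_DIRS = ("\\docume~1\\", "\\documents and settings\\", "\\applic~1\\",
                "\\application data\\", "\\locals~1\\", "\\local settings\\", "\\temp\\")


@dataclass
class Entry:
    section: str            # R0, R1, O2, O4, O23, ...
    body: str               # everything after "<section> - "
    path: Optional[str]     # first binary path found in the body, if any


def parse_hjt(text: str) -> list[Entry]:
    """Parse HijackThis-style lines; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        p = PATH_RE.search(body)
        entries.append(Entry(section, body, p.group(0) if p else None))
    return entries


def looks_random(host: str) -> bool:
    """Heuristic: a long leftmost label (ignoring 'www') with very few vowels."""
    labels = [lbl for lbl in host.lower().split(".") if lbl != "www"]
    if not labels:
        return False
    label = labels[0]
    vowels = sum(c in "aeiou" for c in label)
    return len(label) >= 12 and vowels / len(label) < 0.25


def flag_entry(e: Entry) -> list[str]:
    """Return the reasons an entry deserves a closer look (empty list = none)."""
    reasons = []
    if e.path and any(d in e.path.lower() for d in PROFILE_DIRS):
        reasons.append("binary runs from a user-profile data/temp folder")
    if e.section == "O2" and "(no name)" in e.body:
        reasons.append("BHO with no name")
    if e.section in ("R0", "R1"):
        m = URL_HOST_RE.search(e.body)
        if m and looks_random(m.group(1)):
            reasons.append("browser setting points at a random-looking domain")
    return reasons


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Entries present only in `after` (added) and only in `before` (removed)."""
    def key(e: Entry) -> str:
        return f"{e.section} - {e.body}"
    b = {key(e) for e in parse_hjt(before)}
    a = {key(e) for e in parse_hjt(after)}
    return sorted(a - b), sorted(b - a)


def triage(before: str, after: str) -> dict:
    """Flag suspicious entries in `after` and list what changed since `before`."""
    added, removed = diff_logs(before, after)
    flagged = {}
    for e in parse_hjt(after):
        reasons = flag_entry(e)
        if reasons:
            flagged[f"{e.section} - {e.body}"] = reasons
    return {"flagged": flagged, "added": added, "removed": removed}


if __name__ == "__main__":
    report = triage(BEFORE_LOG, AFTER_LOG)
    for line, reasons in report["flagged"].items():
        print("FLAG", line, "->", "; ".join(reasons))
    for line in report["added"]:
        print("NEW ", line)
    for line in report["removed"]:
        print("GONE", line)
```

The diff is the part that earns its keep on a log like the ones above: a known-good baseline makes an entry such as [ballrule] obvious even when its path looks harmless, and the heuristics only add a second opinion on entries that were never in the baseline. The Start Page entry is not caught by the vowel heuristic, which is the point of combining the two checks rather than trusting either one.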
©2003 - 2009 DaniWeb® LLC