0

Every Time I Start Up My Computer That System 32 Folder Pop's Up.:evil:

How Can I Get It Not To Do That ??:cheesy:

I Have Service Pack 1...Windows XP

My Computer is HP Pavilion 525c

6
Contributors
16
Replies
17
Views
13 Years
Discussion Span
Last Post by DMR
0

Download 'Hijack This!'.http://www.computercops.biz/downloads-file-328.html
Unzip to a permanent folder, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.

Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
then post the log. here.
and I will help you remove what is causing the system32 folder to open at startup

0

Here It Is =)


Logfile of HijackThis v1.97.7

Scan saved at 7:01:46 PM, on 4/17/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\cisvc.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://riviera.cc (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/comcast.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.softwaretreasures.com/

R3 - Default URLSearchHook is missing

O1 - Hosts: 216.93.168.167 sitefinder.verisign.com

O1 - Hosts: comments (such as these) may be inserted on individual

O1 - Hosts: 62.216.18.38 servserv.westwood.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)

O2 - BHO: (no name) - {134FB2C9-AB9D-D389-829A-CC3EE987D52D} - C:\WINDOWS\system32\hunaxbcu.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe

O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe

O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Microsoft] C:\WINDOWS\system32\Spoolsv..exe

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe

O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: ComcastHSI (HKCU)

O9 - Extra button: WeatherBug (HKCU)

O9 - Extra button: Help (HKCU)

O9 - Extra button: Support (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net

O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab

O16 - DPF: ConferenceRoom Java Client - http://chat.htnet.hr:8000/java/cr.cab

O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab

O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab

O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab

O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/univ/scd/x/scdtattoo1x.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.exe

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab

O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {896DDE35-E955-11D0-A707-000000521958} - http://69.56.176.228/webplugin.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.aimphuck.com/Imbum_bw.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

0

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

please do the above while i work on your log .

Also in my signature get and update and scan with adaware and spybot ,also check the how to setup both also in my signature.Then this .

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run swshredder

How to start computer in safe mode

and then post a new hijack this log thanks

0

Ok This Is What I Did...I Made That Folder HJT in The C Drive i Saved HijackThis There And That Shredder....I Opend Them Bother From There (In Safe Mode) Then It Removed That Virants Things Or W.e Then I Did HijackThis The Log Is On The Bottom =)

Logfile of HijackThis v1.97.7

Scan saved at 12:27:16 AM, on 4/18/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O1 - Hosts: comments (such as these) may be inserted on individual

O1 - Hosts: 62.216.18.38 servserv.westwood.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)

O2 - BHO: (no name) - {134FB2C9-AB9D-D389-829A-CC3EE987D52D} - C:\WINDOWS\system32\hunaxbcu.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe

O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe

O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Microsoft] C:\WINDOWS\system32\Spoolsv..exe

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net

O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab

O16 - DPF: ConferenceRoom Java Client - http://chat.htnet.hr:8000/java/cr.cab

O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab

O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab

O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab

O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/univ/scd/x/scdtattoo1x.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.exe

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab

O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {896DDE35-E955-11D0-A707-000000521958} - http://69.56.176.228/webplugin.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.aimphuck.com/Imbum_bw.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

0

it still showes that you are running hijack from a temp folder .
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

0

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

fix these two ,01's if you didn't put them in your host file
O1 - Hosts: comments (such as these) may be inserted on individual

O1 - Hosts: 62.216.18.38 servserv.westwood.com

O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)

O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe

O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe

O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/univ/scd/x/scdtattoo1x.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.6.exe

O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.aimphuck.com/Imbum_bw.cab

now reboot computer in safe mode again and delete the following folders

C:\Program Files\Orbit\----Delete orbit folder

C:\Program Files\Open Site\--delete open site folder

to delete the above folder you will need to do the following
go to

"Fix Checked"...Reboot to SAFE mode to delete files

How to start computer in safe mode

Show hidden files & folders

reboot computer and post a new log.

0

Ok This Is What I Did...I Made That Folder HJT in The C Drive i Saved HijackThis There And That Shredder....I Opend Them Bother From There (In Safe Mode) Then It Removed That Virants Things

There are some important problems that have been missed so far. The following are, at the very least, adware and should be removed:

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.6.exe

O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {896DDE35-E955-11D0-A707-000000521958} - http://69.56.176.228/webplugin.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.aimphuck.com/Imbum_bw.cab

Here's why:

http://www.liutilities.com/products/wintaskspro/processlibrary/wupdt

http://webhelper.netfirms.com/transponders/buddyicons.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This one is highly suspect. Remove it separately and restore it from backup if it turns out that you need it:

O2 - BHO: (no name) - {134FB2C9-AB9D-D389-829A-CC3EE987D52D} - C:\WINDOWS\system32\hunaxbcu.dll

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here's a resource waster. Remove it:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

0

Ok I Fixed Checked All The Things You Guys Told Me =)

and I Deleted The Folder You Guys Told Me. :cheesy:


Logfile of HijackThis v1.97.7

Scan saved at 2:04:36 PM, on 4/18/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\cisvc.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/comcast.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.softwaretreasures.com/

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Microsoft] C:\WINDOWS\system32\Spoolsv..exe

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe

O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: ComcastHSI (HKCU)

O9 - Extra button: WeatherBug (HKCU)

O9 - Extra button: Help (HKCU)

O9 - Extra button: Support (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net

O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab

O16 - DPF: ConferenceRoom Java Client - http://chat.htnet.hr:8000/java/cr.cab

O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab

O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab

O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

O16 - DPF: {896DDE35-E955-11D0-A707-000000521958} - http://69.56.176.228/webplugin.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

0

Ok I Fixed Checked All The Things You Guys Told Me and I Deleted The Folder You Guys Told Me.

You still (again?) have some problems. I gotta step away, I'll go through them when I get back.

0

I Fixed Checked All The Things You Guys Told Me
and I Deleted The Folder You Guys Told Me.

You have some old ones back and some new ones, as well. You will have to do a 3-step process this time.

First, turn off System Restore before removing stuff. Some of your problems may be sneaking back in that way.

Second, make sure that IE is not running. It's best to shut down all programs except HijackThis when fixing stuff.

Now on to the problems:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.softwaretreasures.com/

R3 - Default URLSearchHook is missing

O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe

O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

Last, go into the folder C:\Windows\Prefetch, and locate a file named ZZB.EXE-something. Reboot your computer into Safe Mode and then delete the file. I would also recommend that you delete zzb.exe itself at the same time. You may even want to delete all the files in your Prefetch folder at this time, just to be safe. Viruses hide there.

Last, but not least, this is interesting. Why does it have two periods? Look in that folder and see if there are two files, Spoolsv..exe and Spoolsv.exe--if so, remove the two-dot one in Safe Mode and edit the Registry to the one-dot file. I haven't seen this before, but it would explain some things:

O4 - HKLM\..\Run: [Microsoft] C:\WINDOWS\system32\Spoolsv..exe

Here's some prevention tools:

SpywareBlaster -- blocks malware installation. Not a removal tool, helps keep adware and spyware off your PC by blocking ActiveX for known malware. Updates available on a regular basis.

SpywareGuard -- detect spyware programs. SpywareGuard works similar to an anti-virus program, by scanning EXE and CAB files on access and alerting you if known spyware is detected.

IE-SPYAD: Restricted Sites List for Internet Explorer. Registry add-in that moves known malware sites to the "Restricted" zone in IE to block the nasties.

XP Anti-Spy -- turn off the "phone home" functions in XP. Did you know that Windows XP, by default, monitors your computer usage and reports back to Microsoft? Slow it down, at least, with this tool.

0

Ok...This IS What I DId...I Used HijackThis And Fixed What U Lisyed Up There After I Did That System Reboot Off Thingy Then I Deleted All The Files In The Prefetch Folder...But There Wasnt That ZZb.Exe File There...And That Spoolvs File There And When I restarted My Comp The Folder Didnt Pop Up =)

0

Ok...This IS What I DId...I Used HijackThis And Fixed What U Lisyed Up There After I Did That System Reboot Off Thingy Then I Deleted All The Files In The Prefetch Folder...But There Wasnt That ZZb.Exe File There...And That Spoolvs File There And When I restarted My Comp The Folder Didnt Pop Up =)

First of all to help prevent this from happening again (the CWS hijack), install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

You need to post a new hijackthis log for us to determine what, if anything, is left.

0

So here's the log!!

To be fair on the original poster & seeing how his problem is still ongoing, it would be unfair to him/her to start doing your log. Please start your own thread where someone will be glad to help you.

0

To be fair on the original poster & seeing how his problem is still ongoing, it would be unfair to him/her to start doing your log. Please start your own thread where someone will be glad to help you.

Yes. It is our policy that threads remain focussed on the original poster's question in order to keep things clear and concise.

ElTete,

I've split your question into its own thread; you can find it here:

http://www.daniweb.com/techtalkforums/showthread.php?t=5871

Please follow your troubleshoot in that thread as oppsed to here.

Thanks. :)

0

Hey guys,

Same problem here any clues on what i need to fix?


Logfile of HijackThis v1.97.7
Scan saved at 2:46:48 AM, on 5/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
C:\WINNT\aximurzj.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\WINNT\system32\Bndt32.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\System32\hgrvys.exe
C:\Program Files\Messenger\msmsgs.exe
C:\program files\steam\steam.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Configuration Utility.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rhslacrosse.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [csmxxxmb] C:\WINNT\aximurzj.exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Bndt32] C:\WINNT\system32\Bndt32.exe
O4 - HKLM\..\Run: [] C:\WINNT\System32\
O4 - HKLM\..\Run: [codpteuqj] C:\WINNT\System32\hgrvys.exe
O4 - HKLM\..\RunServices: [WinSvc32.exe] C:\WINNT\System32\MsSvc32\WinSvc32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Startup: Configuration Utility.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Administrator\Application Data\DownloadPlus.exe
O4 - Startup: Drempels Desktop.lnk = C:\WINNT\drempels.exe
O4 - Global Startup: WinSvc32.exe
O4 - Global User Startup: WinSvc32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\WINNT\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud11.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

0

naturalbornham,

Please read the two posts directly above yours concerning the "piggybacking" of questions onto someone else's thread. As mentioned, it just gets too confusing to have multiple questions being asked and answered in a single thread. You need to post your question in its own thread, and when you do, post it in the new Security forum that we've created specifically for these spyware/hijackware/etc problems.

Thanks for understanding... :)

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.