Author Topic: Need advice re HIJACKTHIS elements  (Read 3735 times)
digger36
Jr. Member
« on: October 30, 2004, 04:59:17 PM »

Hello to the More-Learned out there who will see this:

Would appreciate advice re which (if any) of the items identified in the following HIJACKTHIS log should be deleted.

Thanks,,

Logfile of HijackThis v1.97.7
Scan saved at 9:34:02 AM, on 10/30/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\NERO\AHEAD\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\GRIAVG6A\avgserv.exe
D:\VCOM\FixIt\mxtask.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Common Files\WinTools\WToolsS.exe
F:\WINFAX\WFXMOD32.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
D:\NERO\AHEAD\InCD\InCD.exe
D:\QUIKTIM5\qttask.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\McAfeSpy\MssCli.exe
D:\GRIAVG6A\avgcc32.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\WINDOWS\System32\??rss.exe
C:\Documents and Settings\MAIN222\Application Data\upcu.exe
F:\ETOTAL5A\TaskPanl.exe
F:\WINFAX\WFXCTL32.EXE
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
D:\VCOM\FixIt\mxtask.exe
C:\WINDOWS\System32\wuauclt.exe
D:\CLIPMATE\ClipMa51\ClipMt51.exe
F:\NETSCP72\Netscp.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
D:\hijackts\#downlod\HIJACK~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50196
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50196
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50196
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
F1 - win.ini: run= D:\WD2000E\WD2000
O2 - BHO: (no name) - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\ADOBE\ACRBTRD6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - F:\ETOTAL5A\PnEL.dll
O2 - BHO: (no name) - {63F8675C-BC65-64A4-8753-66550EF2286C} - C:\WINDOWS\System32\ggtvxke.dll
O2 - BHO: (no name) - {63FB3455-E83F-62A6-8753-66550EF22960} - C:\WINDOWS\System32\vyj.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll (file missing)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - D:\MOUSEKEN\IESPOOK.DLL (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\MAIN222\Local Settings\Temp\7.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - F:\ETOTAL5A\PnEL.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\NERO\AHEAD\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\QUIKTIM5\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WFXSwtch] F:\WINFAX\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [RCScheduleCheck] D:\VCOM\RecovCmd\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] D:\McAfeSpy\MssCli.exe
O4 - HKLM\..\Run: [AVG_CC] D:\GRIAVG6A\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [Ilru] C:\Documents and Settings\MAIN222\Application Data\loro.exe
O4 - HKCU\..\Run: [Icnr] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Imam] C:\Documents and Settings\MAIN222\Application Data\upcu.exe
O4 - HKCU\..\Run: [Yvztap] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [E6TaskPanel] "F:\ETOTAL5A\TaskPanl.exe" -winstart
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\MAIN222\LOCALS~1\Temp\djtopr1150.exe"
O4 - Global Startup: Controller.LNK = F:\WINFAX\WFXCTL32.EXE
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: PDF-Capture.lnk = C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094080806952
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab



jvic
Visiting Administrator
« Reply #1 on: October 30, 2004, 05:04:42 PM »

You have quite a bit that needs fixing, but first, your HijackThis is outdated. Please download the newest version from here.

Make sure you unzip HijackThis to its own folder, such as C:\Program files, as this is where the backups will be created. Run HijackThis but do NOT fix anything. Click Save Log and a log will open in Notepad. Copy and paste your log here.

John Vickers
digger36
Jr. Member
« Reply #2 on: October 31, 2004, 05:37:41 PM »

JVIC:
Took your advice. Now using v1.98.2.
What follows are TWO copies of the log; first is the original log and then it is followed by a sorted version just in case it might help in identifying the areas more clearly.

Advice appreciated as to what to delete.
Thanks,,

========= First the original copy ==
Logfile of HijackThis v1.98.2
Scan saved at 9:23:00 AM, on 10/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\NERO\AHEAD\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\GRIAVG6A\avgserv.exe
D:\VCOM\FixIt\mxtask.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\System32\WFXSVC.EXE
F:\WINFAX\WFXMOD32.EXE
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
D:\NERO\AHEAD\InCD\InCD.exe
D:\QUIKTIM5\qttask.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\McAfeSpy\MssCli.exe
D:\GRIAVG6A\avgcc32.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINDOWS\System32\kmw_run.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\PIB.exe
D:\VCOM\FixIt\mxtask.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Documents and Settings\MAIN222\Application Data\tasr.exe
C:\WINDOWS\System32\??rvices.exe
F:\ETOTAL5A\TaskPanl.exe
C:\WINDOWS\System32\rundll32.exe
F:\WINFAX\WFXCTL32.EXE
C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
C:\WINDOWS\System32\wuauclt.exe
D:\hijackts\HIJACKT2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50196
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50196
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50196
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
F3 - REG:win.ini: run= D:\WD2000E\WD2000
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\ADOBE\ACRBTRD6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - F:\ETOTAL5A\PnEL.dll
O2 - BHO: (no name) - {63F8675C-BC65-64A4-8753-66550EF2286C} - C:\WINDOWS\System32\ggtvxke.dll
O2 - BHO: (no name) - {63FB3455-E83F-62A6-8753-66550EF22960} - C:\WINDOWS\System32\vyj.dll
O2 - BHO: (no name) - {69AC645A-EA3E-33A4-8753-66550EF22E3B} - C:\WINDOWS\System32\rpfnj.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll (file missing)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: IEHlprObjClass - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - D:\MOUSEKEN\IESPOOK.DLL (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\MAIN222\Local Settings\Temp\7.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - F:\ETOTAL5A\PnEL.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\NERO\AHEAD\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\QUIKTIM5\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WFXSwtch] F:\WINFAX\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [RCScheduleCheck] D:\VCOM\RecovCmd\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] D:\McAfeSpy\MssCli.exe
O4 - HKLM\..\Run: [AVG_CC] D:\GRIAVG6A\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [Ilru] C:\Documents and Settings\MAIN222\Application Data\loro.exe
O4 - HKCU\..\Run: [Icnr] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Imam] C:\Documents and Settings\MAIN222\Application Data\upcu.exe
O4 - HKCU\..\Run: [Yvztap] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [Psat] C:\Documents and Settings\MAIN222\Application Data\tasr.exe
O4 - HKCU\..\Run: [Vxwsbc] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [E6TaskPanel] "F:\ETOTAL5A\TaskPanl.exe" -winstart
O4 - Global Startup: Controller.LNK = F:\WINFAX\WFXCTL32.EXE
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: PDF-Capture.lnk = C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094080806952
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll


=======  The following is a SORTED copy of the above,
         just in case it might help =====================
Logfile of HijackThis v1.98.2
Scan saved at 9:23:00 AM, on 10/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Documents and Settings\MAIN222\Application Data\tasr.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\??rvices.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\WINDOWS\System32\WFXSVC.EXE
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\kmw_run.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
D:\GRIAVG6A\avgcc32.exe
D:\GRIAVG6A\avgserv.exe
D:\McAfeSpy\MssCli.exe
D:\NERO\AHEAD\InCD\InCD.exe
D:\NERO\AHEAD\InCD\InCDsrv.exe
D:\QUIKTIM5\qttask.exe
D:\VCOM\FixIt\mxtask.exe
D:\VCOM\FixIt\mxtask.exe
D:\hijackts\HIJACKT2.exe
F:\ETOTAL5A\TaskPanl.exe
F:\WINFAX\WFXCTL32.EXE
F:\WINFAX\WFXMOD32.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50196
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50196
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50196
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

F3 - REG:win.ini: run= D:\WD2000E\WD2000

O2 - BHO: (no name) - {63F8675C-BC65-64A4-8753-66550EF2286C} - C:\WINDOWS\System32\ggtvxke.dll
O2 - BHO: (no name) - {63FB3455-E83F-62A6-8753-66550EF22960} - C:\WINDOWS\System32\vyj.dll
O2 - BHO: (no name) - {69AC645A-EA3E-33A4-8753-66550EF22E3B} - C:\WINDOWS\System32\rpfnj.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\ADOBE\ACRBTRD6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - F:\ETOTAL5A\PnEL.dll
O2 - BHO: IEHlprObjClass - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - D:\MOUSEKEN\IESPOOK.DLL (file missing)
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\MAIN222\Local Settings\Temp\7.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - F:\ETOTAL5A\PnEL.dll
O4 - Global Startup: Controller.LNK = F:\WINFAX\WFXCTL32.EXE
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: PDF-Capture.lnk = C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [E6TaskPanel] "F:\ETOTAL5A\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [Icnr] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Ilru] C:\Documents and Settings\MAIN222\Application Data\loro.exe
O4 - HKCU\..\Run: [Imam] C:\Documents and Settings\MAIN222\Application Data\upcu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Psat] C:\Documents and Settings\MAIN222\Application Data\tasr.exe
O4 - HKCU\..\Run: [Vxwsbc] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [Yvztap] C:\WINDOWS\System32\??rvices.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG_CC] D:\GRIAVG6A\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [InCD] D:\NERO\AHEAD\InCD\InCD.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\QUIKTIM5\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RCScheduleCheck] D:\VCOM\RecovCmd\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WFXSwtch] F:\WINFAX\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [_AntiSpyware] D:\McAfeSpy\MssCli.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094080806952
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll



jvic
Visiting Administrator
« Reply #3 on: October 31, 2004, 05:48:59 PM »

Please download and run the following programs:

AD-AWARE

Install the program and launch it.

First, in the bottom right-hand corner of the main window click on Check for updates now, then click Connect and download the latest reference files.

Then, in the main window: click Start and under Select a scan mode tick Perform full system scan.

Then, deselect Search for negligible risk entries.

To start the scan, click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop-down menu and then click Next.)

Restart your computer.


SPYBOT SEARCH & DESTROY


Open Spybot Search & Destroy (click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows, click ''Check for Problems''. Anything that needs to be fixed will show in red and have a green check in the box to the left. Click ''Fix Selected Problems'', then restart your computer.

Go to Start > Settings > Control Panel > Add and Remove Programs and uninstall

WinTools

Then Boot into safe mode

Click on Start, Run, Type REGEDIT and Click OK

Click the pluses(+) next to the following items
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
Run

Right-Click on the file WinTools and click DELETE

Click the pluses(+) next to the following items
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
RunServices

Right-Click on the file WinTools and click DELETE

Close REGEDIT, reboot and post a new HijackThis log.









John Vickers
digger36
Jr. Member
« Reply #4 on: October 31, 2004, 08:35:51 PM »

JVIC:

Am proceeding as you suggested.
Do you prefer the HIJACKTHIS log sorted?
What is the WinTools that you recommend deleting?
What are its bad characteristics?
Do NOT recall ever installing such.
Did it come piggybacked on something else or did someone give it to me while my back was turned?

Thanks,,
jvic
Visiting Administrator
« Reply #5 on: October 31, 2004, 09:11:03 PM »

Doesn't matter which way you post the hijack this log.
WinTools appears to be a variant of Huntbar. It is very persistent and extremely difficult to remove. It creates its own folder under Program Files/Common Files called WinTools. All of its files appear to be contained within this folder.

John Vickers
digger36
Jr. Member
« Reply #6 on: October 31, 2004, 09:26:31 PM »

JVIC:
Have run BOTH AdAware and SpyBot as you suggested.
You were quite correct about the location of WinTools.
By the time that I got to the part of your instructions about UNinstalling it and removing its entry from the Registry, it was ALREADY gone.
Tracking back through copies of the Registry and my Files/Directories, it seems to have appeared about 7-10 days ago and was there yesterday; possibly AdAware or SpyBot "took care" of it.
Following is the latest HIJACKTHIS log. Please advise any further necessary actions.
Thanks,,

Logfile of HijackThis v1.98.2
Scan saved at 1:17:09 PM, on 10/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\NERO\AHEAD\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\GRIAVG6A\avgserv.exe
D:\VCOM\FixIt\mxtask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
F:\WINFAX\WFXMOD32.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
D:\NERO\AHEAD\InCD\InCD.exe
D:\QUIKTIM5\qttask.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\McAfeSpy\MssCli.exe
D:\GRIAVG6A\avgcc32.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\Messenger\msmsgs.exe
D:\VCOM\FixIt\mxtask.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Documents and Settings\MAIN222\Application Data\tasr.exe
C:\WINDOWS\System32\??oolsv.exe
F:\ETOTAL5A\TaskPanl.exe
C:\WINDOWS\System32\rundll32.exe
F:\WINFAX\WFXCTL32.EXE
C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HIJACKTS\HIJACKT2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run= D:\WD2000E\WD2000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\ADOBE\ACRBTRD6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - F:\ETOTAL5A\PnEL.dll
O2 - BHO: (no name) - {63F8675C-BC65-64A4-8753-66550EF2286C} - C:\WINDOWS\System32\ggtvxke.dll
O2 - BHO: (no name) - {63FB3455-E83F-62A6-8753-66550EF22960} - C:\WINDOWS\System32\vyj.dll
O2 - BHO: (no name) - {69AC645A-EA3E-33A4-8753-66550EF22E3B} - C:\WINDOWS\System32\rpfnj.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - F:\ETOTAL5A\PnEL.dll
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\NERO\AHEAD\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\QUIKTIM5\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WFXSwtch] F:\WINFAX\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [RCScheduleCheck] D:\VCOM\RecovCmd\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] D:\McAfeSpy\MssCli.exe
O4 - HKLM\..\Run: [AVG_CC] D:\GRIAVG6A\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [Ilru] C:\Documents and Settings\MAIN222\Application Data\loro.exe
O4 - HKCU\..\Run: [Icnr] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Imam] C:\Documents and Settings\MAIN222\Application Data\upcu.exe
O4 - HKCU\..\Run: [Yvztap] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [Psat] C:\Documents and Settings\MAIN222\Application Data\tasr.exe
O4 - HKCU\..\Run: [Vxwsbc] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [E6TaskPanel] "F:\ETOTAL5A\TaskPanl.exe" -winstart
O4 - Global Startup: Controller.LNK = F:\WINFAX\WFXCTL32.EXE
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: PDF-Capture.lnk = C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094080806952
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab

jvic
« Reply #7 on: October 31, 2004, 09:59:36 PM »

First disable System Restore. You can enable it again after you are clean.

Using System Restore Windows XP

Run hijack this and place a check beside the following:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {63F8675C-BC65-64A4-8753-66550EF2286C} - C:\WINDOWS\System32\ggtvxke.dll
O2 - BHO: (no name) - {63FB3455-E83F-62A6-8753-66550EF22960} - C:\WINDOWS\System32\vyj.dll
O2 - BHO: (no name) - {69AC645A-EA3E-33A4-8753-66550EF22E3B} - C:\WINDOWS\System32\rpfnj.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "D:\QUIKTIM5\qttask.exe" -atboottime <-- this one is optional, but it is considered to be a resource hog

O4 - HKCU\..\Run: [Icnr] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Imam] C:\Documents and Settings\MAIN222\Application Data\upcu.exe
O4 - HKCU\..\Run: [Yvztap] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [Psat] C:\Documents and Settings\MAIN222\Application Data\tasr.exe
O4 - HKCU\..\Run: [Vxwsbc] C:\WINDOWS\System32\??oolsv.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all windows except HijackThis and click Fix.

Boot into Safe Mode, making sure you can see hidden files and folders.


How To Boot Into SafeMode

How To Show Hidden Files And Folders


Delete The Following If Present:

C:\Documents and Settings\MAIN222\Application Data\tasr.exe <-- this file
C:\WINDOWS\System32\??oolsv.exe <-- Be careful! There is a good file Spoolsv.exe
C:\WINDOWS\System32\??rss.exe <-- this file
C:\Documents and Settings\MAIN222\Application Data\upcu.exe <-- this file
C:\WINDOWS\System32\??rvices.exe <-- this file

Reboot and post a new HijackThis log.

« Last Edit: November 01, 2004, 06:11:24 PM by jvic »

John Vickers
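The triage in the reply above rests on two observable signs: a System32 file name whose "?" characters stand for characters HijackThis could not print, differing from a real system binary (csrss.exe, services.exe, spoolsv.exe) only in those positions, and an autostart that runs from the user's Application Data folder. The Python script below is an added example, not a tool from this thread or from HijackThis; the O4 lines it scans are constructed to match the entries discussed here, and the list of system binaries it compares against is the example's own assumption.

```python
import re

# Added example, not a tool from this thread or from HijackThis. Two rules from
# the reply above: (1) a name that differs from a Windows system binary only in
# '?' characters (unprintable bytes in the real name) is a lookalike, so a
# genuine spoolsv.exe is never flagged; (2) an autostart from Application Data is suspect.
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
PATH_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|scr|dll))"?(?:\s.*)?$', re.IGNORECASE)
SYSTEM_BINARIES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe")

# Constructed sample in the shape HijackThis prints, modelled on the entries in
# this thread; not copied from a real scan.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [AVG_CC] D:\GRIAVG6A\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [Icnr] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Yvztap] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [Vxwsbc] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [Psat] C:\Documents and Settings\MAIN222\Application Data\tasr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
""".strip().splitlines()


def lookalike_of(filename):
    """Return the system binary that `filename` imitates, or None.
    Only names containing '?' qualify: the lengths must match and every
    character that is not '?' must line up with the genuine name."""
    if "?" not in filename:
        return None
    for real in SYSTEM_BINARIES:
        if len(real) == len(filename) and all(
                f == "?" or f == r for f, r in zip(filename, real)):
            return real
    return None


def triage(lines):
    """Classify O4 Run entries; returns (entry name, path, verdict) tuples."""
    results = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # other HijackThis sections are ignored here
        pm = PATH_RE.match(m.group("cmd"))
        path = pm.group("path") if pm else m.group("cmd")
        filename = path.rsplit("\\", 1)[-1].lower()
        target = lookalike_of(filename)
        if target:
            verdict = f"lookalike of {target} (unprintable characters shown as ?)"
        elif "\\application data\\" in path.lower():
            verdict = "autostart from user Application Data folder"
        else:
            verdict = "ok"
        results.append((m.group("name"), path, verdict))
    return results
```

Calling triage(SAMPLE_O4_LINES) flags the three "??" names as lookalikes and tasr.exe by its location, while the AVG and Messenger entries come back as ok.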
digger36
« Reply #8 on: October 31, 2004, 10:12:24 PM »

Understand all that you've said, but why is it necessary to disable restore?
As long as I am aware NOT to go back to any of those previous checkpoints, then is it ok just to leave it active?
jvic
« Reply #9 on: October 31, 2004, 10:18:09 PM »

They need to disable the System Restore feature; otherwise, the problem files will get sucked into the restore folder and will become a system restore point.
« Last Edit: November 01, 2004, 12:10:11 PM by jvic »

John Vickers
digger36
« Reply #10 on: October 31, 2004, 11:42:13 PM »

JVIC:
Here is the latest.
The ref to wd2000 is still present; believe that I understand it as part of one of my favorite tools.
The ??xxx.exe items were TOUGH to get rid of.
They showed up at the END of the alphabetized list of entries and had other real alpha characters filled-in for the ?? chars.
Believe that they are now GONE.

Although I actually DID turn off the restore, I am still not understanding why this was needed. As long as I understood that using any of the old restore/checkpoints would put back some of this stuff, it seems to me that it would have been OK to leave that still ON.

Is it OK to turn it back on now?

Continued advice appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 3:35:54 PM, on 10/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\NERO\AHEAD\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
D:\GRIAVG6A\avgserv.exe
D:\VCOM\FixIt\mxtask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
F:\WINFAX\WFXMOD32.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
D:\NERO\AHEAD\InCD\InCD.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\McAfeSpy\MssCli.exe
D:\VCOM\FixIt\mxtask.exe
D:\GRIAVG6A\avgcc32.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Documents and Settings\MAIN222\Application Data\tasr.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\WINDOWS\System32\rundll32.exe
F:\ETOTAL5A\TaskPanl.exe
F:\WINFAX\WFXCTL32.EXE
C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HIJACKTS\HIJACKT2.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
F3 - REG:win.ini: run= D:\WD2000E\WD2000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\ADOBE\ACRBTRD6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - F:\ETOTAL5A\PnEL.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - F:\ETOTAL5A\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\NERO\AHEAD\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WFXSwtch] F:\WINFAX\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [RCScheduleCheck] D:\VCOM\RecovCmd\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] D:\McAfeSpy\MssCli.exe
O4 - HKLM\..\Run: [AVG_CC] D:\GRIAVG6A\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [Ilru] C:\Documents and Settings\MAIN222\Application Data\loro.exe
O4 - HKCU\..\Run: [Psat] C:\Documents and Settings\MAIN222\Application Data\tasr.exe
O4 - HKCU\..\Run: [E6TaskPanel] "F:\ETOTAL5A\TaskPanl.exe" -winstart
O4 - Global Startup: Controller.LNK = F:\WINFAX\WFXCTL32.EXE
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: PDF-Capture.lnk = C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094080806952
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab

jvic
« Reply #11 on: October 31, 2004, 11:57:42 PM »

Your log is definitely looking better. Delete these two files:

C:\Documents and Settings\MAIN222\Application Data\loro.exe
C:\Documents and Settings\MAIN222\Application Data\tasr.exe

Go ahead and enable System Restore. Reboot and post one more log.

John Vickers
digger36
« Reply #12 on: November 01, 2004, 12:23:39 AM »

JVIC:
Both files were Hidden+System+readOnly.
LORO.EXE was easily deleted.
TASR.EXE was "in use", so I rebooted into Safe Mode and got rid of it.

Q. Any idea how to best handle files with "?" in their names?

Latest log follows ...

Logfile of HijackThis v1.98.2
Scan saved at 4:20:09 PM, on 10/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\NERO\AHEAD\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
D:\GRIAVG6A\avgserv.exe
D:\VCOM\FixIt\mxtask.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
F:\WINFAX\WFXMOD32.EXE
D:\NERO\AHEAD\InCD\InCD.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\McAfeSpy\MssCli.exe
D:\GRIAVG6A\avgcc32.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
D:\VCOM\FixIt\mxtask.exe
C:\WINDOWS\System32\rundll32.exe
F:\ETOTAL5A\TaskPanl.exe
F:\WINFAX\WFXCTL32.EXE
C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
D:\HIJACKTS\HIJACKT2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
F3 - REG:win.ini: run= D:\WD2000E\WD2000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\ADOBE\ACRBTRD6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - F:\ETOTAL5A\PnEL.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - F:\ETOTAL5A\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\NERO\AHEAD\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WFXSwtch] F:\WINFAX\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [RCScheduleCheck] D:\VCOM\RecovCmd\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] D:\McAfeSpy\MssCli.exe
O4 - HKLM\..\Run: [AVG_CC] D:\GRIAVG6A\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [Ilru] C:\Documents and Settings\MAIN222\Application Data\loro.exe
O4 - HKCU\..\Run: [Psat] C:\Documents and Settings\MAIN222\Application Data\tasr.exe
O4 - HKCU\..\Run: [E6TaskPanel] "F:\ETOTAL5A\TaskPanl.exe" -winstart
O4 - Global Startup: Controller.LNK = F:\WINFAX\WFXCTL32.EXE
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: PDF-Capture.lnk = C:\Program Files\PDF-XChange SDK EndUser\PDFSaver.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094080806952
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab

jvic
« Reply #13 on: November 01, 2004, 12:40:25 AM »

Won't be able to fully check your log till the morning, but it is looking a lot better.
In the meantime, run an online virus scan at Trend Micro!!!
http://housecall60.trendmicro.com/en/start_corp.asp?id=scan
Remove anything it finds and write down any files it says are uncleanable (write down the name and path).

« Last Edit: November 01, 2004, 12:42:49 AM by jvic »

John Vickers
digger36
« Reply #14 on: November 02, 2004, 01:28:25 AM »

JVIC:
Now that I've taken all of that advice, there are no longer any printers in my system: they are all gone!!!

They were all there midway through our deleting processes, because I printed out some of the HijackThis logs.

Not only that, but now I can NOT add any back into the system.
When I now click on "Add Printer" I get a box noting ...
            "Printers - Operation could not be completed."

Any thoughts greatly appreciated.