Tech Support Guy banner
Cancel

Solved: My COMPUTER Is has been infected badly & Spybot/Adaware don't help to fix it

Jump to Latest Follow
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 20 of 24 Posts
P

· Registered
Joined
·
21 Posts
Discussion Starter · #1 ·
please help me, my system is very, very screwed.

email me directly please, or repost here...

this is my log file from Hijackthis:

Logfile of HijackThis v1.99.0
Scan saved at 6:19:24 PM, on 1/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WUSB11 WLAN Monitor\WLService.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\NetTime\NetTime.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\khshepak.exe
C:\documents and settings\mgrbic.online\local settings\temp\1Ym8IF6c8.exe
C:\documents and settings\mgrbic.online\local settings\temp\3KKJD3.exe
C:\documents and settings\mgrbic.online\local settings\temp\0EmzIU.exe
C:\WINNT\system32\clbcatq4.exe
C:\WINNT\system32\internat.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Citrus Alarm Clock\citrusac.exe
C:\WINNT\hhnt.exe
C:\Documents and Settings\MGRBIC.ONLINE\Application Data\trdb.exe
C:\WINNT\system32\??plorer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\DeskAd Service\DeskAdServ.exe
C:\Program Files\DeskAd Service\DeskAdKeep.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Temp\salm.exe
C:\temp\pootz_58.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINNT\system32\SahAgent.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buldog-search.com/
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.50.188.82 yahoo.com
O1 - Hosts: 69.50.188.82 askjeeves.com
O1 - Hosts: 69.50.188.82 www.askjeeves.com
O1 - Hosts: 69.50.188.82 www.directhit.com
O1 - Hosts: 69.50.188.82 directhit.com
O1 - Hosts: 69.50.188.82 www.excite.com
O1 - Hosts: 69.50.188.82 excite.com
O1 - Hosts: 69.50.188.82 www.alltheweb.com
O1 - Hosts: 69.50.188.82 go.com
O1 - Hosts: 69.50.188.82 www.go.com
O1 - Hosts: 69.50.188.82 goto.com
O1 - Hosts: 69.50.188.82 www.goto.com
O1 - Hosts: 69.50.188.82 lycos.com
O1 - Hosts: 69.50.188.82 dmoz.org
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem302.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\MGRBIC.ONLINE\Local Settings\Temp\hq.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NetTime] C:\Program Files\NetTime\NetTime.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [evsdwI] C:\WINNT\khshepak.exe
O4 - HKLM\..\Run: [1Ym8IF6c8] C:\documents and settings\mgrbic.online\local settings\temp\1Ym8IF6c8.exe
O4 - HKLM\..\Run: [3KKJD3] C:\documents and settings\mgrbic.online\local settings\temp\3KKJD3.exe
O4 - HKLM\..\Run: [0EmzIU] C:\documents and settings\mgrbic.online\local settings\temp\0EmzIU.exe
O4 - HKLM\..\Run: [26ed44da07b4] C:\WINNT\system32\clbcatq4.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\Vtz7.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [szsvqn] C:\WINNT\szsvqn.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINNT\system32\SahAgent.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Citrus Alarm Clock] C:\Program Files\Citrus Alarm Clock\citrusac.exe
O4 - HKCU\..\Run: [MSAgent] C:\WINNT\hhnt.exe
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\MGRBIC.ONLINE\Application Data\trdb.exe
O4 - HKCU\..\Run: [Rno] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\ezStub.exe /UninstPOP3 C:\Program Files\Web Offer
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\maxspeed.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: (HKLM)
O16 - DPF: Yahoo! MLB StatTracker - http://aud15.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c15.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17e3557f54cbc46e8116/netzip/RdxIE601.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/8/loader2.ocx
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6181F6E-C021-4DE3-ACBE-808B25CC112D}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gshold.com
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: 3Com DMI Agent - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: NetTime - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: WUSB28SVC - Unknown - C:\Program Files\WUSB11 WLAN Monitor\WLService.exe" "WUSB11B.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe
 
Cheeseball81

· Retired Moderator
Joined
·
84,466 Posts
#2 ·
Welcome to TSG :)

Good amount of infection in there

Run some online virus scans first:

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

http://housecall.trendmicro.com/

Run these again (make sure you check for updates first):

Ad-Aware: http://www.lavasoftusa.com/support/download/

In the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.
Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.
Then, deselect Search for negligible risk entries.
To start the scan, click the Next button.
When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

SpyBot Search & Destroy: http://majorgeeks.com/download2471.html

Open the program.
Click online, Search for updates, Download all available updates. Close all Browser windows, Click ''Check for Problems''. Anything that needs to be fixed it will show in red and have a green check in the box to the left. Click ''Fix Selected Problems''.

Reboot your computer again

Post a new log
 
P

· Registered
Joined
·
21 Posts
Discussion Starter · #3 ·
Thank you so much for you help!!!

The background on my computer is still ADWARE stating:

WARNING!
YOU'RE IN DANGER!

ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.

Every site you or somebody or even something, like spyware, opened in your browser, with all images, and all downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could broke your life![/I]

SECURE YOURSELF RIGHT NOW!

This is my new LOG:

Logfile of HijackThis v1.99.0
Scan saved at 8:52:49 PM, on 1/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WUSB11 WLAN Monitor\WLService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\HPZipm12.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.50.188.82 yahoo.com
O1 - Hosts: 69.50.188.82 askjeeves.com
O1 - Hosts: 69.50.188.82 www.askjeeves.com
O1 - Hosts: 69.50.188.82 www.directhit.com
O1 - Hosts: 69.50.188.82 directhit.com
O1 - Hosts: 69.50.188.82 www.excite.com
O1 - Hosts: 69.50.188.82 excite.com
O1 - Hosts: 69.50.188.82 www.alltheweb.com
O1 - Hosts: 69.50.188.82 go.com
O1 - Hosts: 69.50.188.82 www.go.com
O1 - Hosts: 69.50.188.82 goto.com
O1 - Hosts: 69.50.188.82 www.goto.com
O1 - Hosts: 69.50.188.82 lycos.com
O1 - Hosts: 69.50.188.82 dmoz.org
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NetTime] C:\Program Files\NetTime\NetTime.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [evsdwI] C:\WINNT\khshepak.exe
O4 - HKLM\..\Run: [1Ym8IF6c8] C:\documents and settings\mgrbic.online\local settings\temp\1Ym8IF6c8.exe
O4 - HKLM\..\Run: [3KKJD3] C:\documents and settings\mgrbic.online\local settings\temp\3KKJD3.exe
O4 - HKLM\..\Run: [0EmzIU] C:\documents and settings\mgrbic.online\local settings\temp\0EmzIU.exe
O4 - HKLM\..\Run: [26ed44da07b4] C:\WINNT\system32\clbcatq4.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\MtyJ62F.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Citrus Alarm Clock] C:\Program Files\Citrus Alarm Clock\citrusac.exe
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\MGRBIC.ONLINE\Application Data\trdb.exe
O4 - HKCU\..\Run: [Rno] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\ezStub.exe /UninstPOP3 C:\Program Files\Web Offer
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\maxspeed.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17e3557f54cbc46e8116/netzip/RdxIE601.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/8/loader2.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6181F6E-C021-4DE3-ACBE-808B25CC112D}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gshold.com
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: 3Com DMI Agent - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: NetTime - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: WUSB28SVC - Unknown - C:\Program Files\WUSB11 WLAN Monitor\WLService.exe" "WUSB11B.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)
 
cybertech

· Retired Moderator
Joined
·
72,209 Posts
#5 ·
Run HJT again and put a check in the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.50.188.82 yahoo.com
O1 - Hosts: 69.50.188.82 askjeeves.com
O1 - Hosts: 69.50.188.82 www.askjeeves.com
O1 - Hosts: 69.50.188.82 www.directhit.com
O1 - Hosts: 69.50.188.82 directhit.com
O1 - Hosts: 69.50.188.82 www.excite.com
O1 - Hosts: 69.50.188.82 excite.com
O1 - Hosts: 69.50.188.82 www.alltheweb.com
O1 - Hosts: 69.50.188.82 go.com
O1 - Hosts: 69.50.188.82 www.go.com
O1 - Hosts: 69.50.188.82 goto.com
O1 - Hosts: 69.50.188.82 www.goto.com
O1 - Hosts: 69.50.188.82 lycos.com
O1 - Hosts: 69.50.188.82 dmoz.org
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17e3557f54cbc4...ip/RdxIE601.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/8/loader2.ocx
O23 - Service: WUSB28SVC - Unknown - C:\Program Files\WUSB11 WLAN Monitor\WLService.exe" "WUSB11B.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)

Close all applications and browser windows before you click "fix checked".

Go to add/remove programs and remove Viewpoint and Web Offer

Go here http://www.thespykiller.co.uk/ and click on Downloads to get the peper trojan uninstaller.

Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective.

Restart your computer.

Click on the link below to download CWshredder.
http://www.intermute.com/spysubtract/cwshredder_download.html

Run the program and let it do it's thing. Make sure to click on "Fix" and not scan only.

Reboot and post another log.
 
P

· Registered
Joined
·
21 Posts
Discussion Starter · #6 ·
Logfile of HijackThis v1.99.0
Scan saved at 8:14:57 PM, on 1/5/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\NetTime\NetTime.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\khshepak.exe
C:\documents and settings\mgrbic.online\local settings\temp\3KKJD3.exe
C:\WINNT\system32\clbcatq4.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINNT\System32\internat.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Citrus Alarm Clock\citrusac.exe
C:\WINNT\system32\??plorer.exe
C:\Documents and Settings\MGRBIC.ONLINE\Application Data\secb.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\RnrMw.exe
C:\WINNT\System32\Uen8ab.exe
C:\Documents and Settings\MGRBIC.ONLINE\Desktop\CWShredder.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\SearchBar.htm
O2 - BHO: (no name) - {25EC9A7A-01E5-5161-9862-2FA71B40C4BC} - C:\WINNT\System32\rovzgimn.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\MGRBIC.ONLINE\Local Settings\Temp\7.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NetTime] C:\Program Files\NetTime\NetTime.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [evsdwI] C:\WINNT\khshepak.exe
O4 - HKLM\..\Run: [1Ym8IF6c8] C:\documents and settings\mgrbic.online\local settings\temp\1Ym8IF6c8.exe
O4 - HKLM\..\Run: [3KKJD3] C:\documents and settings\mgrbic.online\local settings\temp\3KKJD3.exe
O4 - HKLM\..\Run: [0EmzIU] C:\documents and settings\mgrbic.online\local settings\temp\0EmzIU.exe
O4 - HKLM\..\Run: [26ed44da07b4] C:\WINNT\system32\clbcatq4.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\MtyJ62F.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [[email protected]@99C72DKF3BH] C:\WINNT\System32\LysXhe2.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Citrus Alarm Clock] C:\Program Files\Citrus Alarm Clock\citrusac.exe
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\MGRBIC.ONLINE\Application Data\trdb.exe
O4 - HKCU\..\Run: [Rno] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\Run: [Ttol] C:\Documents and Settings\MGRBIC.ONLINE\Application Data\secb.exe
O4 - HKCU\..\Run: [Bcji] C:\WINNT\System32\d?dplay.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\ezStub.exe /UninstPOP3 C:\Program Files\Web Offer
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\maxspeed.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6181F6E-C021-4DE3-ACBE-808B25CC112D}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gshold.com
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: 3Com DMI Agent - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: NetTime - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
 
cybertech

· Retired Moderator
Joined
·
72,209 Posts
#7 ·
Run HJT again and put a check in the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\SearchBar.htm
O2 - BHO: (no name) - {25EC9A7A-01E5-5161-9862-2FA71B40C4BC} - C:\WINNT\System32\rovzgimn.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\MGRBIC.ONLINE\Local Settings\Temp\7.dll
O4 - HKLM\..\Run: [evsdwI] C:\WINNT\khshepak.exe
O4 - HKLM\..\Run: [1Ym8IF6c8] C:\documents and settings\mgrbic.online\local settings\temp\1Ym8IF6c8.exe
O4 - HKLM\..\Run: [3KKJD3] C:\documents and settings\mgrbic.online\local settings\temp\3KKJD3.exe
O4 - HKLM\..\Run: [0EmzIU] C:\documents and settings\mgrbic.online\local settings\temp\0EmzIU.exe
O4 - HKLM\..\Run: [26ed44da07b4] C:\WINNT\system32\clbcatq4.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\MtyJ62F.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [[email protected]@99C72DKF3BH] C:\WINNT\System32\LysXhe2.exe
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\MGRBIC.ONLINE\Application Data\trdb.exe
O4 - HKCU\..\Run: [Rno] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\Run: [Ttol] C:\Documents and Settings\MGRBIC.ONLINE\Application Data\secb.exe
O4 - HKCU\..\Run: [Bcji] C:\WINNT\System32\d?dplay.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\ezStub.exe /UninstPOP3 C:\Program Files\Web Offer
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\maxspeed.exe (file missing)

Close all applications and browser windows before you click "fix checked".

Restart in safe mode

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders" Click "Apply" then "OK".

Delete these files:
C:\ezStub.exe
C:\documents and settings\mgrbic.online\local settings\temp\1Ym8IF6c8.exe
C:\documents and settings\mgrbic.online\local settings\temp\3KKJD3.exe
C:\documents and settings\mgrbic.online\local settings\temp\0EmzIU.exe
C:\Documents and Settings\MGRBIC.ONLINE\Application Data\trdb.exe
C:\Documents and Settings\MGRBIC.ONLINE\Application Data\secb.exe
C:\WINNT\khshepak.exe
C:\WINNT\system32\clbcatq4.exe
C:\WINNT\system32\MtyJ62F.exe
C:\WINNT\System32\LysXhe2.exe

Delete these folders:
C:\Program Files\DeskAd Service
C:\Program Files\ISTsvc
C:\Program Files\Web Offer

Go to C:\documents and settings\mgrbic.online\local settings\temp empty the entire contents of that folder.

Empty your recycle bin.

Now run CWShredder again.

Reboot.

Get all critical security patches Windows Update

When you are complete with these instructions post another log.
 
P

· Registered
Joined
·
21 Posts
Discussion Starter · #8 ·
Windows Installer is constantly trying to install something on my desktop. I hit "Cancel" and it just pops up 3 more dialogue boxes. It appears that it keeps switching what it wants to install....

You guys rock! and here's my new log:

Logfile of HijackThis v1.99.0
Scan saved at 12:45:06 PM, on 1/6/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\NetTime\NetTime.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\khshepak.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Citrus Alarm Clock\citrusac.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\Mim2.exe
C:\WINNT\System32\BdeU.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NetTime] C:\Program Files\NetTime\NetTime.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [[email protected]@99C72DKF3BH] C:\WINNT\System32\LegMSCZ.exe
O4 - HKLM\..\Run: [evsdwI] C:\WINNT\khshepak.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Citrus Alarm Clock] C:\Program Files\Citrus Alarm Clock\citrusac.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6181F6E-C021-4DE3-ACBE-808B25CC112D}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gshold.com
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: 3Com DMI Agent - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: NetTime - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
 
cybertech

· Retired Moderator
Joined
·
72,209 Posts
#9 ·
Run HJT again and put a check in the following:

O4 - HKLM\..\Run: [[email protected]@99C72DKF3BH] C:\WINNT\System32\LegMSCZ.exe
O4 - HKLM\..\Run: [evsdwI] C:\WINNT\khshepak.exe

Close all applications and browser windows before you click "fix checked".

Download and run this program

Reboot and post another log.
 
P

· Registered
Joined
·
21 Posts
Discussion Starter · #10 ·
Well, not sure whats going on. Windows Installer is still I constant problem on my system... and now, when I reboot, Windows gets stuck and I have to do it manually... here's my latest log:

Logfile of HijackThis v1.99.0
Scan saved at 2:26:35 PM, on 1/6/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\NetTime\NetTime.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\khshepak.exe
C:\Program Files\Citrus Alarm Clock\citrusac.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Documents and Settings\MGRBIC.ONLINE\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NetTime] C:\Program Files\NetTime\NetTime.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [evsdwI] C:\WINNT\khshepak.exe
O4 - HKCU\..\Run: [Citrus Alarm Clock] C:\Program Files\Citrus Alarm Clock\citrusac.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6181F6E-C021-4DE3-ACBE-808B25CC112D}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gshold.com
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: 3Com DMI Agent - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: NetTime - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
 
cybertech

· Retired Moderator
Joined
·
72,209 Posts
#11 ·
Run HJT again and put a check in the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [evsdwI] C:\WINNT\khshepak.exe

Close all applications and browser windows before you click "fix checked".

Restart in safe mode

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders" Click "Apply" then "OK".

Delete this file: C:\WINNT\khshepak.exe
Go to Internet Options, Programs
Click the "Reset Web Settings" Button to reset your home and search pages.

Reboot.

Are you using DameWare?
 
cybertech

· Retired Moderator
Joined
·
72,209 Posts
#13 ·
Run HJT again and put a check in the following:

O23 - Service: DameWare Mini Remote Control - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE

Close all applications and browser windows before you click "fix checked".

Download the KillBox

Unzip the files to your desktop.

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu will come up where you can choose to enter Safe Mode.

Run KillBox.exe.

Select the Delete on Reboot option.

In the Full Path of File to Delete field paste this:

C:\WINNT\khshepak.exe

Click the red circle with the white X in it, when it asks you to reboot, click Yes.

After the reboot post one more log.
 
P

· Registered
Joined
·
21 Posts
Discussion Starter · #14 ·
Well, its running very slow, BUT success, you eliminated the Windows Installer box that kept coming up.... Lemme know what u think:

Logfile of HijackThis v1.99.0
Scan saved at 4:03:15 PM, on 1/6/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\NetTime\NetTime.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Citrus Alarm Clock\citrusac.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\MGRBIC.ONLINE\Desktop\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NetTime] C:\Program Files\NetTime\NetTime.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [evsdwI] C:\WINNT\khshepak.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Citrus Alarm Clock] C:\Program Files\Citrus Alarm Clock\citrusac.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6181F6E-C021-4DE3-ACBE-808B25CC112D}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = gshold.com
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: 3Com DMI Agent - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NetTime - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
 
P

· Registered
Joined
·
21 Posts
Discussion Starter · #16 ·
Darn it... I thought we had it. It won't let me erase some of those temp files, says it's a sharing violation. I even tried Killbox.

Logfile of HijackThis v1.99.0
Scan saved at 4:47:39 PM, on 1/6/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\NetTime\NetTime.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Citrus Alarm Clock\citrusac.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\MGRBIC.ONLINE\Desktop\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NetTime] C:\Program Files\NetTime\NetTime.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [evsdwI] C:\WINNT\khshepak.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Citrus Alarm Clock] C:\Program Files\Citrus Alarm Clock\citrusac.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6181F6E-C021-4DE3-ACBE-808B25CC112D}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = gshold.com
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: 3Com DMI Agent - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NetTime - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
 
P

· Registered
Joined
·
21 Posts
Discussion Starter · #17 ·
Ok. All temp files deleted.... system feels much, much, much better to me - but i'm not certain yet, please lemme know what u think! and thanks again for all your help, this site is a life-saver...

Logfile of HijackThis v1.99.0
Scan saved at 5:05:17 PM, on 1/6/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\NetTime\NetTime.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Citrus Alarm Clock\citrusac.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\HPZipm12.exe
C:\Documents and Settings\MGRBIC.ONLINE\Desktop\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NetTime] C:\Program Files\NetTime\NetTime.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [evsdwI] C:\WINNT\khshepak.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Citrus Alarm Clock] C:\Program Files\Citrus Alarm Clock\citrusac.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6181F6E-C021-4DE3-ACBE-808B25CC112D}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = gshold.com
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: 3Com DMI Agent - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NetTime - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
 
cybertech

· Retired Moderator
Joined
·
72,209 Posts
#18 ·
Run HJT again and put a check in the following:

O4 - HKLM\..\Run: [evsdwI] C:\WINNT\khshepak.exe

Close all applications and browser windows before you click "fix checked".

Run killbox on that file again. Reboot to safe mode and make sure it's gone, if it's still there run killbox again on it in safe mode. Reboot.

Post another log when you are done and if it's still there I'll have someone else look at it.
 
P

· Registered
Joined
·
21 Posts
Discussion Starter · #19 ·
Hooray!!! Well, I think it's gone.... Lemme know what u think! :)

Logfile of HijackThis v1.99.0
Scan saved at 5:46:09 PM, on 1/6/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\NetTime\NetTime.exe
C:\Documents and Settings\MGRBIC.ONLINE\Desktop\HijackThis.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Citrus Alarm Clock\citrusac.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINNT\system32\HPZipm12.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NetTime] C:\Program Files\NetTime\NetTime.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [secboot] C:\WINNT\System32\vtd_16.exe !!
O4 - HKCU\..\Run: [Citrus Alarm Clock] C:\Program Files\Citrus Alarm Clock\citrusac.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6181F6E-C021-4DE3-ACBE-808B25CC112D}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: Domain = gshold.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91F694B-2D0F-4337-910A-A17614A627CF}: NameServer = 66.28.0.45,66.28.34.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gshold.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = gshold.com
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: 3Com DMI Agent - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NetTime - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
 
cybertech

· Retired Moderator
Joined
·
72,209 Posts
#20 ·
1 - 20 of 24 Posts
Status
Not open for further replies.
About this Discussion
23 Replies
3 Participants
Last post:
cybertech
Tech Support Guy
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Hardware Virus & Other Malware Removal Windows XP Off Topic Lounge Thread Games & Discussion
Top