Tech Support Guy
Status
Not open for further replies.
1 - 17 of 17 Posts

Registered · 8 Posts · Discussion Starter · #1
I have done searches for my problem but cannot find an answer to this.

My homepage has been hijacked, and when I click on Tools/Internet Options ALL of the homepage buttons to change the information are grayed out and cannot be accessed.

I can go into regedit and change the homepage... But WHY is it grayed out in IE? What is causing this and HOW can I fix it?

Thanks
TexCajun:) :)
 

Administrator · 124,730 Posts · First Name: Karen
Here are some links and instructions on how to get those programs.

Download and run: SPYBOT SEARCH & DESTROY, here:

http://download.com.com/3000-2144-1...tml?tag=lst-0-1

Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows, click "Check for Problems", put a check in every entry Spybot Search & Destroy flags with a red exclamation mark and click "Fix Selected Problems", then restart your computer.

Click here: http://www.majorgeeks.com/downloadg...a8baee6434cfc13
to download HijackThis. Save it to its own folder (not temporary files). Click on Hijackthis.exe.

Close all open windows and open HIJACK THIS. Click "Scan". When the scan is finished (it only takes a second), the scan button will change to "Save Log". Click on "Save Log" and save it to Notepad. Copy the entire log and paste it here.

DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.

Cookie
 

Registered · 8 Posts · Discussion Starter · #4
I have Spybot Search & Destroy and run it every few days. But I ran it again and it is still grayed out.

Here are my HijackThis results

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
D:\VIRUS\AVG\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
D:\Virus\TrendPc-Cillian\Tmntsrv.exe
D:\Virus\TrendPc-Cillian\tmproxy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
D:\CdBurners\Roxie\DirectCD\DirectCD.exe
D:\VIRUS\AVG\avgcc32.exe
D:\Virus\TrendPc-Cillian\PccPfw.exe
D:\WebPage\TweakPowerPack\TweakNow PowerPack\RAM_XP.exe
D:\CdBurners\MusicMatch\mmtask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Photos\HP Share-to-Web\hpgs2wnd.exe
D:\Virus\TrendPc-Cillian\pccguide.exe
D:\Photos\HP Share-to-Web\hpgs2wnf.exe
D:\Virus\TrendPc-Cillian\PCClient.exe
D:\Virus\TrendPc-Cillian\TMOAgent.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Utilities\PopUpVanish2\PopupVanish.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
D:\Internet\MailWasher\MailWasher.exe
D:\Virus\SpywareGuard\sgmain.exe
C:\WINDOWS\webshots.scr
D:\Internet\NEOPLA~1\bin\np.exe
D:\Virus\SpywareGuard\sgbhp.exe
D:\Internet\INCRED~1\bin\IMApp.exe
D:\Internet\INCRED~1\bin\IncMail.exe
D:\Graphics\PhotoImpact7\Iedit.exe
D:\Internet\Kazaa\kazaa.exe
D:\ZIPS\Virus\Sypware Guard\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.texcajun.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gatewaybiz.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - D:\Microsolft\Money2003\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Virus\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\UTILIT~1\SEARCH~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - d:\internet\ws ftp pro\wsbho2k0.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\Internet\FlashGet\jccatch.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\Internet\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\CdBurners\Roxie\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG_CC] D:\VIRUS\AVG\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [RAM Idle Professional] D:\WebPage\TweakPowerPack\TweakNow PowerPack\RAM_XP.exe
O4 - HKLM\..\Run: [system32] C:\WINDOWS\System32\system32.exe
O4 - HKLM\..\Run: [mmtask] D:\CdBurners\MusicMatch\mmtask.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Photos\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "D:\Virus\TrendPc-Cillian\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "D:\Virus\TrendPc-Cillian\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "D:\Virus\TrendPc-Cillian\TMOAgent.exe" /run
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKCU\..\Run: [IncrediMail] D:\Internet\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopupVanish] D:\Utilities\PopUpVanish2\PopupVanish.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe D:\Photos\Ofoto2\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [Uset] C:\Documents and Settings\Owner\Application Data\rtos.exe
O4 - Startup: NeoPlanet.lnk = D:\Internet\NeoPlanet\bin\Neo.exe
O4 - Startup: SpywareGuard.lnk = D:\Virus\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = D:\Program Files\WebshotsPhotos\Launcher.exe
O4 - Global Startup: DriveSelect.lnk = D:\CdBurners\XCopy Express\Xpress\DriveSelect.exe
O4 - Global Startup: MailWasher.lnk = D:\Internet\MailWasher\MailWasher.exe
O4 - Global Startup: TurboNote.lnk = D:\Desktop\TurboNote\tbnote.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\Internet\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Internet\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Internet\FlashGet\jc_link.htm
O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimageN\IEimageN.htm
O9 - Extra button: Joyo (HKLM)
O9 - Extra button: PowerWord (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Linked Images (HKLM)
O9 - Extra 'Tools' menuitem: Linked Ima&ges (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5E7E117-6CEF-4AAF-ACDB-8343B8941454}: NameServer = 209.149.134.252 205.152.132.235
 

Administrator · 124,730 Posts · First Name: Karen
You definitely have some bad stuff in there and you should get rid of Kazaa or you will continually have problems with spyware. I think you also have a browser hijack, as suspected.

I'm going to request that this thread be moved over to the Security forum for better assistance.

Cookie
 

Registered · 46,465 Posts
First you need to copy and paste your log again. You cut off the top part of the log that shows pertinent info that helps us help you.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
 

Registered · 8 Posts · Discussion Starter · #8
Yeah, I'm not crazy about Kazaa being on my computer... but my son has the paid version of Kazaa and I run Search & Destroy every few days.

And I just downloaded Ad-Aware this evening. And it has gotten rid of whatever it was that had hijacked my homepage... And I can NOW change the settings back on the start page in IE. Thanks to Ad-Aware :)

But I would appreciate it IF someone would look over my HijackThis log and let me know what is bad.

Thanks
TexCajun

Logfile of HijackThis v1.97.7
Scan saved at 8:54:44 PM, on 3/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
D:\VIRUS\AVG\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
D:\Virus\TrendPc-Cillian\Tmntsrv.exe
D:\Virus\TrendPc-Cillian\tmproxy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
D:\CdBurners\Roxie\DirectCD\DirectCD.exe
D:\VIRUS\AVG\avgcc32.exe
D:\Virus\TrendPc-Cillian\PccPfw.exe
D:\WebPage\TweakPowerPack\TweakNow PowerPack\RAM_XP.exe
D:\CdBurners\MusicMatch\mmtask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Photos\HP Share-to-Web\hpgs2wnd.exe
D:\Virus\TrendPc-Cillian\pccguide.exe
D:\Photos\HP Share-to-Web\hpgs2wnf.exe
D:\Virus\TrendPc-Cillian\PCClient.exe
D:\Virus\TrendPc-Cillian\TMOAgent.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Utilities\PopUpVanish2\PopupVanish.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
D:\Internet\MailWasher\MailWasher.exe
D:\Virus\SpywareGuard\sgmain.exe
C:\WINDOWS\webshots.scr
D:\Internet\NEOPLA~1\bin\np.exe
D:\Virus\SpywareGuard\sgbhp.exe
D:\Internet\INCRED~1\bin\IMApp.exe
D:\Internet\INCRED~1\bin\IncMail.exe
D:\Internet\Kazaa\kazaa.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\ZIPS\Virus\Sypware Guard\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.texcajun.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gatewaybiz.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - D:\Microsolft\Money2003\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Virus\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\UTILIT~1\SEARCH~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - d:\internet\ws ftp pro\wsbho2k0.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\Internet\FlashGet\jccatch.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\Internet\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\CdBurners\Roxie\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG_CC] D:\VIRUS\AVG\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [RAM Idle Professional] D:\WebPage\TweakPowerPack\TweakNow PowerPack\RAM_XP.exe
O4 - HKLM\..\Run: [system32] C:\WINDOWS\System32\system32.exe
O4 - HKLM\..\Run: [mmtask] D:\CdBurners\MusicMatch\mmtask.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Photos\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "D:\Virus\TrendPc-Cillian\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "D:\Virus\TrendPc-Cillian\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "D:\Virus\TrendPc-Cillian\TMOAgent.exe" /run
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKCU\..\Run: [IncrediMail] D:\Internet\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopupVanish] D:\Utilities\PopUpVanish2\PopupVanish.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe D:\Photos\Ofoto2\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [Uset] C:\Documents and Settings\Owner\Application Data\rtos.exe
O4 - Startup: NeoPlanet.lnk = D:\Internet\NeoPlanet\bin\Neo.exe
O4 - Startup: SpywareGuard.lnk = D:\Virus\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = D:\Program Files\WebshotsPhotos\Launcher.exe
O4 - Global Startup: DriveSelect.lnk = D:\CdBurners\XCopy Express\Xpress\DriveSelect.exe
O4 - Global Startup: MailWasher.lnk = D:\Internet\MailWasher\MailWasher.exe
O4 - Global Startup: TurboNote.lnk = D:\Desktop\TurboNote\tbnote.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\Internet\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Internet\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Internet\FlashGet\jc_link.htm
O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimageN\IEimageN.htm
O9 - Extra button: Joyo (HKLM)
O9 - Extra button: PowerWord (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Linked Images (HKLM)
O9 - Extra 'Tools' menuitem: Linked Ima&ges (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5E7E117-6CEF-4AAF-ACDB-8343B8941454}: NameServer = 209.149.134.252 205.152.132.235
 

Registered · 46,465 Posts
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [system32] C:\WINDOWS\System32\system32.exe

O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s

O4 - HKCU\..\Run: [Uset] C:\Documents and Settings\Owner\Application Data\rtos.exe


Restart to safe mode.

How to start your computer in safe mode

First, in safe mode, click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Now find and delete:

The C:\Documents and Settings\Owner\Application Data\rtos.exe file
The C:\WINDOWS\System32\system32.exe file
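An added example, not part of this thread or of any participant's reply: a small Python triage script that applies, mechanically, the kind of checks the helper above does by hand on a HijackThis log. It reads a pasted log line by line and labels entries "fix" (an orphaned BHO, an autostart from a user-profile data directory, an executable named after a Windows directory) or "review" (a proxy setting, a non-default winlogon UserInit, an O6 restriction policy, an ActiveX control with no download source). The O6 line is the one that answers the original poster's question: a HomePage value under that policy key is what greys out the Home page box in Internet Options. The sample input is constructed from lines of the log posted in this thread; the severity labels, the profile-directory list and the decoy-name list are this example's own heuristics, not HijackThis's.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    line: str
    severity: str  # "fix" (almost certainly unwanted) or "review" (needs a human look)
    reason: str


# Constructed sample input: lines copied from the HijackThis logs posted in this
# thread, so the checks below can be exercised offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Virus\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AVG_CC] D:\VIRUS\AVG\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [system32] C:\WINDOWS\System32\system32.exe
O4 - HKCU\..\Run: [Uset] C:\Documents and Settings\Owner\Application Data\rtos.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
"""

# O4 registry Run entries: "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First executable path in a Run command, with optional surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
# O16 Downloaded Program Files: "O16 - DPF: {GUID} (name) - url"
DPF_RE = re.compile(r'^O16 - DPF: .*? -\s*(?P<url>.*)$')

# Heuristic (this example's assumption): user-writable profile directories
# that legitimate software of this era rarely used as an autostart location.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")
# Heuristic (this example's assumption): executables named after a Windows
# directory, e.g. system32.exe, which is not a Windows binary.
DECOY_NAMES = {"system32", "windows", "system"}


def check_line(line: str) -> Optional[Finding]:
    """Apply one heuristic per HijackThis section; return a Finding or None."""
    line = line.strip()
    if line.startswith("R1 - ") and "ProxyServer" in line:
        return Finding(line, "review",
                       "proxy setting present; confirm it belongs to software you installed "
                       "(a localhost proxy can be a security product or a hijack)")
    if line.startswith("F2 - "):
        return Finding(line, "review",
                       "winlogon Shell/UserInit differs from the default HijackThis expects; "
                       "verify the file is the genuine one in System32")
    if line.startswith("O2 - ") and line.endswith("(no file)"):
        return Finding(line, "fix", "BHO registration whose DLL no longer exists (orphaned entry)")
    if line.startswith("O6 - "):
        return Finding(line, "review",
                       "IE restriction policy key present under HKCU\\...\\Control Panel; "
                       "a HomePage value there greys out the Home page box in Internet Options")
    m = RUN_RE.match(line)
    if m:
        exe = EXE_RE.match(m.group("cmd"))
        path = (exe.group("path") if exe else m.group("cmd")).lower()
        if any(d in path for d in PROFILE_DIRS):
            return Finding(line, "fix", "autostart from a user-profile data directory")
        base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if base in DECOY_NAMES:
            return Finding(line, "fix", "executable named after a Windows directory (decoy name)")
        return None
    m = DPF_RE.match(line)
    if m and not m.group("url"):
        return Finding(line, "review", "ActiveX control registered with no download source recorded")
    return None


def triage(log_text: str) -> list:
    """Return every Finding for a pasted HijackThis log, in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


def summarize(log_text: str) -> dict:
    """Map severity -> number of findings, for a quick read of a pasted log."""
    counts = {"fix": 0, "review": 0}
    for f in triage(log_text):
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample, the script flags the same three entries the helper asks to fix (the orphaned BHO, system32.exe, and rtos.exe in Application Data) and puts the rest under "review"; it deliberately does not delete or change anything, so the human decision the helper insists on stays where it is.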
 

Registered · 8 Posts · Discussion Starter · #10
OK, but what are these?

I see Altnet Points Manager... I know that came with Kazaa.
But the others... what are they? Are they trojans or what? :(

I run a virus scan every week... Trend & AVG, and do updates for them almost every day. And they have never pointed those out...
:(

And I thought system32.exe & rtos.exe were part of Windows??

Thanks
TexCajun:)
 

Registered · 8 Posts · Discussion Starter · #12
OK, I removed the ones you said from HijackThis and rebooted to Safe Mode and did as you said. But I could not find either file, system32.exe or rtos.exe. I even did a file search for them... but it couldn't find them either.

Thanks
TexCajun
 

Registered · 8 Posts · Discussion Starter · #14
OK, here is the HijackThis log from today... let me know what you think :)

Logfile of HijackThis v1.97.7
Scan saved at 1:51:56 PM, on 4/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
D:\VIRUS\AVG\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
D:\Virus\TrendPc-Cillian\Tmntsrv.exe
D:\Virus\TrendPc-Cillian\tmproxy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
D:\CdBurners\Roxie\DirectCD\DirectCD.exe
D:\Virus\TrendPc-Cillian\PccPfw.exe
D:\VIRUS\AVG\avgcc32.exe
D:\WebPage\TweakPowerPack\TweakNow PowerPack\RAM_XP.exe
D:\CdBurners\MusicMatch\mmtask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Photos\HP Share-to-Web\hpgs2wnd.exe
D:\Photos\HP Share-to-Web\hpgs2wnf.exe
D:\Virus\TrendPc-Cillian\pccguide.exe
D:\Virus\TrendPc-Cillian\PCClient.exe
D:\Virus\TrendPc-Cillian\TMOAgent.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Utilities\PopUpVanish2\PopupVanish.exe
C:\WINDOWS\System32\RunDLL32.exe
D:\Internet\MailWasher\MailWasher.exe
D:\Desktop\TurboNote\tbnote.exe
D:\Virus\SpywareGuard\sgmain.exe
C:\WINDOWS\webshots.scr
D:\Internet\NEOPLA~1\bin\np.exe
D:\Virus\SpywareGuard\sgbhp.exe
D:\Internet\INCRED~1\bin\IMApp.exe
D:\ZIPS\Virus\Sypware Guard\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.texcajun.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gatewaybiz.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - D:\Microsolft\Money2003\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Virus\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\UTILIT~1\SEARCH~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - d:\internet\ws ftp pro\wsbho2k0.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\Internet\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\Internet\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\CdBurners\Roxie\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG_CC] D:\VIRUS\AVG\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [RAM Idle Professional] D:\WebPage\TweakPowerPack\TweakNow PowerPack\RAM_XP.exe
O4 - HKLM\..\Run: [mmtask] D:\CdBurners\MusicMatch\mmtask.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Photos\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "D:\Virus\TrendPc-Cillian\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "D:\Virus\TrendPc-Cillian\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "D:\Virus\TrendPc-Cillian\TMOAgent.exe" /run
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [IncrediMail] D:\Internet\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopupVanish] D:\Utilities\PopUpVanish2\PopupVanish.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe D:\Photos\Ofoto2\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: NeoPlanet.lnk = D:\Internet\NeoPlanet\bin\Neo.exe
O4 - Startup: SpywareGuard.lnk = D:\Virus\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = D:\Program Files\WebshotsPhotos\Launcher.exe
O4 - Global Startup: DriveSelect.lnk = D:\CdBurners\XCopy Express\Xpress\DriveSelect.exe
O4 - Global Startup: MailWasher.lnk = D:\Internet\MailWasher\MailWasher.exe
O4 - Global Startup: TurboNote.lnk = D:\Desktop\TurboNote\tbnote.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\Internet\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download All by FlashGet - D:\Internet\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Internet\FlashGet\jc_link.htm
O8 - Extra context menu item: Linked Ima&ges - C:\Program Files\IEimageN\IEimageN.htm
O9 - Extra button: Joyo (HKLM)
O9 - Extra button: PowerWord (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Linked Images (HKLM)
O9 - Extra 'Tools' menuitem: Linked Ima&ges (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5E7E117-6CEF-4AAF-ACDB-8343B8941454}: NameServer = 209.149.134.252 205.152.132.235
 

Registered · 8 Posts · Discussion Starter · #16
Yeah, I'm hoping to have my son put it on his computer soon when he gets internet.

I made him buy the full version of Kazaa to hopefully keep the adware, spyware etc. off of my computer. And I did notice a BIG difference after installing the paid version instead of the free one.

The free version had LOTS of crap... and we uninstalled it and did a sweep to get rid of it all. Then I told him he couldn't put it on my computer unless he got the paid version.

Then I ran Search & Destroy after installing it and it didn't find anything like it did with the free one.

But I'm still not crazy about it and hope to have it off of "my" PC soon.

Thanks for all your help!
TexCajun/Sandra
 