Full Version: Sec Thought.B virus
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
kathyboone
Good day! - I have the SecThought.B virus and have run AVG and SpyBot, to no avail. Could someone analyze my HijackThis results or advise me in what else I should try so that I can get rid of this nasty, time consuming annoyance? Thanks so much!
toadbee
Hi Kathy -

We love to help you out here :)

Do a new scan with Hijackthis and wait for it to change to *Save log* (it should then open a text editor when you click on *save log*)
>> just copy and paste the text it displays into your reply here, and someone will be along to help you out.

Also I'm going to remove your second post - your zip file was corrupted when I downloaded it.
kathyboone
Toadbee (or whoever picks this up),

I just want to say that you guys/gals out there are so great - especially your patience working with computer-challenged folks like me! Stuff like this can really make one feel stupid, and it's good to know that you're out there fighting the bad guys!

Now that I got that off my mind, here's my hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 2:48:59 PM, on 3/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\ClearSearch\Loader.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\WINDOWS\System32\keyword.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kathy\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=...173109102321100
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=...173109102321100
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Sqwire\s.dll (file missing)
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.imbum.com/Imbum.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://di.imgag.com/imgag/cp/install/AxCtp.cab
O16 - DPF: {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - http://a1040.g.akamai.net/f/1040/759/1h/pi...wnload/tbar.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstall...seInstaller.cab
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx
O16 - DPF: {B6D82B82-2D38-3C1A-BAB0-D8CA4575FCA3} (DownloadUL Class) - http://public.searchbarcash.com/cab/013/paevkwzs.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab


Thank you!!
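The log above is what a helper on the thread reads by eye. As an added example that is not part of the thread (and not a HijackThis feature), here is a small Python script that does the mechanical first pass: it parses the R/O entries and flags dead references, IE settings that point at an unexpected host, web-installed ActiveX controls (O16) fetched from hosts outside an allow-list, and logon autoruns that live directly in System32 under a name the owner does not recognise. The allow-lists TRUSTED_HOSTS and KNOWN_SYSTEM32_AUTORUNS are assumptions for this particular PC, and the sample lines are an excerpt of the log above (including its truncated URLs).

```python
"""Mechanical first pass over a HijackThis-style log.

Added example (not from the thread): parses the R/O entries and flags the
ones a helper would look at first. SAMPLE_LOG is an excerpt of the first
log posted in the thread; the allow-lists are assumptions for that machine.
"""
import ntpath
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Sqwire\s.dll (file missing)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
"""

# Assumed allow-lists for this particular PC: hosts the owner expects IE to
# talk to, and System32 autoruns that belong to known vendor utilities.
TRUSTED_HOSTS = ("microsoft.com", "macromedia.com", "dellnet.com")
KNOWN_SYSTEM32_AUTORUNS = {"igfxtray.exe", "hkcmd.exe"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
AUTORUN_RE = re.compile(r'\[(?P<name>[^\]]*)\]\s*"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)


def parse_log(text):
    """Yield (section, body) for every R*/O* line; other lines are ignored."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def host_trusted(url):
    """True only for an allow-listed host or a subdomain of one (suffix anchored on a dot)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def assess(section, body):
    """Return (verdict, reason) for one entry, or None if nothing stands out."""
    # Dead references: the file is gone but the registry still names it.
    if "(no file)" in body or "(file missing)" in body:
        return "orphan", "registry still references a file that no longer exists"
    # Browser start/search settings pointing off to an unexpected host.
    if section in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip()
        if value.startswith("http") and not host_trusted(value):
            return "hijack", f"IE setting redirected to {urlparse(value).hostname}"
    # ActiveX controls installed from the web (O16): where did they come from?
    if section == "O16":
        url = body.rsplit(" - ", 1)[-1]
        if not host_trusted(url):
            return "download", f"ActiveX control pulled from {urlparse(url).hostname}"
    # Logon autoruns (O4): unrecognised executables sitting directly in System32.
    if section == "O4":
        m = AUTORUN_RE.search(body)
        if m:
            path = m.group("path")
            exe = ntpath.basename(path).lower()
            in_system32 = ntpath.dirname(path).lower().endswith("\\system32")
            if in_system32 and exe not in KNOWN_SYSTEM32_AUTORUNS:
                return "autorun", f"unknown executable {exe} started from System32 at logon"
    return None


def triage(text):
    """Return [(verdict, section, reason, body), ...] for the flagged entries, in log order."""
    findings = []
    for section, body in parse_log(text):
        result = assess(section, body)
        if result:
            verdict, reason = result
            findings.append((verdict, section, reason, body))
    return findings


if __name__ == "__main__":
    for verdict, section, reason, body in triage(SAMPLE_LOG):
        print(f"{verdict:9} {section:4} {reason}\n          {body}")
```

The output is a worklist, not a verdict: the Adobe BHO is left alone, while anything the script cannot vouch for is listed. Entries tagged orphan are safe to fix in HijackThis; hijack and download entries name the hosts to look up; autorun entries are the files to collect a copy of before deleting, which is exactly what the helper asks for further down the thread.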
CalamityJane
Hi Kathy and welcome to Gladiator

You have a whole bunch of spyware and hijackers on there. This is going to take a number of steps, so we'll go slow for ya :)

First, you have a CoolWebSearch hijacker and that needs a special (free) tool to remove it called CWShredder.
Download it here:
http://www.spywareinfo.com/downloads/tools/CWShredder.exe

or

Here:
http://www.majorgeeks.com/downloadget.php?...6c5901960cc6e24

Just download it, and click on it (You will need to have all browsers and any open windows closed). Hit the *Fix* button to run it. Let it fix what it finds. When done, press *next* and you will get the results, and then *exit*

Reboot your PC after cleaning with the CWShredder
........................................
Now, you need to get the latest updates for Spybot (I can tell by the number of parasites on your log that maybe you missed that).

How to Update Spybot
http://www.safer-networking.org/index.php?...o&detail=update
1. Click on 'Online' in the navigation bar,
2. Click on 'Update',
3. Search for available updates,
4. Select ALL available updates,
5. Select a download location nearest to you,
6. Download the selected updates.
Updates will be installed without any further action needed.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED
............................
I also want you to download, update and run this other very good program as it has very fresh updates as of yesterday so it may find a few more items.

Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/

After downloading and installing it, please update the program first (it is important to get the updates before scanning). Just open Adaware and click on *Check for Updates Now* and then *Continue*. Let them download and install, then press the *Scan now* button. Let it fix what it finds.

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.

Here's my short tutorial with screen shots to help if you need it:
Adaware Tutorial Updates & Scanning
http://forum.gladiator-antivirus.com/index...?showtopic=8050
.......................................................

Now, please reboot once more. Scan again with HijackThis and post a fresh log back here to see what remains.
kathyboone
What a mess - I feel so violated! O.k., I've done all that you recommended. Here's my new HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 7:43:44 PM, on 3/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Kathy\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - Default URLSearchHook is missing
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [FIPVCI] C:\WINDOWS\FIPVCI.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

I'm humbled yet again by your knowledge - thank you for helping me with this!
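Between this log and the first one most of the parasites are gone, but one autorun (FIPVCI.exe) is present now and was not before. As an added example that is not part of the thread, the script below compares two HijackThis-style logs and separates what was removed, what persisted and what is new; a new autorun after a cleaning pass means something still running wrote it, which is a stronger signal than leftover debris. The sample lines are excerpts of the two logs above; the "(file missing)" suffix is stripped before comparison so that an entry whose file was deleted still matches its earlier self.

```python
"""Compare two HijackThis-style logs taken before and after a cleaning pass.

Added example (not from the thread). The set to act on is NEW: an autorun
that was absent before cleaning and present after it was written by
something still active. BEFORE and AFTER are excerpts of the two logs
posted in the thread.
"""
import re

BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
"""

AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [FIPVCI] C:\WINDOWS\FIPVCI.exe
"""

ENTRY_RE = re.compile(r"^[RO]\d+ - .+$")
# HijackThis appends this when the registry entry survives but the file is gone.
STATUS_RE = re.compile(r"\s*\(file missing\)$")


def entries(text):
    """Set of R*/O* lines, with the '(file missing)' suffix dropped so an entry
    whose file was deleted still matches its earlier self."""
    return {
        STATUS_RE.sub("", line.strip())
        for line in text.splitlines()
        if ENTRY_RE.match(line.strip())
    }


def compare(before, after):
    """Split the entries into removed / persisted / new, each sorted for stable output."""
    b, a = entries(before), entries(after)
    return {"removed": sorted(b - a), "persisted": sorted(b & a), "new": sorted(a - b)}


def reinfection_indicators(before, after):
    """New BHO, autorun or web-installed control entries: something still active dropped them."""
    return [line for line in compare(before, after)["new"] if line.startswith(("O2", "O4", "O16"))]


if __name__ == "__main__":
    for bucket, lines in compare(BEFORE, AFTER).items():
        print(bucket.upper())
        for line in lines:
            print("   ", line)
    print("REINFECTION INDICATORS")
    for line in reinfection_indicators(BEFORE, AFTER):
        print("   ", line)
```

The persisted bucket is the list to fix next (the dead ClearSearch BHO and the manage.exe autorun); the new bucket is where the helper's request for a copy of FIPVCI.exe comes from, since a file that appears after cleaning is the one most likely to explain how the rest got there.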
CalamityJane
Hey gal, you did a great job

There are a couple of files I would like to have a copy of. I've sent you a PM with my email address and asked you to put these into a zip file and email it to me so that I can have them analyzed:

O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe

O4 - HKLM\..\Run: [FIPVCI] C:\WINDOWS\FIPVCI.exe

Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use C:\Program Files\HijackThis but feel free to use any name or folder you like. Unzip HijackThis again and save the contents (Hijackthis.exe) to the new folder you made. Then navigate to it and run HijackThis from there. This is to ensure it makes the necessary backups for recovery if needed.

Next, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an x in the boxes next to these items, then press *fix checked*

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

If you did not set this yourself, fix it....otherwise, leave it alone
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;

R3 - Default URLSearchHook is missing

O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)

O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe

O4 - HKLM\..\Run: [FIPVCI] C:\WINDOWS\FIPVCI.exe

O4 - Startup: PowerReg Scheduler V3.exe

O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
..............................
Reboot your PC

Delete these named in bold:

C:\Program Files\ClearSearch (folder)

C:\WINDOWS\System32\manage.exe (file)

Then, scan once more with HijackThis and post a new log to make sure we got everything.
kathyboone
O.k., sorry it's taken me time to get your requests done. Life, family, and sleep took me away. It would appear that you guys don't ever sleep!!!

Following is my last HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 1:07:06 PM, on 3/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

I deleted C:\Program Files\ClearSearch, but I did not find C:\WINDOWS\System32\manage.exe after I fixed it in HijackThis.

The only manage.exe file that I found was C:\WINDOWS\Prefetch\ODF37B2F.pf

I have to say that, even though we may not be totally there yet, the computer is already running MUCH more smoothly!

Once again, thanks, and I look forward to hearing what I need to do next.

Blessings - Kathy
CalamityJane
Hi Kathy....looks gooooood (Sleep? What's that?)

Did you search for and find this file?
C:\WINDOWS\FIPVCI.exe

Make sure your PC is configured to show hidden files:
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Then look for

C:\WINDOWS\FIPVCI.exe and

C:\WINDOWS\System32\manage.exe

If you do have them I would like to get a copy of it to analyze.

If you don't have it a prior cleaning step may have removed it.
Hunter
The only manage.exe file that I found was C:\WINDOWS\Prefetch\ODF37B2F.pf

If you are interested..


Tool for flushing the Prefetch log and controlling the Prefetch Parameters.

What Is Prefetch?? -

Taken From Microsoft Website -
"Windows XP monitors the files that are used when the computer starts and when you start applications. By monitoring these files, Windows XP can prefetch them. Prefetching data is the process whereby data that is expected to be requested is read ahead into the cache. Prefetching boot files and applications decreases the time needed to start Windows XP and start applications."

This information is logged and stored on your hard drive taking up space and requiring a process to be kept running monitoring which applications are being run. This has a performance impact on your PC. Disabling the Prefetch function or at least only enabling it for the Boot Files will allow you to free up some system resources and preserve some disk space.
Hunter
And here is the tool :)

And in this thread I made some posts about why it can help users of XP at start-up.

http://forum.gladiator-antivirus.com/index...67&hl=xpantispy
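Before flushing the Prefetch folder it is worth knowing what those .pf files hold. Windows names them EXENAME.EXE-XXXXXXXX.pf and records in each the executable it belongs to, when it last ran and how many times, so a .pf file is evidence that a program executed even after the program itself has been deleted (the manage.exe entry Kathy found in Prefetch is exactly that kind of trace). As an added example that is not part of the thread, the Python below reads those header fields from an XP-format (version 17) prefetch file. The sample file is constructed in code to that layout; its executable name, hash, timestamp and run count are made up, and the parser deliberately refuses the later Vista/7/8/10 layouts, which differ in offsets and, on Windows 10, are compressed.

```python
"""Read the header of a Windows XP Prefetch (.pf) file.

Added example, not from the thread. Only the XP layout (version 17) is
handled: version at 0x00, 'SCCA' signature at 0x04, file size at 0x0C,
executable name as 60 UTF-16LE characters at 0x10, prefetch hash at 0x4C,
last run time as a FILETIME at 0x78 and the run counter at 0x90. The sample
built by build_sample() is constructed; its contents are invented.
"""
import struct
from datetime import datetime, timedelta, timezone

SCCA_MAGIC = b"SCCA"
XP_VERSION = 17
HEADER_LEN = 0x98
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_xp_prefetch(data):
    """Return the header fields of an XP-format prefetch file; raise on anything else."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short to be a prefetch file")
    version, magic = struct.unpack_from("<I4s", data, 0)
    if magic != SCCA_MAGIC:
        raise ValueError("missing SCCA signature")
    if version != XP_VERSION:
        raise ValueError(f"version {version} is not the XP layout")
    file_size = struct.unpack_from("<I", data, 0x0C)[0]
    # 60 UTF-16LE characters, NUL terminated; everything after the first NUL is padding.
    name = data[0x10:0x10 + 120].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_run_ft = struct.unpack_from("<Q", data, 0x78)[0]
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    return {
        "executable": name,
        "hash": f"{prefetch_hash:08X}",
        "expected_filename": f"{name}-{prefetch_hash:08X}.pf",
        "last_run": filetime_to_datetime(last_run_ft),
        "run_count": run_count,
        "file_size": file_size,
    }


def build_sample(name="MANAGE.EXE", prefetch_hash=0x1A2B3C4D, run_count=3,
                 last_run=datetime(2004, 3, 13, 14, 0, tzinfo=timezone.utc)):
    """Constructed XP-style header for demonstration; only the fields read above are filled in."""
    header = bytearray(HEADER_LEN)
    struct.pack_into("<I4s", header, 0, XP_VERSION, SCCA_MAGIC)
    struct.pack_into("<I", header, 0x0C, HEADER_LEN)
    header[0x10:0x10 + 120] = name.encode("utf-16-le").ljust(120, b"\x00")
    struct.pack_into("<I", header, 0x4C, prefetch_hash)
    struct.pack_into("<Q", header, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", header, 0x90, run_count)
    return bytes(header)


if __name__ == "__main__":
    for key, value in parse_xp_prefetch(build_sample()).items():
        print(f"{key:18} {value}")
```

Run it against a real file with parse_xp_prefetch(open(path, "rb").read()). The practical point for a cleanup like this one: copy the Prefetch folder somewhere safe (or at least note the names and timestamps) before running any tool that empties it, because once it is flushed the record of what ran, and when, is gone.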
kathyboone
Calamity -

I wasn't sure if I should copy the files to here or to your email, so I chose here.


I've attached the FIPVCI file. I still did not find the manage.exe in \System32. There is one in the same place as the FIPVCI.exe, i.e.,

C:\Documents and Settings\All Users\Application Data\Spybot - Search&Destroy\Recovery\WinEssentialJraunKanhaiya6.zip


I'll check one more time.
CalamityJane
Thanks, Kathy

I got it and deleted the download so someone else doesn't accidentally get it.

If that file is located ONLY in the Spybot Recovery folder, it is ok. You can delete those items in the Spybot recovery through the program. Do that once you are sure all programs are running smoothly and properly. Nothing harmful can run from the Recovery folder, but it is put there in case you remove something you shouldn't have. Once you are clean and all is ok - you can just empty everything in that recovery of Spybot.

Don't worry about not finding manage.exe. A prior cleaning step may have removed it and all that was left was the registry entry, which is now fixed.

Go ahead and clean out your prefetch files that Hunter has listed for you and I'll be back in a few with some more things you need to do for prevention and then I think we'll be done
CalamityJane
Ok, I sent you a Private message (check your message box up top) since I need the password to open the zip file.

Now, let's talk prevention and how you got infected in the first place :)

First and most important, you need to get ALL the Windows Critical Security Updates (that's how a lot of that malware got on your system without your knowledge). Today's pests are using exploits in Windows and IE to install on you silently.

Go here and get all the recommended critical updates for your OS and IE.
http://v4.windowsupdate.microsoft.com/en/default.asp

That's going to take a while probably but will protect you from many of today's spyware and hijackers (but not all...still have some other things for you to do)

But next, since your PC is now clean, you'll need to reset the restore points in Windows XP......why?

One of the best features of Windows ME or XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857

Follow those steps and recommendations in that page and you will be able to keep most of this stuff off your system so you don't have to feel violated ever again
kathyboone
Sorry - I guess I'm determined to infect the rest of the world in my ignorance!

I did find this in the "fix" log from yesterday:

WinEssential.Jraun.Kanhaiya: Executable (File, fixed)
C:\WINDOWS\System32\manage.exe
kathyboone
O.k.! Looks like I'm there. It's amazing how much one can get done elsewhere while one is waiting for updates to install! System Restore back on (I had turned it off when all this started).

I guess the question is, how did this happen? I have AVG free version (which we're going to purchase). I guess I didn't realize that I had to regularly update from the site, and the Trojan slipped in during that time. Will AV packages protect me from all the spyware junk I encountered, or will it just protect me from viruses? I also regularly install the updates from Microsoft - did I miss a critical update; and in the meantime, the bad guys infiltrated?

What I've learned (actually, I've learned a lot!) is that I need to be diligent and run all your suggested packages on a regular basis.

And I guess the question of the century is: What's in it for all the guys out there developing this nasty stuff? Is it just that they enjoy making folks miserable, or is there more to it? What makes me sad is people like my 78 year-old mom that will be dead in the water if this happens to her. She's challenged simply loading software, much less keeping up with AV updates and spyware. Unfortunately, she lives 8 hours away so it's not easy to help her. At least my knowledge base was enough that you wonderful guys could dumb it down for me.

Lastly, I can't thank you guys enough for all you've done, especially your patience in taking me step-by-step through this. You have a real gift when you can take all the knowledge that you have and make it simple for folks like me. My husband is a software engineer (though your realm is not his), and he hopes to develop shareware (when he figures out what it is!) to give back to all you folks that have been so generous to give to us.

If I could send you flowers, I would - THANKS!!!!!!!!!
CalamityJane
Well, you are not alone if that makes you feel better. I think a lot of people have the same questions, same problems you do.

What you had was not a true *virus* but spyware and hijackers. The AVs are all now starting to add detection and to some extent, cure for these nasties, however, the Antispyware programs really do it best. Since the AVs do not have a category for Spyware they call it a trojan or a virus and actually, sometimes this stuff can be just as nasty. The Spybot and Adaware programs are the best to have on board for a weekly update, scan and cleaning. They can't really prevent it (with the exception of Spybot and its *immunize* feature, which prevents some - and Adaware's paid version which has the Adwatch feature.) For prevention you want to see my page I listed above:

How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857

SpywareBlaster, SpywareGuard and IESPYAD are all free programs that can prevent a lot of the junk from installing in the first place. Having ALL the critical Windows Security Updates is also important.

[rant] Most of this junk is the handiwork of Spammers and dirty advertisers. They will hit everyone in hopes of snagging a few and there are dollars to be made for them, so they will continue, you can bet. The latest threat is this scum offering up so-called Antispyware in Ads to poor unsuspecting folks to make a sale and then they load you up with Spyware or take your money and don't really work at all. These are the Spyware scanner ripoff programs and they are proliferating as well. The best scanners we are using are free (but donate to the authors if you appreciate and use the program and can afford to). No need to buy anything, but most people don't know that.

And yes, we are all in the same boat as you with our friends and family who are less prepared than us to deal with it. We all have parents, brothers, sisters, friends who all suffer the same problems, who lack expertise (or time) at computing and/or the knowledge to keep up with and deal with it. I don't think there are any of us here who don't have at least one *challenge* user we try to keep safe, but find it very difficult at a long distance in addition to what we do here.

It's a war and we are fighting it the best we know how on this site and on many others across the internet. But, it seems we are losing ground. In the meantime - we keep on fighting. [/rant]

Sends you flowers
Hunter
So what else can we tell you.. :)

1. Windows XP "out of the box" (term used for any software that is not set up for the specific use of your PC as a home user) is the most vulnerable OS put out by Microsoft. There are so many services you will never use that can be exploited. As you see, the updates you are now getting from them for your OS and your browser are not trivial..but even after that is done I suggest you turn off some of those services with xpantispy, which is a set-and-forget program that is free.



http://www.xp-antispy.org/

What is XP-AntiSpy?

XP-AntiSpy is a little utility that lets you disable some built-in update and authentication 'features' in WindowsXP.
For example, there's a service running in the background which is called 'Automatic Updates'. I don't know what this service transfers from my machine to other machines on the internet, especially the MS ones. So I play it safe and disable such functions. If you like, you can even disable these functions manually, by going through the System and checking or unchecking some checkboxes. This will take you approximately half an hour. But why waste time when a little neat utility can do the same in 1 minute? This utility was successfully tested by lots of users, and was found to disable all the known 'Suspicious' Functions in WindowsXP. It's customizable, but comes up with the Default settings, which are recommended. If you like to get more information about those 'functions', read THIS.

This utility is FREEWARE! This means you don't have to pay anything for this program and you can give it to anyone who's interested, as long as you don't sell it. If you find this tool useful, and wanna gimme something back, then click on my sponsors.
Thanks.




Important information: The domains www.xp-antispy.de and www.xpantispy.de do not belong to the project xp-AntiSpy anymore. The new owner offers only a dialer to download.
Please update any links and your bookmarks to www.xp-antispy.org
Greetings, -chris-
CalamityJane
@johnny408

I have moved your post to a new topic of it's own.

You can follow it here :)

johnny408's HijackThis Log
http://forum.gladiator-antivirus.com/index...showtopic=11828