I have a user with W2k sp4. Spybot S&D has been used a few times in the past few weeks. Some problems have been solved, some...not so much.
Here's the HJT log
Thank you1
Logfile of HijackThis v1.97.7
Scan saved at 10:22:06 AM, on 7/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\sqmdsra.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\PROGRA~1\INTERN~2\inetsvc.exe
C:\WINNT\system32\oclbse.exe
C:\WINNT\system32\shdtcui.exe
C:\WINNT\system32\shdtcui.exe
C:\WINNT\system32\shdtcui.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\FSUTILI.exe
C:\WINNT\system32\erisignpub1v.exe
C:\Hijack This\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50140
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50140
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50140
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: (no name) - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\sqmdsra.exe
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [wxcxkoxtcg] C:\WINNT\system32\oclbse.exe
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O4 - HKLM\..\Run: [AutoLoaderq83u1WWKIKZd] "C:\WINNT\system32\shdtcui.exe" /PC="AM.SKHN" /HideUninstall /HideDir
O4 - HKLM\..\Run: [qnsS3qj] shdtcui.exe
O4 - HKLM\..\Run: [AutoLoaderq83Y1WWKIKZd] "C:\WINNT\system32\shdtcui.exe"
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKLM\..\Run: [FSUTILI] C:\WINNT\system32\FSUTILI.exe
O4 - HKLM\..\Run: [erisignpub1v] C:\WINNT\system32\erisignpub1v.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/express...tall/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7879.5035763889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = planres.tld
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = planres.tld
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = planres.tld
Full Version: Popups a Plenty
Spybot is great, but it hasn't been updated in a few weeks, so let's give Adaware a go of it first to clean up a bit more and then we'll see what is left to take care of manually.
Run the scan in SAFE MODE.
Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/
(choose download from the lefthand menu)
Go to: Select Full Install and choose the download location of your choice (1.7mb)
Choose Download from
http://fileforum.betanews.com/detail.php3?fid=965718306 <--(I found FileForum easiest)
Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.
Also download and install the Vx2 Cleaner Plugin. Download it here:
http://www.lavasoft.de/software/plugins/vx2cleaner.shtml
After download and installing first, please update the program. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # : 01R329 06.07.2004 or higher listed.
In Ad-aware click the Gear icon to go to the Settings area.
The following items should be on a green check, not on a red X.
Under the Scanning button:
Scan within archives
Under Memory & Registry, Check EVERYTHING
In Check Drives & Folders, make sure all of your hard drives are selected
Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)
Under the Tweak button...
Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.
In Scanning Engine:
Unload recognized processes during scanning
Include info about ignored objects in logfile, if detected in scan
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Include used command line parameters in logfile
In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot
UNCHECK: Automatically try to unregister objects prior to deletion
Click Proceed to save these settings.
Don't scan yet, please. We need to do the next steps in SAFE MODE, so please copy these instructions so you have them handy since you will probably not be able to get online in safe mode.
Now, Reboot into safe mode (instructions included in case you need them.
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
Open Adaware, Press *scan now* and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.
Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed).
Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.
Scan once more with Hijackthis and don't remove anything yet in the log. Post it back here so we can see what may remain to be fixed :)
Run the scan in SAFE MODE.
Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/
(choose download from the lefthand menu)
Go to: Select Full Install and choose the download location of your choice (1.7mb)
Choose Download from
http://fileforum.betanews.com/detail.php3?fid=965718306 <--(I found FileForum easiest)
Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.
Also download and install the Vx2 Cleaner Plugin. Download it here:
http://www.lavasoft.de/software/plugins/vx2cleaner.shtml
After download and installing first, please update the program. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # : 01R329 06.07.2004 or higher listed.
In Ad-aware click the Gear icon to go to the Settings area.
The following items should be on a green check, not on a red X.
Under the Scanning button:
Scan within archives
Under Memory & Registry, Check EVERYTHING
In Check Drives & Folders, make sure all of your hard drives are selected
Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)
Under the Tweak button...
Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.
In Scanning Engine:
Unload recognized processes during scanning
Include info about ignored objects in logfile, if detected in scan
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Include used command line parameters in logfile
In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot
UNCHECK: Automatically try to unregister objects prior to deletion
Click Proceed to save these settings.
Don't scan yet, please. We need to do the next steps in SAFE MODE, so please copy these instructions so you have them handy since you will probably not be able to get online in safe mode.
Now, Reboot into safe mode (instructions included in case you need them.
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
Open Adaware, Press *scan now* and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.
Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed).
Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.
Scan once more with Hijackthis and don't remove anything yet in the log. Post it back here so we can see what may remain to be fixed :)
All righty...
Ran all that fun stuff and here's what HJT came up with.
Logfile of HijackThis v1.97.7
Scan saved at 1:34:25 PM, on 7/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\sqmdsra.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\INTERN~2\inetsvc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\YMEVNTS.exe
C:\WINNT\system32\dbccr32o.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50140
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\sqmdsra.exe
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKLM\..\Run: [qnsS3qj] mfctcpip.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\KMJ\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [YMEVNTS] C:\WINNT\system32\YMEVNTS.exe
O4 - HKLM\..\Run: [dbccr32o] C:\WINNT\system32\dbccr32o.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [bC32RkHET] audhlexd.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/express...tall/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7879.5035763889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = planres.tld
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = planres.tld
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = planres.tld
:thx: !
Ran all that fun stuff and here's what HJT came up with.
Logfile of HijackThis v1.97.7
Scan saved at 1:34:25 PM, on 7/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\sqmdsra.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\INTERN~2\inetsvc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\YMEVNTS.exe
C:\WINNT\system32\dbccr32o.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50140
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\sqmdsra.exe
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKLM\..\Run: [qnsS3qj] mfctcpip.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\KMJ\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [YMEVNTS] C:\WINNT\system32\YMEVNTS.exe
O4 - HKLM\..\Run: [dbccr32o] C:\WINNT\system32\dbccr32o.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [bC32RkHET] audhlexd.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/express...tall/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7879.5035763889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = planres.tld
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = planres.tld
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = planres.tld
:thx: !
Down to the final fixes now :)
1. Make sure your PC is configured to show hidden files
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
2. Make a copy of these instructions so you have it handy since the remainder of the steps will be done in SAFE MODE with IE closed.
3. Reboot your PC into SAFE MODE
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
4. Scan with HijackThis and when it finishes, put an x in the boxes next to these items, then press *fix checked*
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50140
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKLM\..\Run: [qnsS3qj] mfctcpip.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\KMJ\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [YMEVNTS] C:\WINNT\system32\YMEVNTS.exe
O4 - HKLM\..\Run: [dbccr32o] C:\WINNT\system32\dbccr32o.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [bC32RkHET] audhlexd.exe
.................................
5. Stay in Safe mode and delete the following folders and files named in bold
C:\PROGRAM FILES\INTERNET KEYWORDS (folder
C:\Program Files\TV Media (folder)
C:\WINNT\srchupdt.exe (file)
C:\DOCUME~1\KMJ\LOCALS~1\Temp\tb_setup.exe (file)
C:\WINNT\system32\YMEVNTS.exe (file)
C:\WINNT\system32\dbccr32o.exe (file)
audhlexd.exe (file - you'll have to search for it.)
6. Clean out Temporary files:
Go to Start > Run > type in the box: cleanmgr. Let Windows scan your system for files to remove. When done, make sure these three are checkmarked and press *ok* to remove files:
Temporary Files
Temporary Internet Files
Recycle Bin.
7. Reboot back into normal mode. Scan once more with HijackThis and post a new log please to see what remains :)
1. Make sure your PC is configured to show hidden files
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
2. Make a copy of these instructions so you have it handy since the remainder of the steps will be done in SAFE MODE with IE closed.
3. Reboot your PC into SAFE MODE
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
4. Scan with HijackThis and when it finishes, put an x in the boxes next to these items, then press *fix checked*
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50140
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINNT\srchfst.dll
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKLM\..\Run: [qnsS3qj] mfctcpip.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\KMJ\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [YMEVNTS] C:\WINNT\system32\YMEVNTS.exe
O4 - HKLM\..\Run: [dbccr32o] C:\WINNT\system32\dbccr32o.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [bC32RkHET] audhlexd.exe
.................................
5. Stay in Safe mode and delete the following folders and files named in bold
C:\PROGRAM FILES\INTERNET KEYWORDS (folder
C:\Program Files\TV Media (folder)
C:\WINNT\srchupdt.exe (file)
C:\DOCUME~1\KMJ\LOCALS~1\Temp\tb_setup.exe (file)
C:\WINNT\system32\YMEVNTS.exe (file)
C:\WINNT\system32\dbccr32o.exe (file)
audhlexd.exe (file - you'll have to search for it.)
6. Clean out Temporary files:
Go to Start > Run > type in the box: cleanmgr. Let Windows scan your system for files to remove. When done, make sure these three are checkmarked and press *ok* to remove files:
Temporary Files
Temporary Internet Files
Recycle Bin.
7. Reboot back into normal mode. Scan once more with HijackThis and post a new log please to see what remains :)
ARRRRRRRRRR :pirate:
Have we stopped the mutinous code?
Logfile of HijackThis v1.97.7
Scan saved at 4:16:49 PM, on 7/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\sqmdsra.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Hijack This\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\sqmdsra.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/express...tall/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7879.5035763889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = planres.tld
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = planres.tld
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = planres.tld
Thank you, yet again, for all of your help!!
Have we stopped the mutinous code?
Logfile of HijackThis v1.97.7
Scan saved at 4:16:49 PM, on 7/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\sqmdsra.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Hijack This\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\sqmdsra.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/express...tall/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7879.5035763889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = planres.tld
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = planres.tld
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = planres.tld
Thank you, yet again, for all of your help!!
I hate to tell you this, but there is a new one has appeared.
You'll need to do this in Safe mode:
Scan with HijackThis and checkmark these items, then press *fix checked*
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
While still in Safe Mode, delete the following folder
C:\Program Files\Common Files\WinTools <--delete entire folder.
Reboot back into normal mode and post a new log please :)
You'll need to do this in Safe mode:
Scan with HijackThis and checkmark these items, then press *fix checked*
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
While still in Safe Mode, delete the following folder
C:\Program Files\Common Files\WinTools <--delete entire folder.
Reboot back into normal mode and post a new log please :)
I hate to sound dense, but how did this machine just pick up another problem? This kind of infection is unusual for our company and I'm wondering how to address it as I go forward. We're pretty small, but do have antivirus and a firewall. There is no restriction on websites though (yet). How does this start? Do I need to worry that this user is misbehaving? :angry: I'm the de facto network administrator with working knowledge of all of this, but it's learn as I go. And I do thank all of you very much for helping me! This forum ROCKS!
Anyway, here's the new HJT log..
Logfile of HijackThis v1.97.7
Scan saved at 11:40:59 AM, on 7/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\sqmdsra.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Hijack This\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\sqmdsra.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/express...tall/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7879.5035763889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = planres.tld
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = planres.tld
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = planres.tld
Anyway, here's the new HJT log..
Logfile of HijackThis v1.97.7
Scan saved at 11:40:59 AM, on 7/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\sqmdsra.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Hijack This\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\sqmdsra.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/express...tall/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7879.5035763889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = planres.tld
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = planres.tld
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = planres.tld
Carrieant,
This one needs to go. Scan in HJT and checkmark then press *fix checked*
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\sqmdsra.exe
Reboot into safe mode and delete:
C:\WINNT\system32\sqmdsra.exe
Our best recommendations for prevention of Hijacks and spyware is here:
How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857
It takes more than an Antivirus and a Firewall these days :( This type of malware is growing rapidly and your users could be risky or just ignorant about how to secure IE and their PC. You will have to evaluate that.
I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.
MBSA Version 1.2 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
You might also consider an alternative browser and use IE only when needed for sites that require ActiveX and are trusted (like Windows update or the online virus scanners). I use Firefox for 99% of my everyday surfing (using it right now in fact). It's free and very easy to setup, understand and use without many of the vulnerabilities that IE has. Or feel free to search around for info on other alternative browsers.
Firefox
http://www.mozilla.org/products/firefox/
This one needs to go. Scan in HJT and checkmark then press *fix checked*
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\sqmdsra.exe
Reboot into safe mode and delete:
C:\WINNT\system32\sqmdsra.exe
Our best recommendations for prevention of Hijacks and spyware is here:
How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857
It takes more than an Antivirus and a Firewall these days :( This type of malware is growing rapidly and your users could be risky or just ignorant about how to secure IE and their PC. You will have to evaluate that.
I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.
MBSA Version 1.2 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
You might also consider an alternative browser and use IE only when needed for sites that require ActiveX and are trusted (like Windows update or the online virus scanners). I use Firefox for 99% of my everyday surfing (using it right now in fact). It's free and very easy to setup, understand and use without many of the vulnerabilities that IE has. Or feel free to search around for info on other alternative browsers.
Firefox
http://www.mozilla.org/products/firefox/
That, too has been taken care of. hopefully I'm clean now. Thank you for your efforts and also for the information and advice.
Take Care ;)
CA
Take Care ;)
CA
You're welcome! Glad we could help 
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.