Full Version: please help
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
mushuriyu
Hey guys, please help. I can't connect to web pages, email, messengers, or anything web-based on my laptop. I can ping, but I can't do anything else. And when I ping, I am pinging web addresses... http:// and www.

Here is my HJT logfile:
Logfile of HijackThis v1.97.7
Scan saved at 12:34:41 PM, on 10/5/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NetZero\exec.exe
C:\Documents and Settings\Daniel Levy\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
Bobbi Flekman
Hi mushuriyu,

There is a newer version of HijackThis than what you are using. Please get the new version from one of these addresses.
http://209.133.47.12/~merijn/files/HijackThis.exe
http://www.mjc1.com/mirror/hjt/
http://downloads.net-integration.net/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html

Run HijackThis, click on "Scan" and check the boxes next to all these items.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

You are running MyWebSearch (or MyBar). This is not technically malware, but it is thought to be bad by many experts and it will bring malware with it. There are safer alternatives available such as the Google toolbar.
If you want to remove it, open "Add/Remove Programs" in the Control Panel. Select the "My Search Bar" (MySearch variant), "MyWay Speed Bar" (MyWay) or "My Web Search Bar" (MyWeb) entry and click "Remove". For the MyWeb variant, be sure to also remove "Fun Web Products Easy Installer".
Here are the components to fix with HijackThis and you will need to remove the main program as well:
O4s are bad!

O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL

O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your Computer in Safe Mode. How do I Safe Boot my computer?

You may have to have hidden files showing. How do I show hidden files?

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\Downloaded Program Files\SbCIe028.dll

Delete the following folders in red (it could be that they are deleted already):

C:\Program Files\Toolbar
C:\Program Files\MyWay

Restart your computer and post a new log.
mushuriyu
Hello all,

I really hate this computer! But, since you all really know your stuff, I figured I'd ask you again for your help. For some reason, when I start my computer, the "My Documents" folder opens... Also, QuickTime opens up, not on screen, but in the toolbar at the bottom right-hand corner. I have many times gone to msconfig and deselected QuickTime, but it still keeps coming up. And in msconfig, there is nothing that says anything about My Documents.

Here is my startup list from msconfig:

hpsysdrv
hkcmd
KBD
coloreal
RECGUARD
remind_XP
nwiz
ps2
lxamsp32
WFXSWTCH
wfxsnt40
ccApp
UrlLstCK (x3)
realsched
sgtray
cdaEngine0400
qttask ----> which I have turned off over 50 times, yet it still keeps coming back on
rundll32
Incmail
MsnMsgr
Adobe Gamma Loader

I don't know if that will help, but all I want to start on startup is the following:

IncrediMail, MSN Messenger, and any program needed to load and properly run Windows. If you need more info, please tell me what info, and how to get it.

As for the My Documents folder, what can I do?

Thank you for all your help!

mushuriyu
TheSentinel
Howdy mushuriyu, nice to see you back here :)

You should clean up your startup folder of programs which are always going to place themselves in this folder.

Open the startup folder and simply delete the entry for QuickTime Player. On the next start it won't come up again.

I suggest you run a HJT log file too, because the reported problems may be caused by unwanted stuff you have picked up while surfing the web.
Here are the details of how to do a HJT log:

Before we can give you any help to solve your problem, please have a first look here:

READ THIS FIRST

This link will tell you where to get the needed programs for your HJT log file.

After that you should post your HJT log file here:

HELP! Think you are Infected?


Greetz
B. Udo
mushuriyu

Thank you Sentinel for your reply. However, I looked in my startup folder and the only thing in that folder is the Gamma Loader. When I run msconfig, that is the only place that I see QuickTime. I select it to be disabled, yet every day it enables itself again.

As for HijackThis, I have the program already; I will post the log today.

Thanks again,

mushuriyu
Hunter
Yes, please do post your HijackThis log, but also read this:

How to stop qttask from loading

Problem:

I have tried everything I can think of to stop Qttask.exe (Quicktime's annoying little program that loads at startup). I've tried deleting it from my HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run entry in the registry, as well as tried to find a flag to set in the Quicktime Control Panel to stop it from loading. However, if I load a Quicktime video, as soon as I start the computer again, there it is. Does anyone have an end-all solution to this other than uninstalling Quicktime?

See this link for some very good ways to do that:

http://www.annoyances.org/exec/forum/win2000/t1042641285

One you will see is this:

This One Works ...
File search is for qttask.exe
Which my XP did not locate and I detest XP search because it never finds my stuff
and I have to go manually find everything but that is another gripe lol
I manually went over to C:\Program Files\QuickTime\ and inside this directory I did
find qttask.exe and I renamed it to qttask2.exe ...
I rebooted system and went to my website where I have a file to use to try this out
and I heard the file and qttask.exe did not place itself into my start menu ...
Now I have a same problem with realsched so I will now begin seeking out answers
for this so that it will stop placing itself into my start menu :o)
Cherry

On Saturday, October 11, 2003 at 8:46 pm, Walt Liebkemann wrote:
>1) Do a file search for qttask.exe
>2) Rename all instances of qttask.exe to
> qttask2.exe
>3) restart your computer
>
>Now qttask can't load, but won't generate an error message. You can still view .mov files just fine.
>
>Good luck!

You could also try that same thing for your realsched.

But read the whole thread to decide how you want to do it.


Then we can also talk about the other programs you do not want in your startup.
Hunter
realsched

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

That is the updater for RealPlayer and it could be considered borderline "adware" since it pops up ads on your desktop from time to time. Every time I install or upgrade RealPlayer, I disable this component:

(1) terminate the "realsched.exe" process using a free process viewer.
http://www.teamcti.com/pview/prcview.htm


(2) go to the above "Update_OB" folder and rename realsched.exe to realsched.disabled {you can do this from Explorer or from the Command Prompt if you know how}.
(3) Open MSConfig {Start, Run, MSConfig}; go to the Startup tab and UNcheck {disable} the entry named "TkBellExe" which launches realsched.exe when Windows starts up.

That's it! If you follow these steps, no more popup ads! {that is, no more ads from RealPlayer's updater, realsched.exe}. Very Simple!

NOTE: The reason you have to rename the executable {from .exe to .disabled} is because otherwise RealPlayer will run realsched.exe and regenerate itself {undo what you have disabled} every time you run the program. That is, it will load realsched.exe in memory and regenerate the "TkBellExe" registry entry you disabled.



*********************

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\REALSCHED.EXE -osboot

This is a resource killer, get rid of it at all costs - Real Networks Scheduler which gets installed with RealOne Player. Under Win9x/ME this task shows as TKBELLEXE, and as EVNTSVC under Windows 2000/XP or REALSCHED depending on which version of RealOne Player you have installed. From our experience, everything that applies to EVNTSVC below, also applies to REALSCHED. RNDAL elsewhere in these Task List pages is a good starting point to read about RealOne Player.

Next, a 15-Jun-2002 extract from the RealOne Player License Agreement that is specific to EVNTSVC (the said License Agreement was updated on 25-Nov-2002 by Real Networks and EVNTSVC was replaced by REALSCHED in that version of the License Agreement):

An application Scheduler, known as "evntsvc.exe," is installed along with RealOne Player. Once installed, it runs independently of RealOne Player. The Scheduler does not collect personal information or communicate with RealNetworks’ servers. It is used to remind AutoUpdate and Message Center to perform their tasks at pre-scheduled intervals. The Scheduler is also used to automatically launch RealNetworks’ Media Type Helper. The Media Type Helper ensures the system is configured for correct operation of the RealOne Player with Multi-Purpose Internet Mail Extensions ("MIME") types, file extensions, Internet protocols and other media types. If a media type has been assigned a different action by a different application, Media Type Helper may override the association and substitute its own association.

Recommendation: If reading about RNDAL did not put you off, then read on. RealPlayer Classic used to be one of the most needed pieces of software on a PC. Its successor, RealOne Player, is vying for the title of the most hated piece of software. For a start, on many PCs EVNTSVC slows down boot-ups unacceptably, using up to 90% of CPU time at times. There have also been reports of EVNTSVC dropping advertising shortcuts onto the desktop during idle times.

Next, if you try to disable EVNTSVC via Startup Manager or MSCONFIG, RealOne Player checks to see if it has been deleted from the Registry and re-instates it as a startup item! To be fair, there is a facility within RealOne Player to "only perform automatic services while RealOne Player is in use". As stated in our write-up for RNDAL, our recommendation is to de-install RealOne Player and either use the classic RealPlayer, or something else such as WinAmp. If you absolutely want to keep RealOne Player, we suggest you rename EVNTSVC.EXE to EVNTSVC.EXE.OLD (or REALSCHED.EXE to REALSCHED.OLD) as that is the only way to make absolutely certain that it never runs, and RealOne Player works fine without it.

http://www.dslreports.com/forum/remark,8772710~mode=flat
mushuriyu
Logfile of HijackThis v1.97.7
Scan saved at 9:38:06 AM, on 10/29/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\lxamsp32.exe
C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\msCMTSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Real\RealOne Player\realplay.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: MyQuickSearch Search Assistant BHO - {04011C11-2F3B-44ed-977C-270CA669C6B2} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\SbCIe027.dll
O2 - BHO: mqsBar BHO - {0E677221-E309-4341-81BD-3CC3018BF5B3} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {B5D1D750-55C1-412F-8919-97BDEBCF5998} - C:\WINDOWS\System32\cefwmdm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {DE4C3BE4-5394-4AA2-8752-863A9799B41B} - (no file)
O3 - Toolbar: (no name) - {0E677229-E309-4341-81BD-3CC3018BF5B3} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CDTInc/bridge.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00726/sb027.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab


I did the renaming of qttask.exe, but remember, my "My Documents" folder keeps loading at startup and I see nothing in the startup log that can do that. Please let me know what else I can do, and what else I can remove. Thank you!

mushuriyu
Bobbi Flekman
Hi mushuriyu,

There is a newer version of HijackThis than what you are using. Please get the new version from one of these addresses.
http://209.133.47.12/~merijn/files/HijackThis.exe
http://www.mjc1.com/mirror/hjt/
http://downloads.net-integration.net/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html
http://www.downloads.subratam.org/hijackthis.zip

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

CODE
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"_{00D6A7E7-4A97-456f-848A-3B75BF7554D7}"=-
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Open "Add/Remove Programs" in the Control Panel. Select "WildTangent" and click "Remove".

Run HijackThis, click on "Scan" and check the boxes next to all these items.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,

O2 - BHO: MyQuickSearch Search Assistant BHO - {04011C11-2F3B-44ed-977C-270CA669C6B2} - (no file)
O2 - BHO: (no name) - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\SbCIe027.dll
O2 - BHO: mqsBar BHO - {0E677221-E309-4341-81BD-3CC3018BF5B3} - (no file)
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O2 - BHO: (no name) - {B5D1D750-55C1-412F-8919-97BDEBCF5998} - C:\WINDOWS\System32\cefwmdm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: (no name) - {DE4C3BE4-5394-4AA2-8752-863A9799B41B} - (no file)
O3 - Toolbar: (no name) - {0E677229-E309-4341-81BD-3CC3018BF5B3} - (no file)

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

O9 - Extra button: SideStep (HKLM)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CDTInc/bridge.cab
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00726/sb027.cab


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

You may have to have hidden files showing. How do I show hidden files?

Folders and files with a tilde (~) mean that there is a file/folder that starts with the six characters in front of the tilde; note that there may be spaces in the name. If there is more than one, please report them back and do not delete!

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\Downloaded Program Files\bridge.dll
C:\WINDOWS\System32\cefwmdm.dll

Delete the following folders in red (it could be that they are deleted already):

C:\WINDOWS\Downloaded Program Files\CONFLICT.1
C:\Program Files\WildTangent
C:\Program Files\WebSavingsfromEbates

Restart your computer and post a new log.
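The triage applied to both logs in this thread follows a small set of rules, and it is worth writing them down so the same checks can be run over any HijackThis log. The script below is an added example, not code from the forum, from the helper, or from HijackThis itself. It runs over a constructed excerpt (lines copied from the second log above) and flags the classes of entry the replies singled out: the F2 UserInit value with a second executable appended after userinit.exe, O2/O3 entries whose DLL is gone or that live under Downloaded Program Files, O4 Run entries that use rundll32 to load a DLL from outside the Windows directory, and O16 ActiveX packages from hosts outside an allowlist. The allowlist and the two heuristics are assumptions made for the example, not a vetted signature set.

```python
"""Triage rules for a HijackThis log, modelled on this thread's replies.
Added example; not code from the forum or from HijackThis itself."""
import re
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "section severity detail")

# Assumption for the example: download hosts the helper left alone in the log.
TRUSTED_DPF_HOSTS = {
    "download.microsoft.com", "download.macromedia.com", "messenger.msn.com",
    "download.yahoo.com", "us.dl1.yimg.com", "www2.incredimail.com",
}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DLL_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^",]+\.dll)', re.IGNORECASE)

# Constructed excerpt: lines copied from the second log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: MyQuickSearch Search Assistant BHO - {04011C11-2F3B-44ed-977C-270CA669C6B2} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O3 - Toolbar: (no name) - {DE4C3BE4-5394-4AA2-8752-863A9799B41B} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CDTInc/bridge.cab
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00726/sb027.cab
"""


def check_userinit(body):
    """F2: Winlogon runs every comma-separated program in Userinit at logon."""
    m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return None
    progs = [p.strip() for p in m.group(1).split(",") if p.strip()]
    extra = [p for p in progs if not p.lower().endswith("\\userinit.exe")]
    if extra:
        return Finding("F2", "high", "runs at every logon before the shell: " + "; ".join(extra))
    return None


def check_bho_toolbar(section, body):
    """O2/O3: orphaned CLSIDs, and DLLs that arrived as an ActiveX download."""
    m = CLSID_RE.search(body)
    label = m.group(0) if m else body
    if "(no file)" in body:
        return Finding(section, "low", f"orphaned registration, DLL missing: {label}")
    # Assumed heuristic: a BHO/toolbar under Downloaded Program Files was
    # installed by an ActiveX package (bridge.dll, SbCIe027.dll in the thread).
    if "\\downloaded program files\\" in body.lower():
        return Finding(section, "medium", f"installed via ActiveX download: {label}")
    return None


def check_dpf(body):
    """O16: ActiveX packages Internet Explorer installed from these URLs."""
    url = body.rsplit(" - ", 1)[-1].strip()
    host = urlparse(url).hostname or ""
    if host not in TRUSTED_DPF_HOSTS:
        return Finding("O16", "medium", f"package from unreviewed host {host}: {url}")
    return None


def check_run_entry(body):
    """O4: assumed heuristic, rundll32 loading a DLL from outside the Windows
    directory (the way the WildTangent engine is started in the log)."""
    m = O4_RE.match(body)
    if not m or "rundll32" not in m.group("cmd").lower():
        return None
    dll = DLL_PATH_RE.search(m.group("cmd"))
    if dll and not dll.group(1).lower().startswith("c:\\windows"):
        return Finding("O4", "medium", f"[{m.group('name')}] rundll32 loads {dll.group(1)}")
    return None


def triage(log_text):
    """Apply the per-section checks to every 'Xn - ...' line of a log."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "F2":
            f = check_userinit(body)
        elif section in ("O2", "O3"):
            f = check_bho_toolbar(section, body)
        elif section == "O16":
            f = check_dpf(body)
        elif section == "O4":
            f = check_run_entry(body)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:3} {f.detail}")
```

The F2 line deserves the most attention of anything in the log: Winlogon starts every program listed in the Userinit value at logon, so an entry appended there runs before the desktop appears and survives a cleanup of the Run keys. When fixing it, `C:\WINDOWS\system32\userinit.exe,` must stay in place; an empty Userinit value leaves the account unable to load its shell.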
Bobbi Flekman
This topic is closed due to lack of activity.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Invision Power Board © 2001-2009 Invision Power Services, Inc.