Author Topic: trash (Read 1757 times)

labopp · « **on:** July 21, 2004, 21:44 »

hello
i am just about to trash my computer or throw it through the window, whichever's most efficient.
i dont know whats going on with it but it keeps acting up. being super slow, i think it's explorer which is screwing my whole cpu but i cant be sure. i already tried norton, the adaware, whole bunch of stuff, etc... i dont know how to reinstall IE cause i cant get rid of it. or is it something else?

basically i have to restart 20 times a day but as long i dont use explorer it seems to be fine. it just often bombs, or freezes, cant even see my desktop when it does that, almost as if it was low on ram.
anyway, this cpu needs help....
thanx in advance

Simon · « **Reply #1 on:** July 21, 2004, 22:19 »

Do you want to run Hijack This, and post the log on here? It definitely sounds like spyware, or a browser hijack of some sort. Have you tried Cool Web Shredder? The home page seems to be unavailable at the moment, but you should be able to download it from here, or do a Google search for 'CWShredder'.

labopp · « **Reply #2 on:** July 22, 2004, 00:42 »

thanx simon. here is the log.

Logfile of HijackThis v1.97.7
Scan saved at 07:41:26 PM, on 21/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\ClearSearch\Loader.exe
C:\Program Files\DelFin\PromulGate\PgMonitr.exe
C:\Program Files\ToPicks\Bin\Idhost.exe
C:\WINDOWS\SYSTEM32\ossproxy.exe
C:\Program Files\BTV\btv.exe
C:\WINDOWS\System32\nftueu.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ClearSearch\csAOLldr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alain\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939 - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4EB} - (no file)
O2 - BHO: (no name) - {63CF97E8-4133-438a-A831-CC9C6D47D673} - c:\Program Files\Reg2\Reg2.dll
O2 - BHO: (no name) - {665ACD90-4541-4836-9FE4-062386BB8F05} - (no file)
O2 - BHO: (no name) - {7371F073-AC0F-4b80-BB2F-96A488CEFB32} - c:\Program Files\Xmod\xm320.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\PDF6a10.dll
O2 - BHO: (no name) - {E0F0E0E1-5D45-11D4-BC00-2DCC73302D70} - C:\WINDOWS\SYSTEM32\cpr.dll (file missing)
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DCC73} - C:\WINDOWS\SYSTEM32\cpr.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\System32\tapicfg.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v2\se.EXE" /U
O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [OSSProxy] C:\WINDOWS\SYSTEM32\ossproxy.exe -boot
O4 - HKLM\..\Run: [Jreg] "C:\Program Files\Common Files\Java\Jreg2b.exe"
O4 - HKLM\..\Run: [BTV] C:\Program Files\BTV\btv.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\breg.exe"
O4 - HKLM\..\Run: [xgqvyalbx] C:\WINDOWS\System32\nftueu.exe
O4 - HKLM\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\Windows Registry Repair Pro.exe -X
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
O4 - HKLM\..\Run: [Sys Ren] C:\WINDOWS\SysRen.exe /S
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF6a10.dll
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: CUseeMe Conferencing Companion (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Pristine RTR Client - http://chat.pristine.com/rtr/PristineRTR.CAB
O16 - DPF: Sametime JNI Loader - http://chat.pristine.com/RTR/Packages/Sametime/STJNILoader.cab
O16 - DPF: Sametime JNI Loader ST30SP1 - http://chat.pristine.com/RTR/Packages/Sametime/3.0/STJNILoader.cab
O16 - DPF: Sametime Meeting Toolkit ST25 - http://chat.pristine.com/RTR/Packages/Sametime/STMeeting25.cab
O16 - DPF: Sametime Meeting Toolkit ST30SP1 - http://chat.pristine.com/RTR/Packages/Sametime/3.0/STMeeting.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} - http://www.cuworld.com/PIC/inner_pic/packages/CUworld.cab
O16 - DPF: {611CF77F-F7F5-4EA1-B979-667671326B4C} (MarketTrader - ETrade v243a) - http://etrade.bridge.com/etgmt_prd/java/gmtb_etrade_i.cab
O16 - DPF: {8C285F85-0DBD-11D3-8B37-00A02459FA0F} (CuWeb CuWebConf) - http://ic2.cuseeme.com/packages/cuweb.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37593.5615625
O16 - DPF: {B8037A22-5FE1-4CC3-B862-E644A521EE54} - http://www2.pristine.com/ESP/Install/1.56.0139/esp-install.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://203.199.200.61/ads/shareit/da/trans/SysUpd.CAB
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} (StarInstall Control) - http://install.serviceurl.de/StarInstall.ocx
O16 - DPF: {E93A06EF-ABD8-4FA5-96BF-968614B08531} (MarketTrader - Reuters v243b) - http://etrade.bridge.com/etgmt_prd/java/gmtb_bridge_i.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O19 - User stylesheet: C:\WINDOWS\Web\win.def (file missing)
O19 - User stylesheet: C:\WINDOWS\default.css (file missing) (HKLM)

Dack · « **Reply #3 on:** July 22, 2004, 09:25 »

Ouch! You will need to re-run HJT and select and fix the following entries (at least). After running reboot and post another HJT scan (in case any are missed)

Firstly though I would reboot in safe mode and re-run adaware then clear out any of these that are left.

Quote from: labopp on July 22, 2004, 00:42

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939 - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4EB} - (no file)
O2 - BHO: (no name) - {63CF97E8-4133-438a-A831-CC9C6D47D673} - c:\Program Files\Reg2\Reg2.dll
O2 - BHO: (no name) - {665ACD90-4541-4836-9FE4-062386BB8F05} - (no file)
O2 - BHO: (no name) - {7371F073-AC0F-4b80-BB2F-96A488CEFB32} - c:\Program Files\Xmod\xm320.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\PDF6a10.dll
O2 - BHO: (no name) - {E0F0E0E1-5D45-11D4-BC00-2DCC73302D70} - C:\WINDOWS\SYSTEM32\cpr.dll (file missing)
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DCC73} - C:\WINDOWS\SYSTEM32\cpr.dll (file missing)
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\System32\tapicfg.exe
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v2\se.EXE" /U
O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [OSSProxy] C:\WINDOWS\SYSTEM32\ossproxy.exe -boot
O4 - HKLM\..\Run: [Jreg] "C:\Program Files\Common Files\Java\Jreg2b.exe"
O4 - HKLM\..\Run: [BTV] C:\Program Files\BTV\btv.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\breg.exe"
O4 - HKLM\..\Run: [xgqvyalbx] C:\WINDOWS\System32\nftueu.exe
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://203.199.200.61/ads/shareit/da/trans/SysUpd.CAB
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} (StarInstall Control) - http://install.serviceurl.de/StarInstall.ocx
O19 - User stylesheet: C:\WINDOWS\Web\win.def (file missing)
O19 - User stylesheet: C:\WINDOWS\default.css (file missing) (HKLM)

here are a few others I have to check out but that should be a start - justr remember to fix them in Safe mode and with all Internet explorer windows shut.

I'll have a full look later (as I'm off to work now)

Simon · « **Reply #4 on:** July 22, 2004, 09:40 »

:mg: You've got so much crap in there, I'm surprised Internet Explorer runs at all! I don't know where to start with a list of things to fix, but I suggest an easier way might be to first download CWShredder, then go into Safe Mode (press F8 repeatedly while booting up) and run CWShredder, Ad Aware and Spybot, and see what they can get rid of. It's all the 'search' things that are causing the trouble.

When you've done that, do another Hijack This (HJT), and post it on here, so we can pick the bones out of what's left.

Just one thing, make sure you update Ad Aware and Spybot before running, or they won't do their jobs properly. Once you've cleaned your machine, get Spyware Blaster, which should help prevent future infestations. Hopefully the links below will be useful.

Ad Aware
Spybot S&D
Spyware Blaster
CWShredder

:damn: Beaten by the expert!

labopp · « **Reply #5 on:** July 22, 2004, 19:24 »

thanx dack and simon.
so i ran the adaware, spybot and the shredder in safe mode and here is the log i got after all this:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BTV\btv.exe
C:\WINDOWS\System32\nftueu.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Alain\Desktop\HijackThis.exe
C:\Program Files\Web_Rebates\WebRebates1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939 - (no file)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {63CF97E8-4133-438a-A831-CC9C6D47D673} - c:\Program Files\Reg2\Reg2.dll
O2 - BHO: (no name) - {665ACD90-4541-4836-9FE4-062386BB8F05} - (no file)
O2 - BHO: (no name) - {7371F073-AC0F-4b80-BB2F-96A488CEFB32} - c:\Program Files\Xmod\xm320.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\PDF6a10.dll
O2 - BHO: (no name) - {E0F0E0E1-5D45-11D4-BC00-2DCC73302D70} - C:\WINDOWS\SYSTEM32\cpr.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Jreg] "c:\Program Files\Common Files\Java\Jreg2b.exe"
O4 - HKLM\..\Run: [BTV] C:\Program Files\BTV\btv.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\breg.exe"
O4 - HKLM\..\Run: [xgqvyalbx] C:\WINDOWS\System32\nftueu.exe
O4 - HKLM\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\Windows Registry Repair Pro.exe -X
O4 - HKLM\..\Run: [Wast] C:\WINDOWS\wast2.exe 2
O4 - HKLM\..\Run: [Sys Ren] C:\WINDOWS\SysRen.exe /S
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF6a10.dll
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [t] "c:\Program Files\Common Files\Java\xclean.exe"
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: CUseeMe Conferencing Companion (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Pristine RTR Client - http://chat.pristine.com/rtr/PristineRTR.CAB
O16 - DPF: Sametime JNI Loader - http://chat.pristine.com/RTR/Packages/Sametime/STJNILoader.cab
O16 - DPF: Sametime JNI Loader ST30SP1 - http://chat.pristine.com/RTR/Packages/Sametime/3.0/STJNILoader.cab
O16 - DPF: Sametime Meeting Toolkit ST25 - http://chat.pristine.com/RTR/Packages/Sametime/STMeeting25.cab
O16 - DPF: Sametime Meeting Toolkit ST30SP1 - http://chat.pristine.com/RTR/Packages/Sametime/3.0/STMeeting.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} - http://www.cuworld.com/PIC/inner_pic/packages/CUworld.cab
O16 - DPF: {611CF77F-F7F5-4EA1-B979-667671326B4C} (MarketTrader - ETrade v243a) - http://etrade.bridge.com/etgmt_prd/java/gmtb_etrade_i.cab
O16 - DPF: {8C285F85-0DBD-11D3-8B37-00A02459FA0F} (CuWeb CuWebConf) - http://ic2.cuseeme.com/packages/cuweb.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37593.5615625
O16 - DPF: {B8037A22-5FE1-4CC3-B862-E644A521EE54} - http://www2.pristine.com/ESP/Install/1.56.0139/esp-install.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://install.serviceurl.de/StarInstall.ocx
O16 - DPF: {E93A06EF-ABD8-4FA5-96BF-968614B08531} (MarketTrader - Reuters v243b) - http://etrade.bridge.com/etgmt_prd/java/gmtb_bridge_i.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

Simon · « **Reply #6 on:** July 22, 2004, 19:57 »

OK, what you need to do now is, in HJT 'Fix' any of the items in the list Dack posted above, which are still in the new list. I can still see quite a lot! How much did Ad Aware and Spybot remove? You did remember to update them before running them, I hope!

When you've 'Fixed' the items in HJT, run Ad Aware and Spybot again, and hopefully you will be clean, then you can install Spyware Blaster to protect you in the future.

labopp · « **Reply #7 on:** July 22, 2004, 23:07 »

thanx simon
it seems to go better although when i run a hijack it still seems to show the same recurring ones. can i do anything to get rid of those?

Dack · « **Reply #8 on:** July 23, 2004, 00:20 »

You have got A *LOT* of spyware clogging up your system and each of them has a different way of removal

If we take each one at a time and go from there:

1. The TV media display spyware.
The link here tells you the steps required to remove it:
http://pestpatrol.com/pestinfo/t/tv_media_display.asp

2. The total velocity ZSearch.
http://pestpatrol.com/pestinfo/t/totalvelocity_zsearch.asp

3. The clearsearch spyware. The link for removal of that is:
http://pestpatrol.com/pestinfo/c/clearsearch.asp

4. SearchV
http://www.pestpatrol.com/PestInfo/s/searchv.asp

5. Websearch.
http://pestpatrol.com/pestinfo/w/websearch.asp

6. BTV Dialer.
http://pestpatrol.com/pestinfo/b/btv_dialer.asp

7. Flashtrack.
http://pestpatrol.com/pestinfo/f/flashtrack.asp

8. Adroar.
http://pestpatrol.com/pestinfo/a/adroar.asp

9. Webhancer.
http://pestpatrol.com/pestinfo/w/webhancer.asp

10. IPInsight.
http://pestpatrol.com/pestinfo/i/ipinsight.asp

If you do those and then repost a HJT log we can try and spot any others.

Due to current job/girlfriend in hospital/impending kiddywink I only get to post around 9am and 10pm at the moment. A simple way of finding if it's spyware or not is to take the HJT entry and search the pest patrol site for the name. The PDF6a10.dll and nftueu.exe entries are almost certainly spyware related and are probably created by one of the other bits of spyware.

I have to admit I am supprised that Adaware and Spybot didn't detect those in Safe mode.

(And do your windows updates, install a firewall, and try a different browser

)

Dack · « **Reply #9 on:** July 23, 2004, 00:43 »

One thing I would also add is it is worth downloading the Adaware reference file seperately in case one of the Spywares is blocking/faking access to the adaware site for the update.

labopp · « **Reply #10 on:** July 27, 2004, 21:51 »

ok
thank you so much guys

Author Topic: trash (Read 1757 times)

labopp

trash

Simon

Re:trash

labopp

Re:trash

Dack

Re:trash

Simon

Re:trash

labopp

Re:trash

Simon

Re:trash

labopp

Re:trash

Dack

Re:trash

Dack

Re:trash

labopp

Re:trash