
HJT Log - help remove spotresults & look2me

This topic is locked
13 replies to this topic

#1 T-bone77

  • Members
  • 49 posts

Posted 03 May 2004 - 01:35 AM

I've recently picked up some spyware including my browser going to spotresults.com when a webpage isn't found and look2me.com popping up a new browser window periodically. There may be other problems too though I think I've managed to clean a bit out with SpyBot and AdAware. Any help would be greatly appreciated! Here is my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 11:34:37 PM, on 5/2/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\UMCSTUB.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\system32\hidserv.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\pppoeservice.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\EnterNetDUN.Exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\TNGSD\BIN\TRIGGAG.EXE
C:\SxpInst\sxplog32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\ltmoh\Ltmoh.exe
C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe
C:\PROGRA~1\ProdINet\Bin\piaxorb.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\TNGSD\BIN\triggusr.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Nortel Networks\Extranet.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.intuit.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Intuit
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LtMoh] C:\PROGRA~1\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [NAV Live Update] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NetLink] netlink32.exe
O4 - HKLM\..\RunServices: [NetLink] netlink32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: IGMPv3 Lite Daemon.lnk = C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: RealGuide (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://cbaprojsvr1/TD/Spider80.ocx
O16 - DPF: {37775067-8350-11D4-A7DA-00C04F14FB69} (PVCS Tracker I-NET Client for MSIE) - http://cetracker.sd.intuit.com/trackdoc/trkpm660ie.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03...all/xscan53.cab
O16 - DPF: {8C28EFD7-767B-11D1-8400-000000000000} - http://ollie.bos.intuit.com/components/Brio.Insight.en.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.infuzer.com/IDC/client/player/isetup.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://atlasda1.bosptc.intuit.com:8013/jin...tor/oajinit.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7532.6494328704
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://mvnav2k/navmv/webinst/WebInst.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://vspan.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - http://eroom2.intuit.com:8081/eroomsetup/client.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E80EB7C-BFF3-473E-96F8-AADBB0FE5812}: NameServer = 172.19.22.27,172.17.128.48


#2 Guest_Plimsol_*

  • Guests

Posted 03 May 2004 - 11:09 AM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Just fix these
O4 - HKLM\..\Run: [NetLink] netlink32.exe
O4 - HKLM\..\RunServices: [NetLink] netlink32.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.infuzer.com/IDC/client/player/isetup.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://vspan.webex.com/client/latest/webex/ieatgpc.cab

Reboot your computer into Safe Mode and delete the following files:

Then delete these
c:\windows\system32\netlink32.exe or c:\windows\netlink32.exe or c:\windows\system\netlink32.exe


Reboot your computer to go back to normal mode and post a new log.

#3 T-bone77

  • Topic Starter
  • Members
  • 49 posts

Posted 03 May 2004 - 03:01 PM

Fixed files as directed. Was not able to find "netlink32.exe" in any of the directories you mentioned (actually, my subdirectory is winnt, not windows) and I was viewing all files, including system files. Here is my new log. Unfortunately, it seems that while I may have made some progress on the initial problems, I may have picked up a couple other problems in the interim (e.g. allaboutsearching has become a problem that I keep needing to remove).

-----------------------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 12:55:22 PM, on 5/3/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\UMCSTUB.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\system32\hidserv.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\pppoeservice.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\EnterNetDUN.Exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\TNGSD\BIN\TRIGGAG.EXE
C:\TNGSD\BIN\Asminstn.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\rundll32.exe
C:\SxpInst\sxplog32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\ltmoh\Ltmoh.exe
C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe
C:\PROGRA~1\ProdINet\Bin\piaxorb.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\TNGSD\BIN\triggusr.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\DvdMeowWeb\Body Program Five.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Intuit
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LtMoh] C:\PROGRA~1\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [NAV Live Update] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Stopwindow] C:\PROGRA~1\DvdMeowWeb\Body Program Five.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: IGMPv3 Lite Daemon.lnk = C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: RealGuide (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://cbaprojsvr1/TD/Spider80.ocx
O16 - DPF: {37775067-8350-11D4-A7DA-00C04F14FB69} (PVCS Tracker I-NET Client for MSIE) - http://cetracker.sd.intuit.com/trackdoc/trkpm660ie.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03...all/xscan53.cab
O16 - DPF: {8C28EFD7-767B-11D1-8400-000000000000} - http://ollie.bos.intuit.com/components/Brio.Insight.en.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://atlasda1.bosptc.intuit.com:8013/jin...tor/oajinit.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7532.6494328704
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://mvnav2k/navmv/webinst/WebInst.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - http://eroom2.intuit.com:8081/eroomsetup/client.cab

#4 Guest_Plimsol_*

  • Guests

Posted 03 May 2004 - 04:33 PM

Fix these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)


Reboot into safe mode and delete:

C:\WINNT\twaintec.dll
C:\PROGRA~1\Toolbar\
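Plimsol is working through the successive logs by eye, spotting which entries appeared or vanished between posts (the NetLink autoruns gone, the twaintec.dll BHO and the Toolbar search hijack new). The script below is an added example, not part of this thread and not HijackThis's own code: it parses the line shapes visible in these logs (R0/R1 Internet Explorer registry values, O2/O3 BHOs and toolbars, O4 autoruns, O16 downloaded ActiveX controls) and diffs two logs so that new and disappeared entries stand out. The sample logs are constructed subsets of the first two logs posted above; the regular expressions are my reading of the 1.97-era line format and are an assumption, not a HijackThis specification.

```python
"""Parse HijackThis (v1.97-era) log lines and diff two logs.

Added example for this thread; not HijackThis code. The patterns below are
written from the line shapes visible in the logs posted above and are an
assumption about the format; lines they do not match are kept as raw text.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the first log posted in the thread ...
LOG_A = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.intuit.com/
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [NetLink] netlink32.exe
O4 - HKLM\..\RunServices: [NetLink] netlink32.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
"""

# ... and a subset of the second log, taken after the first round of fixes.
LOG_B = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [Stopwindow] C:\PROGRA~1\DvdMeowWeb\Body Program Five.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
"""

# Every HijackThis finding starts with a section code (R0, F2, O4, O16, ...).
LINE_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")

ENTRY_PATTERNS = [
    # O4 autorun from a registry Run key:  O4 - HKLM\..\Run: [Name] command
    re.compile(r"^O4 - (?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$"),
    # O4 autorun from a Startup folder:    O4 - Global Startup: X.lnk = path
    re.compile(r"^O4 - (?P<location>(?:Global )?Startup): (?P<name>.+?) = (?P<command>.*)$"),
    # O16 downloaded ActiveX control:      O16 - DPF: {CLSID} (label) - url
    re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<label>[^)]*)\))? - (?P<url>\S+)$"),
    # O2 BHO / O3 toolbar:                 O3 - Toolbar: label - {CLSID} - path
    re.compile(r"^O[23] - (?P<kind>BHO|Toolbar): (?P<label>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    # R0/R1 IE registry value:             R0 - HKCU\key,value = data
    re.compile(r"^R[01] - (?P<hive>HKCU|HKLM)\\(?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$"),
]


@dataclass
class HjtEntry:
    code: str                                   # section code, e.g. R0, F2, O4, O16
    raw: str                                    # the line as HijackThis printed it
    fields: dict = field(default_factory=dict)  # parsed parts; empty if no pattern matched


def parse_line(line: str):
    """Return an HjtEntry for a finding line, or None for headers, process paths and blanks."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = HjtEntry(code=m.group("code"), raw=line)
    for pattern in ENTRY_PATTERNS:
        pm = pattern.match(line)
        if pm:
            entry.fields = {k: v for k, v in pm.groupdict().items() if v is not None}
            break
    return entry


def parse_log(text: str):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def diff_logs(baseline: str, later: str):
    """Entries only in the later log (added) and entries gone from the baseline (removed)."""
    base = {e.raw: e for e in parse_log(baseline)}
    new = {e.raw: e for e in parse_log(later)}
    added = [e for raw, e in new.items() if raw not in base]
    removed = [e for raw, e in base.items() if raw not in new]
    return added, removed


def describe(entry: HjtEntry) -> str:
    """One-line summary built from the parsed fields; falls back to the raw line."""
    f = entry.fields
    if entry.code == "O4" and f:
        return f"O4 autorun [{f['name']}] in {f['location']} -> {f['command']}"
    if entry.code == "O16" and f:
        return f"O16 ActiveX {f['clsid']} ({f.get('label', 'unnamed')}) from {f['url']}"
    if entry.code in ("O2", "O3") and f:
        return f"{entry.code} {f['kind']} {f['label']} {f['clsid']} -> {f['path']}"
    if entry.code in ("R0", "R1") and f:
        return f"{entry.code} {f['hive']}\\{f['key']},{f['value']} = {f['data'] or '(empty)'}"
    return entry.raw


def report(baseline: str, later: str):
    """'+' lines for entries that appeared, '-' lines for entries that disappeared."""
    added, removed = diff_logs(baseline, later)
    return [f"+ {describe(e)}" for e in added] + [f"- {describe(e)}" for e in removed]


if __name__ == "__main__":
    for line in report(LOG_A, LOG_B):
        print(line)
```

Run against the two constructed logs, the report lists the six entries that appeared after the first round of fixes (the two Toolbar search values, the missing URLSearchHook, the twaintec.dll BHO, the nameless toolbar and the Stopwindow autorun) and the four that disappeared (the old start page, both NetLink autoruns and the bundleware ActiveX control). Only the finding lines are compared; the process list at the top of a HijackThis log changes with whatever happens to be open and is deliberately ignored.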

#5 T-bone77

  • Topic Starter
  • Members
  • 49 posts

Posted 03 May 2004 - 05:46 PM

Thanks. I was unable to find "twaintec.dll" in C:\WINNT though I did find "twain.dll", "twain_32.dll", and "twaintec.ini". I did NOT delete any of them at this time. Here's my latest logfile. Looks like I see allaboutsearching.com still hanging around at a minimum.

--------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 3:41:50 PM, on 5/3/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\UMCSTUB.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\system32\hidserv.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\pppoeservice.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\EnterNetDUN.Exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\TNGSD\BIN\TRIGGAG.EXE
C:\WINNT\system32\rundll32.exe
C:\SxpInst\sxplog32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\ltmoh\Ltmoh.exe
C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe
C:\PROGRA~1\ProdINet\Bin\piaxorb.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\TNGSD\BIN\triggusr.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\DvdMeowWeb\Body Program Five.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/i...?http://inside/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Intuit
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LtMoh] C:\PROGRA~1\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [NAV Live Update] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Stopwindow] C:\PROGRA~1\DvdMeowWeb\Body Program Five.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: IGMPv3 Lite Daemon.lnk = C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: RealGuide (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://cbaprojsvr1/TD/Spider80.ocx
O16 - DPF: {37775067-8350-11D4-A7DA-00C04F14FB69} (PVCS Tracker I-NET Client for MSIE) - http://cetracker.sd.intuit.com/trackdoc/trkpm660ie.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03...all/xscan53.cab
O16 - DPF: {8C28EFD7-767B-11D1-8400-000000000000} - http://ollie.bos.intuit.com/components/Brio.Insight.en.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://atlasda1.bosptc.intuit.com:8013/jin...tor/oajinit.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7532.6494328704
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://mvnav2k/navmv/webinst/WebInst.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - http://eroom2.intuit.com:8081/eroomsetup/client.cab

#6 Guest_Plimsol_*

  • Guests

Posted 03 May 2004 - 06:19 PM

I apologize. I missed a blatant one (the ~2.exe):

Fix these
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/i...?http://inside/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NAV Live Update] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\~2.EXE

Not sure what these two below are. You can be safe and remove them, and they should install again if they are legitimate and you visit the site that you got them from.
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://cbaprojsvr1/TD/Spider80.ocx
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://mvnav2k/navmv/webinst/WebInst.cab

#7 T-bone77

  • Topic Starter
  • Members
  • 49 posts

Posted 04 May 2004 - 01:30 AM

Thanks Plimsol, I think we're getting close. Unfortunately as you can see from the attached log, allaboutsearching keeps coming back when I reboot. I'm not sure if this is what sends me occasionally to spotresults.com or if it's something else but that is still happening. Any more advice?

---------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 11:25:40 PM, on 5/3/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\UMCSTUB.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\system32\hidserv.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\pppoeservice.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\EnterNetDUN.Exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\TNGSD\BIN\TRIGGAG.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\svchost.exe
C:\SxpInst\sxplog32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\ltmoh\Ltmoh.exe
C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe
C:\PROGRA~1\ProdINet\Bin\piaxorb.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\TNGSD\BIN\triggusr.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\DvdMeowWeb\Body Program Five.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe
C:\TNGAM\Agents\umclisvc.exe
C:\TNGAM\Agents\INOVW32.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/i...?http://inside/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Intuit
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LtMoh] C:\PROGRA~1\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Stopwindow] C:\PROGRA~1\DvdMeowWeb\Body Program Five.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: IGMPv3 Lite Daemon.lnk = C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: RealGuide (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://cbaprojsvr1/TD/Spider80.ocx
O16 - DPF: {37775067-8350-11D4-A7DA-00C04F14FB69} (PVCS Tracker I-NET Client for MSIE) - http://cetracker.sd.intuit.com/trackdoc/trkpm660ie.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03...all/xscan53.cab
O16 - DPF: {8C28EFD7-767B-11D1-8400-000000000000} - http://ollie.bos.intuit.com/components/Brio.Insight.en.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://atlasda1.bosptc.intuit.com:8013/jin...tor/oajinit.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7532.6494328704
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://mvnav2k/navmv/webinst/WebInst.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - http://eroom2.intuit.com:8081/eroomsetup/client.cab

#8 Guest_Plimsol_*

Guest_Plimsol_*

  • Guests
  • OFFLINE

Posted 04 May 2004 - 12:15 PM

Reboot into safe mode and fix the below entries with HijackThis. Tell us how it goes after.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/i...?http://inside/
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://cbaprojsvr1/TD/Spider80.ocx
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://mvnav2k/navmv/webinst/WebInst.cab

#9 JEservices

JEservices

    helping hand


  • Members
  • 1,700 posts
  • OFFLINE
  • Location:Texas
  • Local time:07:46 PM

Posted 04 May 2004 - 12:23 PM

Not sure if System restore is in 2000, but if it is, then you need to disable it. I know that in XP, if you try to remove some nasties, they like to reside there...
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.

#10 T-bone77

T-bone77
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE

Posted 04 May 2004 - 03:16 PM

After fixing in Safe Mode and rebooting, allaboutsearching returns. I don't know that it is affecting me much other than that I know big brother is watching. Log attached.
---------------------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 1:12:01 PM, on 5/4/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\UMCSTUB.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\system32\hidserv.exe
C:\WINNT\LogWatNT.exe
C:\Program Files\NavNT\rtvscan.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\pppoeservice.exe
C:\PROGRA~1\Prodigy\PRODIG~1\app\EnterNetDUN.Exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\TNGSD\BIN\TRIGGAG.EXE
C:\WINNT\system32\rundll32.exe
C:\SxpInst\sxplog32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\ltmoh\Ltmoh.exe
C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe
C:\PROGRA~1\ProdINet\Bin\piaxorb.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\TNGSD\BIN\triggusr.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRA~1\DvdMeowWeb\Body Program Five.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\HJT\HijackThis.exe
C:\Program Files\Microsoft Broadband Networking\MSBNUpdate.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/i...?http://inside/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Intuit
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LtMoh] C:\PROGRA~1\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRA~1\ProdINet\Bin\PiDunHk.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Stopwindow] C:\PROGRA~1\DvdMeowWeb\Body Program Five.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: IGMPv3 Lite Daemon.lnk = C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: RealGuide (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {37775067-8350-11D4-A7DA-00C04F14FB69} (PVCS Tracker I-NET Client for MSIE) - http://cetracker.sd.intuit.com/trackdoc/trkpm660ie.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03...all/xscan53.cab
O16 - DPF: {8C28EFD7-767B-11D1-8400-000000000000} - http://ollie.bos.intuit.com/components/Brio.Insight.en.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://atlasda1.bosptc.intuit.com:8013/jin...tor/oajinit.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7532.6494328704
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - http://eroom2.intuit.com:8081/eroomsetup/client.cab

#11 Guest_Plimsol_*

Guest_Plimsol_*

  • Guests
  • OFFLINE

Posted 04 May 2004 - 05:08 PM

Do you have any need for those Intuit downloaded files?

If not get rid of these with HijackThis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/i...?http://inside/
O16 - DPF: {37775067-8350-11D4-A7DA-00C04F14FB69} (PVCS Tracker I-NET Client for MSIE) - http://cetracker.sd.intuit.com/trackdoc/trkpm660ie.cab
O16 - DPF: {8C28EFD7-767B-11D1-8400-000000000000} - http://ollie.bos.intuit.com/components/Brio.Insight.en.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://atlasda1.bosptc.intuit.com:8013/jin...tor/oajinit.exe
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - http://eroom2.intuit.com:8081/eroomsetup/client.cab
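A small triage helper for this kind of log, added here as an example and not code from the thread or from HijackThis: it parses R0 and O16 lines of the format above and flags the same classes of entry Plimsol picked out, a start page routed through an unexpected host and O16 DPF downloads from single-label (intranet-style) or unrecognised hosts. The trusted-vendor list, the expected intranet start page "inside" and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the HijackThis v1.97.7 lines quoted in this
# thread (the forum software shortened long URLs to "...", kept as shown).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://allaboutsearching.com/passthrough/i...?http://inside/
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {205E7068-6D03-4566-AD06-A146B592FBA5} (Loader Class v2) - http://cbaprojsvr1/TD/Spider80.ocx
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://mvnav2k/navmv/webinst/WebInst.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - http://eroom2.intuit.com:8081/eroomsetup/client.cab
"""

# Assumed allow-lists for the example: vendors whose ActiveX downloads the
# analyst accepts, and the intranet start page the hijacker wrapped ("inside").
TRUSTED_SUFFIXES = ("macromedia.com", "microsoft.com", "msn.com", "google.com")
EXPECTED_START_HOSTS = {"inside"}

R0_RE = re.compile(r"^R0 - .*Start Page = (\S+)")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) (?:\((.*?)\) )?- (\S+)")


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def triage(log_text):
    """Return (line_no, reason) for every R0/O16 entry worth a second look."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = R0_RE.match(line)
        if m:
            host = _host(m.group(1))
            if host not in EXPECTED_START_HOSTS and not _trusted(host):
                findings.append((n, f"start page redirected through {host}"))
            continue
        m = O16_RE.match(line)
        if m:
            host = _host(m.group(3))
            if "." not in host:  # bare hostname: intranet server or spoofed name
                findings.append((n, f"O16 control from single-label host {host!r}"))
            elif not _trusted(host):
                findings.append((n, f"O16 control from unrecognised host {host}"))
    return findings


if __name__ == "__main__":
    for n, why in triage(SAMPLE_LOG):
        print(f"line {n}: {why}")
```

Entries from a recognised vendor (the Shockwave line) produce no finding; the intuit.com entries are reported so the user can decide, as Plimsol asked, whether they are still needed.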

#12 T-bone77

T-bone77
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 05 May 2004 - 08:54 PM

Getting rid of 1 or 2 of those remaining files plus finding a utility to remove lop.com seems to have done the trick though I'll keep my eye on it for the next few days to make sure I got everything off. Thanks so much for the help!

#13 T-bone77

T-bone77
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE

Posted 14 May 2004 - 08:38 PM

Just to follow up - it's been 9 days and all symptoms seem to have gone away. Thanks again for all the help!

#14 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,663 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:46 PM

Posted 14 May 2004 - 10:05 PM

Hi T-Bone. Glad to hear you're doing well.

finding a utility to remove lop.com seems to have done the trick


Could you be so kind as to tell what that utility was? Got a link for it?

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan
