SIXA Dialer


  • This topic is locked
8 replies to this topic

#1 KarmaCarmen


Posted 25 August 2005 - 08:55 PM

I have run Adware, Spydoctor AND Spybot, did not help, still have this stupid SIXA virus. I also ran the hijacker program (which I saw from another thread) and have posted it below.

I wanted to say THANK YOU for helping those of us who don't have a clue what the computer language says. It is incredibly kind of you to take the time to help fix these things.

Carmen.

PS: I do have Gator Wallet (which I realize is a form of spyware, etc. but it has never caused me much hassle aside from the pop ups), and I also have Kazaa on my computer, which also has never been a problem before. But if I need to I certainly will remove both programs....although I'd prefer not to.

Logfile of HijackThis v1.99.1
Scan saved at 7:50:46 PM, on 25/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\0pobhh6l.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\Personal Money Tree\personalmoneytree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\3web HiSpeed Dial-up\PropelAC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\3web HiSpeed Dial-up\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\3web\AFE.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\3web HiSpeed Dial-up\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [0pobhh6l] C:\WINDOWS\system32\0pobhh6l.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [PMT] C:\Program Files\Personal Money Tree\personalmoneytree.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\3web HiSpeed Dial-up\pac-addwl.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\3web HiSpeed Dial-up\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\3web HiSpeed Dial-up\pac-image.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124155761641
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

And once again, THANK YOU THANK YOU THANK YOU!!

#2 QuietFusion


Posted 27 August 2005 - 02:10 PM

First, press Ctrl+Alt+Delete and end the following task:
C:\WINDOWS\system32\0pobhh6l.exe


Close all your running programs, run Hijackthis and place a check next to the following.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\3web\AFE.dll
O4 - HKLM\..\Run: [0pobhh6l] C:\WINDOWS\system32\0pobhh6l.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll

Close all your internet browsers and click Fix in HijackThis.

Locate the following files and delete them.

File:
C:\WINDOWS\system32\0pobhh6l.exe
C:\WINDOWS\about.htm

Reboot once and post a fresh Hijackthis log in your thread.

#3 KarmaCarmen


Posted 28 August 2005 - 09:54 PM

Thank you thank you thank you, you have no idea how thankful I am.

I wasn't able to find c:\windows\about.htm, but I did find 2 files named Opobhh6l so I deleted those two. Then rebooted and here is the log. Thank you again. (PS: it continues to hijack my dialer).

Logfile of HijackThis v1.99.1
Scan saved at 8:47:07 PM, on 28/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\Personal Money Tree\personalmoneytree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Gator.com\Gator\Gator.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\3web HiSpeed Dial-up\PropelAC.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\3web HiSpeed Dial-up\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\3web\AFE.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\3web HiSpeed Dial-up\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [PMT] C:\Program Files\Personal Money Tree\personalmoneytree.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\3web HiSpeed Dial-up\pac-addwl.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\3web HiSpeed Dial-up\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\3web HiSpeed Dial-up\pac-image.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124155761641
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Edited by KarmaCarmen, 28 August 2005 - 11:17 PM.


#4 QuietFusion


Posted 29 August 2005 - 01:57 AM

Close all your running programs, run Hijackthis and place a check next to the following.

O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\3web\AFE.dll

Close all your internet browsers and click Fix in HijackThis.

Now locate the following folder and delete it.

Folder:
C:\Program Files\3web


Post a fresh Hijackthis log in your thread once complete.

#5 KarmaCarmen


Posted 29 August 2005 - 10:26 AM

Ummm, not to be a "pain" and question your greatness....but 3web is actually my internet provider. That is who my dialer is supposed to be dialing....do I still remove the file you've indicated?

I also apologize I didn't run my spybot, etc. before the last hijack log and I will do that for this next one.

#6 QuietFusion


Posted 29 August 2005 - 02:34 PM

No, don't remove it, sorry about that one.


Umm, do you have any anti-virus software? If not, we can try an online scan to see if that helps. Go to the following site and run their online virus scan and see if it finds anything.

http://housecall.antivirus.com/housecall/start_frame.asp

#7 KarmaCarmen


Posted 29 August 2005 - 09:58 PM

Okay, I ran Adware, Spybot, Spyware Doctor and my Trend Micro PC-cillin Internet Security. I went to the link you gave me, but I have the Trend virus program and it looked the same. Trend didn't find a thing and it was last updated yesterday and isn't showing any updates for today.

Let me know if you'd like me to run the link you provided but I'm not sure about installing the program as I already have PC Trend.

Well, here's the hijacker log again...hopefully you can see something..(fingers crossed).

Logfile of HijackThis v1.99.1
Scan saved at 8:48:34 PM, on 29/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\3web HiSpeed Dial-up\PropelAC.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Shockwave.com\House of Cards Solitaire\House of Cards Solitaire.exe
C:\Program Files\Shockwave.com\House of Cards Solitaire\House of Cards Solitaire.exe
C:\Program Files\3web\3web.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\3web HiSpeed Dial-up\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\3web\AFE.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\3web HiSpeed Dial-up\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [PMT] C:\Program Files\Personal Money Tree\personalmoneytree.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\3web HiSpeed Dial-up\pac-addwl.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\3web HiSpeed Dial-up\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\3web HiSpeed Dial-up\pac-image.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124155761641
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4642B214-0FB0-4823-8516-8ABDCFECFDCB}: NameServer = 209.197.128.2 209.195.95.95
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
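
Added example, not part of the original thread: a Python script for the check that each "post a fresh log" step is for, comparing an earlier HijackThis scan with a later one against the entries flagged in post #2. The sample text is abridged from the first and last logs posted above; the function names and report keys are this example's own.

```python
import re

# An entry line starts with a HijackThis section code (R0, O2, O4, O16, ...).
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Map normalized key -> original line for every entry line in a log.

    Header lines and the "Running processes" list do not match and are skipped.
    Keys are case-folded with whitespace collapsed, because Windows paths and
    registry names are case-insensitive.
    """
    entries = {}
    for raw in log_text.splitlines():
        line = " ".join(raw.split())
        if ENTRY_RE.match(line):
            entries[line.casefold()] = line
    return entries

def verify_fix(before_log, after_log, flagged_text):
    """Compare two scans against the entries that were checked for fixing."""
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    report = {"removed": [], "persists": [], "never_present": [], "new": []}
    for key, line in parse_entries(flagged_text).items():
        if key in after:
            report["persists"].append(line)
        elif key in before:
            report["removed"].append(line)
        else:
            report["never_present"].append(line)
    # Entries that first appear in the later scan need their own review.
    report["new"] = [line for key, line in after.items() if key not in before]
    return report

# Abridged from the log in post #1.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\3web\AFE.dll
O4 - HKLM\..\Run: [0pobhh6l] C:\WINDOWS\system32\0pobhh6l.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
"""
# Abridged from the log in post #7.
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\3web\AFE.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4642B214-0FB0-4823-8516-8ABDCFECFDCB}: NameServer = 209.197.128.2 209.195.95.95
"""
# The entries post #2 asked to check.
FLAGGED = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\3web\AFE.dll
O4 - HKLM\..\Run: [0pobhh6l] C:\WINDOWS\system32\0pobhh6l.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
"""

if __name__ == "__main__":
    for status, lines in verify_fix(BEFORE, AFTER, FLAGGED).items():
        for line in lines:
            print(f"{status:14} {line}")
```

On these samples the only flagged entry still present is the AFE.dll BHO that posts #5 and #6 decided to keep, and the O17 NameServer line is reported as new since the first scan.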

#8 KarmaCarmen


Posted 31 August 2005 - 11:40 AM

I got sick of my computer being hijacked so I snooped around and deleted a few folders I was pretty sure weren't anything I wanted/needed (ie: myweather, etc.) and I was online for 3 hours last night without any incident. I think I may have deleted the folder containing the virus....not 100% on that because I'm not even all that sure of what I got rid of...but I'm hoping all is well for now.

Thanks for all your help and I will post another post if the sixa starts dialing again.

#9 QuietFusion


Posted 05 September 2005 - 03:29 PM

That's probably the best thing to do to remove everything from the computer.
