Cannot Remove Hijacker, probably Coolwww


  • This topic is locked
7 replies to this topic

#1 huskeyja

huskeyja

  • Members
  • 7 posts

Posted 16 June 2004 - 08:07 AM

I'm betting someone here can help me fix this. Browser hijacked, ran AdAware 6.181, BHO Demon, Webroot SpySweeper, Spybot s&d, finally HijackThis. Ran stuff in regular and safe mode. Hijacker, probably CoolWWW (Sweeper keeps finding it) keeps coming back. Haven't yet tried turning off system restore (XP Home). Have all XP critical updates. Media Player was disabled; I reinstalled and updated. Currently BHO and Spybot are helping me stop homepage change with some mouse clicks, but I want to completely clean it off. CWShredder doesn't detect it. I've also deleted suspect DLLs and .exe files in safe mode; some come back renamed in the hijack, except for C:\WINDOWS\system32\d3vj32.exe, which comes back the same. The apparent uninstaller in Add/Remove Programs is Home Search Assistant, but all it does is call up a web page. Can somebody (smarter than me!) help me by analyzing the HijackThis log below and telling me what else to fix? I've "fixed" the things that I know won't kill me already:

Logfile of HijackThis v1.97.7
Scan saved at 5:38:51 AM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
H:\Program Files\Trend Micro\Internet Security\pccguide.exe
H:\Program Files\Trend Micro\Internet Security\PCClient.exe
H:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINDOWS\system32\d3vj32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
H:\Program Files\microsoft office\Office\FINDFAST.EXE
H:\Program Files\microsoft office\Office\OSA.EXE
C:\Program Files\BHODemon\BHODemon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
H:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
H:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\system32\syslr.exe
H:\Program Files\Trend Micro\Internet Security\PccPfw.exe
F:\My Documents\Dad\Program downloads\Hijack this\hijackthis1977\HijackThis.exe
C:\WINDOWS\System32\notepad.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B81B06F6-5EC4-55AF-F6BE-70DA417086A8} - C:\WINDOWS\system32\iewx32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\creative\sblive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [pccguide.exe] "H:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "H:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "H:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [d3vj32.exe] C:\WINDOWS\system32\d3vj32.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Microsoft Find Fast.lnk = H:\Program Files\microsoft office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = H:\Program Files\microsoft office\Office\OSA.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8078.7310185185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

Thank you very much for any help you can give me. I'd really like to avoid the format/reinstall XP solution. - Navy Senior Chief

#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts

Posted 16 June 2004 - 01:09 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click scan, and put a checkmark next to each of these. Then click the Fix button.

O2 - BHO: (no name) - {B81B06F6-5EC4-55AF-F6BE-70DA417086A8} - C:\WINDOWS\system32\iewx32.dll
O4 - HKLM\..\Run: [d3vj32.exe] C:\WINDOWS\system32\d3vj32.exe

Then delete these files or directories if they exist (don't be surprised if iewx32.dll does not):
C:\WINDOWS\system32\iewx32.dll
C:\WINDOWS\system32\d3vj32.exe

Disable System Restore. You can find instructions on how to enable and reenable system restore here:

Managing Windows Millennium System Restore
or

Windows XP System Restore Guide

Re-enable System Restore with the instructions from the tutorial above.

Reboot your computer to go back to normal mode and post a new log.

#3 huskeyja

huskeyja
  • Topic Starter

  • Members
  • 7 posts

Posted 17 June 2004 - 06:48 AM

I ran all/did all you suggested. I moved HJT and CWShredder to C: and ran them. I also scanned from Panda and RAV AV, which found an infected OE identity file (Netsky.Pmm) that I don't use, so I deleted it. Ran Trend's latest update, found TROJ_EMT.A in c:\windows\updreg.exe, quarantined it. I ran TDS-3, which cannot find any trojans, but it reports Port 5000 as open. I don't know what this means!

The hijacker seems to run randomly, but it runs consistently. Please note that I have Spybot running, which gives me my choice of preventing registry changes the malware is causing, which I do. CW Shredder only found 2 iexplore traces, I removed and repeated, then none. SpyBot S&D found the DSO thing. AdAware found CoolWebSearch and cleaned. Doesn't seem to matter, as you'll see from my HJT log below. The malware simply changes file names and goes on. I've been through this about five times now.

One more thing: I have uninstallers listed in Add/Remove Programs for Search Extender, Home Search Assistant and Shopping Wizard. All try to launch http://looking-for.cc/uninstall/(their name.html), which refuses to load. I think if I can get these things uninstalled, I'd be okay.

It will only take about two more hours of this before I punt, wipe the hard drive and reinstall the whole shootin' match. Thanks again for your help with this!!

Logfile of HijackThis v1.97.7
Scan saved at 9:55:21 PM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
H:\Program Files\Trend Micro\Internet Security\pccguide.exe
H:\Program Files\Trend Micro\Internet Security\PCClient.exe
H:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINDOWS\system32\syssn.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\microsoft office\Office\FINDFAST.EXE
H:\Program Files\microsoft office\Office\OSA.EXE
C:\Program Files\BHODemon\BHODemon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
H:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
H:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\system32\atlyr.exe
H:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Hijack this\hijackthis1977\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8D1DC95E-3145-B4D6-7B78-BD7EBCDB10B3} - C:\WINDOWS\addcn32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\creative\sblive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [pccguide.exe] "H:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "H:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "H:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [syssn.exe] C:\WINDOWS\system32\syssn.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Microsoft Find Fast.lnk = H:\Program Files\microsoft office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = H:\Program Files\microsoft office\Office\OSA.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downl...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8078.7310185185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pu...ash/swflash.cab
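
The pattern described in the post above (file names change between scans while the same startup slots stay occupied) can be surfaced by diffing two HijackThis logs. This is an added example, not part of the original thread or of HijackThis; the function names `parse` and `churn` and the grouping rule are assumptions made here, and the sample input is a shortened excerpt of the first two logs in this thread.

```python
import ntpath
import re
from collections import defaultdict

# Sample input: shortened excerpts of the first and second HijackThis logs
# posted in this thread (lines copied from the logs, most entries omitted).
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\d3vj32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\syslr.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B81B06F6-5EC4-55AF-F6BE-70DA417086A8} - C:\WINDOWS\system32\iewx32.dll
O4 - HKLM\..\Run: [d3vj32.exe] C:\WINDOWS\system32\d3vj32.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\syssn.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\atlyr.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8D1DC95E-3145-B4D6-7B78-BD7EBCDB10B3} - C:\WINDOWS\addcn32.dll
O4 - HKLM\..\Run: [syssn.exe] C:\WINDOWS\system32\syssn.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# "O4 - HKLM\..\Run: [name] path" -> group "O4 - HKLM\..\Run", value "[name] path"
ENTRY = re.compile(r"^(O\d+ - [^:]+): (.*)$")

def parse(log):
    """Return {group: set(values)} for running processes and O-entries."""
    groups, in_procs = defaultdict(set), False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            folder, name = ntpath.split(line)   # Windows paths on any OS
            groups["process in " + folder.lower()].add(name.lower())
        else:
            m = ENTRY.match(line)
            if m:
                groups[m.group(1)].add(m.group(2))
    return groups

def churn(before, after):
    """Groups where entries vanished AND new ones appeared between scans."""
    a, b = parse(before), parse(after)
    report = {}
    for group in sorted(set(a) | set(b)):
        # Pure additions (e.g. a newly installed tool) are not reported.
        gone, new = a[group] - b[group], b[group] - a[group]
        if gone and new:
            report[group] = {"gone": sorted(gone), "new": sorted(new)}
    return report

if __name__ == "__main__":
    for group, delta in churn(LOG_BEFORE, LOG_AFTER).items():
        print(group, delta)
```

On this excerpt the report lists the BHO slot, the HKLM Run key and the system32 process list, while the newly added TeaTimer entries are left out because nothing disappeared alongside them.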

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts

Posted 17 June 2004 - 12:21 PM

Can't tell for certain but I am pretty sure I know which one you have. Please follow these instructions:

Please do not open Internet Explorer during any portion of this process.

Step 1:


Click on start, then control panel, then administrative programs, then services. Look for a service called Network Security Service. Double click on that service and click stop. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

Step 2:
Press control-alt-delete to get into the task manager and end the following processes if they exist:

apikt.exe (prob the name of the file from the service above)
apind.exe

Step 3:
I now need you to delete the following files:

C:\WINDOWS\addcn32.dll
C:\WINDOWS\addcn32.exe
C:\WINDOWS\system32\syssn.exe
C:\WINDOWS\system32\atlyr.exe
The file from the services above.

If you see dll files with the same name, such as syssn.dll or atlyr.dll, you can delete those as well.

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

Step 4:
Then run hijackthis and fix these entries:

O2 - BHO: (no name) - {8D1DC95E-3145-B4D6-7B78-BD7EBCDB10B3} - C:\WINDOWS\addcn32.dll
O4 - HKLM\..\Run: [syssn.exe] C:\WINDOWS\system32\syssn.exe


Reboot your computer and post a new log.

#5 huskeyja

huskeyja
  • Topic Starter

  • Members
  • 7 posts

Posted 17 June 2004 - 03:40 PM

I did it. Log looks good now. Should I turn off my spybot shield and see how life turns out? Up until now, it still reports something trying to add a BHO to my registry, but (fingers crossed) it hasn't reported it since I rebooted. Here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 4:36:58 PM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
H:\Program Files\Trend Micro\Internet Security\pccguide.exe
H:\Program Files\Trend Micro\Internet Security\PCClient.exe
H:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\microsoft office\Office\FINDFAST.EXE
H:\Program Files\microsoft office\Office\OSA.EXE
C:\Program Files\BHODemon\BHODemon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
H:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
H:\Program Files\Trend Micro\Internet Security\tmproxy.exe
H:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Hijack this\hijackthis1977\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\creative\sblive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [pccguide.exe] "H:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "H:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "H:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Microsoft Find Fast.lnk = H:\Program Files\microsoft office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = H:\Program Files\microsoft office\Office\OSA.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8078.7310185185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts

Posted 17 June 2004 - 03:42 PM

Yeah, the log looks great. I would keep the shield up. Spybot will tell you if it tries, so you should be good to go :thumbsup:

#7 huskeyja

huskeyja
  • Topic Starter

  • Members
  • 7 posts

Posted 18 June 2004 - 06:09 AM

Grinler, I want to thank you for all your help. Here's the final summary of this situation, all seems clean. In case it can help anybody, this is what was found and how it was solved:

- I tried your suggestions: stopped Network Security Service, deleted the file it pointed to (atlyr.exe) and the latest drop from the malware in the O4 section of HijackThis log (System32/syssn.exe). I also deleted apind.exe.
- I changed AdAware to deeper search settings and ran it in safe mode. It found about 18 problems and cleaned them, involving iSearch Toolbar and CoolWebSearch.
- Finally, I ran TDS-3, which found 39 alarms related to dat and dll files from the above malware, and deleted them all. Problem solved. Here's the new Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 3:49:11 PM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
H:\Program Files\Trend Micro\Internet Security\pccguide.exe
H:\Program Files\Trend Micro\Internet Security\PCClient.exe
H:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\microsoft office\Office\FINDFAST.EXE
H:\Program Files\microsoft office\Office\OSA.EXE
C:\Program Files\BHODemon\BHODemon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
H:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
H:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\system32\atlyr.exe
C:\Hijack this\hijackthis1977\HijackThis.exe
H:\Program Files\Trend Micro\Internet Security\PccPfw.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\creative\sblive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [pccguide.exe] "H:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "H:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "H:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Microsoft Find Fast.lnk = H:\Program Files\microsoft office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = H:\Program Files\microsoft office\Office\OSA.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8078.7310185185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

Many thanks to Grinler for all your help. Are donations appropriate? Jim

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts

Posted 18 June 2004 - 10:07 AM

This log looks nice and clean. Great job on the extra cleanup.

Donations are always welcomed but not necessary :thumbsup: We are here to serve.



