djmcc795
dc1.exe, dc2.exe
Hmm, well, there seems to be a lot. I guess I'll start with what I noticed, then give you the HijackThis log.
As of now, Norton is recognizing dc1.exe and dc2.exe in C:\RECYCLER\S-1-5-21-1123561945-963894560-839522115-500\
I have XP Professional.
I took it upon myself to clean something HijackThis found as start page _bak or something; it was listed as Squire, I believe, which I recognized as spyware. Other than that I didn't touch any of the other keys.
A while back I had problems with Squire, maybe, and some other stuff that seems to have just disappeared. Recently my wireless connection has been behaving strangely, even sending my AIM conversations to the computer downstairs, so I figured I may have a corrupt trojan horse or something. I ran Norton 2004 and it got rid of some files, which seems to have fixed my connection now, maybe; it was oscillating terribly.
Logfile of HijackThis v1.97.7
Scan saved at 7:36:38 PM, on 12/21/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\U.S. Robotics 802.11g WLAN\USRWLANG.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\DJMCC795\Desktop\New Folder (4)\hijackthis\HijackThis.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\regedit.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 200.204.78.203 go.icq.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: U.S. Robotics 802.11g Wireless Network Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11b3ccf991cec707b221/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.3907060185
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
I think I can point out a few problems, but I just wanted to be sure. And if you can solve this for me, could I ask another one? I have a real task for you for my dad's comp.
ASKER
Yeah, those were the ones I was gonna hit. I'm sure that fixed something, but dc1.exe and dc2.exe are still there. Norton calls them Adware.BargainBuddy and Adware.CommonName, respectively, but the guides offer no help on removing them:
http://securityresponse.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=39458
http://securityresponse.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=39454
Removing this
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
should take care of your problem.
ASKER
Yeah, I did:
Logfile of HijackThis v1.97.7
Scan saved at 9:03:32 PM, on 12/21/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\U.S. Robotics 802.11g WLAN\USRWLANG.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DJMCC795\Desktop\New Folder (4)\hijackthis\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: U.S. Robotics 802.11g Wireless Network Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11b3ccf991cec707b221/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.3907060185
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
HT log file looks clean. :) Need any more help? If the problem is solved, will you accept my comment as the answer?
ASKER
dc1.exe and dc2.exe are still there
ASKER
C:\RECYCLER\S-1-5-21-1123561945-963894560-839522115-500\
dc1.exe is associated with a downloader program. Follow the instruction here to get rid of it
http://www.pestpatrol.com/PestInfo/B/Backweb.asp
ASKER
None of those files were found:
backwebserv.exe
dc1.exe
dc10.hlp
dc6.r
Iadhide3.dll
DLGLI.EXE
\program files\BackWeb\
Nor are any of the listed processes running in Task Manager; the only time I see dc1 and 2 is when I run a Norton full system scan.
Are they located in the System Restore files? If they are, you can disable System Restore, then re-enable, thus deleting the old restore files.
Run Housecall anti-virus scan. This scanner will delete the files.
http://housecall.antivirus.com
ASKER
I already disabled System Restore on all drives, and I ran Housecall afterwards earlier.
If you only disable system restore, then the old files are still on your computer. Re-enable system restore so that the new files will write over the old.
ASKER
Housecall didn't find anything, but Norton still got them: "The file C:\RECYCLER\S-1-5-21-1123561945-963894560-839522115-500\Dc1.exe is a Adware threat."
The folder Recycler is the NTFS equivalent of the "Recycled" folder on FAT32. The correct size of this folder is about 85 bytes! You can safely delete this folder - the next time you put something in the Recycle Bin and empty it, the folder will be re-created.
Are you using Norton's protected files or something like that? Unprotect the files and then you can delete it.
ASKER
Um, Norton by default had some "Norton Protected Recycle Bin", but I set it as the standard Recycle Bin. Under Options, then Advanced Tools, there are options for the Recycle Bin. When I go to 'Modify', there's a tab called "Norton Protection", heading: Protects files deleted from the command line prompt, and applications until the disk space is needed for other files. Protection is enabled on both my drives, C and Z, and there's a 7 day purge. There are three "system settings": Exclusions, Empty protected files, and Drive usage.
ASKER CERTIFIED SOLUTION
ASKER
still there :(
ASKER
I'm gonna try running Norton in XP safe mode.
ASKER
In safe mode Norton didn't even find the files.
ASKER
They're apparently gone now, who knows?
I have another question though, cuz my dad's computer has like 2 worms and 10s of thousands of infected files. Do I make another post? I don't think I have any points.
Looks like rebooting the computer with one of the solutions that I proposed fixed the problem.
On your Dad's computer, run the anti-virus and adware scanners that I had proposed. I will summarize them here:
Housecall Online Scan
http://housecall.antivirus.com
or
Symantec Security Check
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
SpyBot S&D searches your harddisk for so-called spy- or adbots;
http://security.kolla.de/
or
Adaware
http://www.lavasoftusa.com/software/adaware/
ASKER
Well, I have the HijackThis log, if that's OK to post here.
What the basic deal was: everything was disabled: Task Manager, regedit, msconfig, etc.
So I downloaded the trial of RAV and ran that, and it found two worms I believe, Big Mac and Supernova? I couldn't get rid of them cuz they were running, so I used HijackThis and cleaned a reg key for 'Big Mac'. Then RAV found an executable, fpdd[more random lowercase].exe, and HijackThis listed it as something like 'HKLM\..\Run: [Nortan Antivirus] fpdd[more random lowercase].exe', so I told it to clean that key and I ran procexp.exe to close the program, since Task Manager was disabled. That seemed to fix the problem of the disabled Windows functions, so I rebooted in safe mode and ran RAV. I think it got everything, but there's still some .elm or .eml? files I can't get rid of that I thought may just be corrupt, and some things on the log look suspicious. So tell me if you notice anything odd? Thanks
Logfile of HijackThis v1.97.7
Scan saved at 2:09:28 PM, on 12/22/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.e xe
C:\WINDOWS\system32\winlog on.exe
C:\WINDOWS\system32\servic es.exe
C:\WINDOWS\system32\lsass. exe
C:\WINDOWS\system32\svchos t.exe
C:\WINDOWS\System32\svchos t.exe
C:\WINDOWS\system32\spools v.exe
C:\WINDOWS\System32\DRIVER S\CDANTSRV .EXE
C:\WINDOWS\system32\cisvc. exe
C:\Program Files\GeCAD\RAV8 Desktop\ravmon.exe
C:\WINDOWS\System32\svchos t.exe
C:\WINDOWS\system32\cidaem on.exe
C:\Program Files\Common Files\Real\Update_OB\evnts vc.exe
C:\Program Files\Support.com\bin\tgcm d.exe
C:\WINDOWS\System32\ruben. exe
C:\WINDOWS\System32\WINZ32 .exe
C:\WINDOWS\System32\IEUPTR .exe
C:\Program Files\GeCAD\RAV8 Desktop\ravtray8.exe
C:\WINDOWS\System32\devldr 32.exe
c:\program files\gecad\rav8 desktop\ravwin8.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexe c.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jim McCarthy\Desktop\New Folder\HijackThis.exe
H:\WUTemp\com_microsoft.82 2603_WXP_S P2_WinSE_4 7942\Windo wsXP-KB822 603-x86-EN U.exe
h:\699f37997904a9813d3d\up date\updat e.exe
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50026
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\In ternet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\In ternet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID }&pver={SU B_PVER}&ar =home
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Page _URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Sear ch_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\In ternet Explorer\Search,CustomizeS earch =
R0 - HKLM\Software\Microsoft\In ternet Explorer\Search,SearchAssi stant = http://www.websearch.com/ie.aspx?tb_id=50026
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R0 - HKLM\Software\Microsoft\In ternet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.ht m
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,SearchAssist ant = http://www.websearch.com/ie.aspx?tb_id=50026
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3 DBE0391097 2} - C:\PROGRA~1\Toolbar\toolba r.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3 DBE0391097 2} - C:\PROGRA~1\Toolbar\toolba r.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-F ADC6B08487 2} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0 060083CFB9 C} - C:\WINDOWS\SYSTEM32\NZDD.D LL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0 0A0C908246 7} - C:\WINDOWS\System32\msdxm. ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7 859DF00B1D 6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-2 9EA915965E C} - C:\PROGRA~1\Toolbar\toolba r.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evnts vc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttas k.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcm d.exe" /server
O4 - HKLM\..\Run: [Configuration Loader] ruben.exe
O4 - HKLM\..\Run: [WinMDPLYR] video3.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\JIMMCC~1\LOCAL S~1\Temp\T B_ANI~1.EX E /dcheck
O4 - HKLM\..\Run: [INTERNET SERVISES] WINZ32.exe
O4 - HKLM\..\Run: [IE Updater] IEUPTR.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [LaCie USB2 Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [RAV8Tray] C:\Program Files\GeCAD\RAV8 Desktop\ravtray8.exe
O4 - HKLM\..\RunServices: [Configuration Loader] ruben.exe
O4 - HKLM\..\RunServices: [WinMDPLYR] video3.exe
O4 - HKLM\..\RunServices: [INTERNET SERVISES] WINZ32.exe
O4 - HKLM\..\RunServices: [IE Updater] IEUPTR.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\Styl eXP.exe -Hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Ad obe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = InterVideo\Common\Bin\WinC inemaMgr.e xe
O4 - Global Startup: ravmon.exe.lnk = GeCAD\RAV8 Desktop\ravmon.exe
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Microsoft WFC Forms Designer - file://F:\VJ98\WFCFORMS.CAB
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://F:\VJ98\VSTUDIO6.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.3106828704
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
What the basic deal was: everything was disabled: Task Manager, regedit, msconfig, etc.
So I downloaded the trial of RAV and ran that, and it found two worms I believe, Big Mac and Supernova? I couldn't get rid of them cuz they were running, so I used HijackThis and cleaned a reg key for 'big mac'. Then RAV found an executable, fpdd[more random lowercase].exe, and hijacker listed it as something like 'HKLM\..\Run: [Nortan Antivirus] fpdd[more random lowercase].exe', so I told it to clean that key and I ran procexp.exe to close the program, since Task Manager was disabled. That seemed to fix the problem of the disabled Windows functions, so I rebooted in safe mode and ran RAV. I think it got everything, but there's still some .elm or .eml? files I can't get rid of that I thought may just be corrupt, and some things on the log look suspicious. So tell me if you notice anything odd? Thanks
Logfile of HijackThis v1.97.7
Scan saved at 2:09:28 PM, on 12/22/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\WINDOWS\System32\DRIVER
C:\WINDOWS\system32\cisvc.
C:\Program Files\GeCAD\RAV8 Desktop\ravmon.exe
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\cidaem
C:\Program Files\Common Files\Real\Update_OB\evnts
C:\Program Files\Support.com\bin\tgcm
C:\WINDOWS\System32\ruben.
C:\WINDOWS\System32\WINZ32
C:\WINDOWS\System32\IEUPTR
C:\Program Files\GeCAD\RAV8 Desktop\ravtray8.exe
C:\WINDOWS\System32\devldr
c:\program files\gecad\rav8 desktop\ravwin8.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jim McCarthy\Desktop\New Folder\HijackThis.exe
H:\WUTemp\com_microsoft.82
h:\699f37997904a9813d3d\up
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-F
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-2
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evnts
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttas
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcm
O4 - HKLM\..\Run: [Configuration Loader] ruben.exe
O4 - HKLM\..\Run: [WinMDPLYR] video3.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\JIMMCC~1\LOCAL
O4 - HKLM\..\Run: [INTERNET SERVISES] WINZ32.exe
O4 - HKLM\..\Run: [IE Updater] IEUPTR.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [LaCie USB2 Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [RAV8Tray] C:\Program Files\GeCAD\RAV8 Desktop\ravtray8.exe
O4 - HKLM\..\RunServices: [Configuration Loader] ruben.exe
O4 - HKLM\..\RunServices: [WinMDPLYR] video3.exe
O4 - HKLM\..\RunServices: [INTERNET SERVISES] WINZ32.exe
O4 - HKLM\..\RunServices: [IE Updater] IEUPTR.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\Styl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = Common Files\Adobe\Calibration\Ad
O4 - Global Startup: InterVideo WinCinema Manager.lnk = InterVideo\Common\Bin\WinC
O4 - Global Startup: ravmon.exe.lnk = GeCAD\RAV8 Desktop\ravmon.exe
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Microsoft WFC Forms Designer - file://F:\VJ98\WFCFORMS.CA
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://F:\VJ98\VSTUDIO6.CA
O16 - DPF: {74D05D43-3236-11D4-BDCD-0
O16 - DPF: {9F1C11AA-197B-4942-BA54-4
O16 - DPF: {A17E30C4-A9BA-11D4-8673-6
O16 - DPF: {A3009861-330C-4E10-822B-3
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
Analyzing a HijackThis log takes a lot of time. Please ask this in another question.
ASKER
I don't have any points
I will analyze the log for free, since this is Christmas.
Go to Control Panel > Add Remove Programs and remove "Search Toolbar"
Check these items in HijackThis log and have HT remove them.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50026
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Configuration Loader] ruben.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\JIMMCC~1\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\Run: [INTERNET SERVISES] WINZ32.exe
O4 - HKLM\..\Run: [IE Updater] IEUPTR.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\RunServices: [Configuration Loader] ruben.exe
O4 - HKLM\..\RunServices: [WinMDPLYR] video3.exe
O4 - HKLM\..\RunServices: [INTERNET SERVISES] WINZ32.exe
O4 - HKLM\..\RunServices: [IE Updater] IEUPTR.exe
After running HT, delete Toolbar folder from C:\Program Files\
Delete Belt.exe from C:\Windows\
Delete the following from C:\WINDOWS\System32\
ruben.exe
WINZ32.exe
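The O4 entries the expert singles out above share two traits an analyst can check mechanically: the command is a bare file name with no path (so it is resolved through the search order rather than from a known install location), and several of them are registered under HKLM\..\RunServices, a Win9x-era autostart key that Windows XP does not process and that legitimate XP software has no reason to write. The following is an added example, not code from the thread or from HijackThis, that parses O4 lines and flags those traits; the log lines are copied from the asker's own log, and the heuristics are assumptions of this example, meant to shortlist entries for review rather than to pass a verdict (SysTray.Exe, for instance, is shortlisted and would be cleared by an analyst from a known-good list).

```python
"""Flag suspicious HijackThis O4 autostart lines (added example, not thread code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the O4 lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Configuration Loader] ruben.exe
O4 - HKLM\..\Run: [INTERNET SERVISES] WINZ32.exe
O4 - HKLM\..\Run: [IE Updater] IEUPTR.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\RunServices: [Configuration Loader] ruben.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: ravmon.exe.lnk = GeCAD\RAV8 Desktop\ravmon.exe
"""

# Registry-backed O4 lines look like:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)


@dataclass
class Autostart:
    hive: str
    key: str
    name: str
    image: str                     # executable exactly as written in the value
    reasons: list = field(default_factory=list)


def parse_o4(line):
    """Return an Autostart for a registry O4 line, or None for anything else
    (Global Startup .lnk lines are not registry values and are skipped)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd').strip()
    if cmd.startswith('"'):                     # quoted path, may be followed by args
        image = cmd[1:cmd.index('"', 1)]
    else:
        image = cmd.split()[0] if cmd else ''    # first token is the executable
    return Autostart(m.group('hive'), m.group('key'), m.group('name'), image)


def assess(entry, nt_host=True):
    """Attach review reasons to an entry (heuristics are this example's assumptions)."""
    reasons = []
    if '\\' not in entry.image:
        reasons.append('bare file name: no path, located through the search order')
    if nt_host and entry.key == 'RunServices':
        reasons.append('RunServices is a Win9x-only autostart key; unused by legitimate XP software')
    entry.reasons = reasons
    return entry


def scan(log_text, nt_host=True):
    """Parse every O4 line, assess it, and cross-check Run against RunServices.
    Returns the flagged entries in log order."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e is not None]
    for e in entries:
        assess(e, nt_host)
    # An image registered under both Run and RunServices is a stronger signal
    # than either key alone, so note it on the Run entry as well.
    in_runservices = {e.image.lower() for e in entries if e.key == 'RunServices'}
    for e in entries:
        if e.key == 'Run' and e.image.lower() in in_runservices:
            e.reasons.append('same image also registered under RunServices')
    return [e for e in entries if e.reasons]


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f'{f.hive}\\..\\{f.key} [{f.name}] {f.image}')
        for r in f.reasons:
            print(f'    - {r}')
```

Run against the sample, the shortlist is SysTray.Exe, ruben.exe (twice, the Run entry also noting its RunServices twin), WINZ32.exe and IEUPTR.exe; the fully pathed TkBellExe, Belt and MsnMsgr entries are not shortlisted, which is exactly why the expert's removal of C:\WINDOWS\Belt.exe still needs a human who recognises the name.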
ASKER
haha thanks
Oh btw, what are ruban and winz32 anyway? I think I've noticed ruben for a while now and it's bothered me haha, prolly cuz of the American Idol guy
WINZ32 is a trojan. Could not find anything on ruban.
You have a search bar and a trojan. Check these items in HijackThis and have HT remove them.
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R3 - Default URLSearchHook is missing
Unless you put the ICQ entry in the Hosts file yourself, delete this also
O1 - Hosts: 200.204.78.203 go.icq.com
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
Best wishes, war1