Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

tessgold

17 Posts

2942

April 18th, 2004 03:00

malware? or worse?

Some items with odd names are in my startup list. I've run Spybot and AdAware multiple times and they don't show that anything needs to be deleted. So I'm thinking that maybe the odd things on the list used to be a problem but have been removed by Spybot and AdAware and I've just got leftover stuff in the startup list.Could that be right? Do I need to do anything here? Here are a few examples:

QEU.exe
DGW.exe
JZDHBKOBI.exe
47MSJ2W3J7PQJE (WditARpr.exe)
AutoUpdater

ChrisRLG

2 Intern

 • 

3.9K Posts

April 18th, 2004 11:00

Post a hijackthis log for us to see please - instructions below.
================
Use these to remove Malware (Virus, Spyware and Adware).

1) SpyBot Search and Destroy
After installing SpyBot Search & Destroy, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all the items it marks in red.

2) Get Ad-Aware
After installing Ad-Aware, and before running the program, first press “check for updates now".
Click "Connect" and install all updated components available. Click 'Finish'.
Press "Scan Now", then 'next', and let Ad-Aware scan your drives.
It will find a number of "bad" files and registry keys. Click 'Next' again.
Check all found items, and click 'next' once more.
It will ask you whether you'd like to remove all checked items. Click OK.

Always reboot the computer between each program - both of these may find things that they need to have a reboot of the machine to clear - please reboot and let them finish .

Failing those solving your problems a post of a hijackthis log for the experts to advise.
HijackThis From Here
or one of these other links:-
http://www.merijn.org/files/hijackthis.zip
http://www.aluriasoftware.com/tools/hijackthis.zip
http://mjc1.com/mirror/hjt/

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary. Then run, scan, save log, then in notepad copy the FULL log by copy and paste as a reply to this post and an expert with HijackThis Knowldge, will have a go at giving advice. Please note the list of experts names below, very few forum regulars here have had this training.

DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.

Known Spyware HijackThis fighters in DellTalk - If you are, and are not on the list please PM Me.

TomCoyote (of http://tomcoyote.org/forums/index.php fame)
YoKenny (Accredited Expert at TomCoyotes)
baskar1234 (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
ChrisRLG (Classroom Coordinator at TomCoyotes, Trusted Advisor Spywareinfo)
Tuxedo Jack (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
Yellowhammer (Trusted Advisor at Net-Integration, First Responder at Computer Cops)
tashi (Helper at Spywareinfo, in training at TomCoyotes)
therock247uk (In Training at TomCoyotes and Spywareinfo)
irelynmisses (In Training at TomCoyotes and Spywareinfo)
Texruss (In Training at TomCoyotes and Spywareinfo)
PGPhantom (In Training at Spywareinfo)

You could also go to one of the more specalist forums where more experts will be able to help.
http://tomcoyote.com/forums/index.php
http://forums.spywareinfo.com/index.php
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi (Home of Spybot S&D)
http://boards.cexx.org/index.php
http://www.wilderssecurity.com/index.php
Do read the sites FAQ before posting, and advise your problem and what steps you have already done to try to cure your problem.

I, and the other hijack experts mentioned above, are in all those sites (and more) with the same login names. You might get one of us at those sites also to anwser your log, but other experts will also be available.

tessgold

17 Posts

April 18th, 2004 15:00

OK, here is my Hijack This log file:

 

Logfile of HijackThis v1.97.7
Scan saved at 8:55:23 PM, on 4/17/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\IVASION\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\XCPCSYNC\TRANSLATORS\MYPALM\MPTRAY.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.EXE
C:\PROGRAM FILES\KEIRNET\K9\K9.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\PROGRAM FILES\GOOGLE\GGVIEWER81-76.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/Queue?hnjr=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dell.com/search/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.netflix.com/Default?mqso=36126240&bfree_sourceid=qIasQD05kgu3AmBg-p6@&partid=0039870718
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinPoET] C:\Program Files\iVasion\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [QD FastAndSafe] c:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [XTNDConnect PC - MyPalm] C:\PROGRA~1\COMMON~1\XCPCSYNC\Translators\MyPalm\MPTray.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPSCANMonitor] c:\windows\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O4 - Startup: Launch K9.lnk = C:\Program Files\KeirNet\K9\K9.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINSM32.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .exe: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .zip: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .z: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .lha: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .arj: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .gz: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .tar: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .bin: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38094.4724652778
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {27EB254C-C724-43B1-8DD8-F3AC9ED761B2} - http://client2.tvtonic.com/Webservice/Public/WXStageInstall/2.6/TVTStage1.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.217.77.82,207.217.120.83

 

ChrisRLG

2 Intern

 • 

3.9K Posts

April 18th, 2004 18:00

Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

The following activeX controls will reinstall when(and if) you revisit that website, UNLESS you know they are from a safe source, check to remove.

O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {27EB254C-C724-43B1-8DD8-F3AC9ED761B2} - http://client2.tvtonic.com/Webservice/Public/WXStageInstall/2.6/TVTStage1.cab

Then Reboot and post a fresh log for me to check.

tessgold

17 Posts

April 18th, 2004 19:00

Here is new log file after rebooting. Odd entries still remaining in startup file viewed with msconfig.  ( I left the Shutterfly entry in because I use Shuttefly to upload pictures for printing)

 

Logfile of HijackThis v1.97.7
Scan saved at 1:06:41 PM, on 4/18/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\IVASION\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\XCPCSYNC\TRANSLATORS\MYPALM\MPTRAY.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.EXE
C:\PROGRAM FILES\KEIRNET\K9\K9.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\PROGRAM FILES\GOOGLE\GGVIEWER81-76.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/Queue?hnjr=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dell.com/search/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.netflix.com/Default?mqso=36126240&bfree_sourceid=qIasQD05kgu3AmBg-p6@&partid=0039870718
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinPoET] C:\Program Files\iVasion\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [QD FastAndSafe] c:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [XTNDConnect PC - MyPalm] C:\PROGRA~1\COMMON~1\XCPCSYNC\Translators\MyPalm\MPTray.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPSCANMonitor] c:\windows\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O4 - Startup: Launch K9.lnk = C:\Program Files\KeirNet\K9\K9.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINSM32.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .exe: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .zip: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .z: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .lha: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .arj: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .gz: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .tar: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .bin: C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NPSystem.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38094.4724652778
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.217.77.82,207.217.120.83

 

Message Edited by tessgold on 04-18-2004 03:15 PM

ChrisRLG

2 Intern

 • 

3.9K Posts

April 18th, 2004 20:00

Your log is now clean - let me know if you have any problems still, but here is my all clear message
========================
This is my normal post for when you are clear - which you now are:-
------------------------
How on earth did I get infected with all that spyware in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051
Also available from here :- http://www.computercops.biz/postlite7736-.html or http://boards.cexx.org/viewtopic.php?t=957
--------------
Look at the info on my website regarding malware (Link below). Some things you can do to stop getting infected again:-

Spybot s&d, Ad-aware Run weekly - or after a heavy internet session.

Spywareblaster & Spywareguard, first sets kill bits to stop known bad activeX controls installing, second acts like your AV to stop browser hijacks and installing of known badies.

Also ie-spyad (Link on my site), puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentaly getting sent to a bad site, it has optional list of "bad" adult sites to install as well.

All those with links from my site. Do remember just like Anti-Virus they need to be updated regularly, I do mine weekly, Anti-Virus hourly.

With these and a firewall in place I have to try various bad sites when checking peoples hijackthis logs looking to sort bad from good, and I have not yet been infected. Still time for it to happen LOL.

 

tessgold

17 Posts

April 18th, 2004 20:00

Chris, thank you, thank you, thank you. I feel so much better now. You are providing a wonderful service.

Tess

ChrisRLG

2 Intern

 • 

3.9K Posts

April 18th, 2004 21:00

Your Welcome

Was this post helpful?

View All

0 events found

No Events found!

Top