Use these to remove Malware (Virus, Spyware and Adware).
1)
SpyBot Search and Destroy After installing SpyBot Search & Destroy, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all the items it marks in red.
2)
Get Ad-Aware After installing Ad-Aware, and before running the program, first press “check for updates now".
Click "Connect" and install all updated components available. Click 'Finish'.
Press "Scan Now", then 'next', and let Ad-Aware scan your drives.
It will find a number of "bad" files and registry keys. Click 'Next' again.
Check all found items, and click 'next' once more.
It will ask you whether you'd like to remove all checked items. Click OK.
Always reboot the computer between each program - both of these may find things that they need to have a reboot of the machine to clear - please reboot and let them finish .
Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary. Then run, scan, save log, then in notepad copy the FULL log by copy and paste as a reply to this post and an expert with HijackThis Knowldge, will have a go at giving advice. Please note the list of experts names below, very few forum regulars here have had this training.
DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.
Known Spyware HijackThis fighters in DellTalk - If you are, and are not on the list please PM Me.
TomCoyote (of
http://tomcoyote.org/forums/index.php fame)
YoKenny (Accredited Expert at TomCoyotes)
baskar1234 (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
ChrisRLG (Classroom Coordinator at TomCoyotes, Trusted Advisor Spywareinfo)
Tuxedo Jack (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
Yellowhammer (Trusted Advisor at Net-Integration, First Responder at Computer Cops)
therock247uk (In Training at TomCoyotes and Spywareinfo)
irelynmisses (In Training at TomCoyotes and Spywareinfo)
I, and the other hijack experts mentioned above, are in all those sites (and more) with the same login names. You might get one of us at those sites also to anwser your log, but other experts will also be available.
I ran the spybot and the adware, here are the results of the hijack. I gotta warn you, it looks ugly to me.
Logfile of HijackThis v1.97.7 Scan saved at 2:37:18 PM, on 3/26/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
It does look nasty - but I have seen worse. --------------------------------------- Download then unzip and run CWShredder to clean up clicking "FIX" to have it remove all it finds.
Logfile of HijackThis v1.97.7 Scan saved at 9:15:51 PM, on 3/26/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Well your turned out to be a very easy one to cure. Just the one CWS infection, made it look a lot worse than it was. It is so purfect a single infection, that I will probably use it in some teaching materials.
Spybot s&d, Ad-aware Run weekly - or after a heavy internet session.
Spywareblaster & Spywareguard, first sets kill bits to stop known bad activeX controls installing, second acts like your AV to stop browser hijacks and installing of known badies.
Also ie-spyad (Link on my site), puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentaly getting sent to a bad site, it has optional list of "bad" adult sites to install as well.
All those with links from my site. Do remember just like Anti-Virus they need to be updated regularly, I do mine weekly, Anti-Virus hourly.
With these and a firewall in place I have to try various bad sites when checking peoples hijackthis logs looking to sort bad from good, and I have not yet been infected. Still time for it to happen LOL.
The same exact thing happened to me this weekend too, right down to the same file names. Dell Support advised me to remove them by running msconfig. Surprisingly, that worked and I've not been bothered at all today. However, my feeling was that fix was temporary; that is will not eliminate the problem: I'm still a target for whoever/whatever did this in the first place. Now after reading all this help that you got, I know what I need to do.
Thanks everyone. Glad I found this page; didn't know it existed!
One other thing happened too; don't know if it's related. I lost almost 2GB of free space. Any thoughts on that?
The best answer is to post your own log here BUT in a new message (not as a reply to this persons problems) and I or another expert will tell you what to fix/delete. - You would need to re enable those items from msconfig that you disabled, yes that is only a tempary fix.
Important: Create a folder on the C: drive called C:\HJT. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary. Then run, scan, save log, then in notepad copy the FULL log by copy and paste as a reply to this post and an expert with HijackThis Knowldge, will have a go at giving advice. Please note the list of experts names below, very few forum regulars here have had this training. DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.
Known Spyware HijackThis fighters in DellTalk - If you are, and are not on the list please PM Me.
TomCoyote (of http://tomcoyote.org/forums/index.php fame) YoKenny (Accredited Expert at TomCoyotes) baskar1234 (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo) ChrisRLG (Classroom Coordinator at TomCoyotes, Trusted Advisor Spywareinfo) Tuxedo Jack (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo) Yellowhammer (Trusted Advisor at Net-Integration, First Responder at Computer Cops) tashi (Helper at Spywareinfo, in training at TomCoyotes) therock247uk (In Training at TomCoyotes and Spywareinfo) irelynmisses (In Training at TomCoyotes and Spywareinfo)
I, and the other hijack experts mentioned above, are in all those sites (and more) with the same login names. You might get one of us at those sites also to anwser your log, but other experts will also be available.
ChrisRLG
3.9K Posts
0
March 26th, 2004 18:00
1) SpyBot Search and Destroy
After installing SpyBot Search & Destroy, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all the items it marks in red.
2) Get Ad-Aware
After installing Ad-Aware, and before running the program, first press “check for updates now".
Click "Connect" and install all updated components available. Click 'Finish'.
Press "Scan Now", then 'next', and let Ad-Aware scan your drives.
It will find a number of "bad" files and registry keys. Click 'Next' again.
Check all found items, and click 'next' once more.
It will ask you whether you'd like to remove all checked items. Click OK.
Always reboot the computer between each program - both of these may find things that they need to have a reboot of the machine to clear - please reboot and let them finish .
Failing those solving your problems a post of a hijackthis log for the experts to advise.
HijackThis From Here
or one of these other links:-
http://www.merijn.org/files/hijackthis.zip
http://www.aluriasoftware.com/tools/hijackthis.zip
http://mjc1.com/mirror/hjt/
Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary. Then run, scan, save log, then in notepad copy the FULL log by copy and paste as a reply to this post and an expert with HijackThis Knowldge, will have a go at giving advice. Please note the list of experts names below, very few forum regulars here have had this training.
DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.
Known Spyware HijackThis fighters in DellTalk - If you are, and are not on the list please PM Me.
TomCoyote (of http://tomcoyote.org/forums/index.php fame)
YoKenny (Accredited Expert at TomCoyotes)
baskar1234 (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
ChrisRLG (Classroom Coordinator at TomCoyotes, Trusted Advisor Spywareinfo)
Tuxedo Jack (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
Yellowhammer (Trusted Advisor at Net-Integration, First Responder at Computer Cops)
therock247uk (In Training at TomCoyotes and Spywareinfo)
irelynmisses (In Training at TomCoyotes and Spywareinfo)
You could also go to one of the more specalist forums where more experts will be able to help.
http://tomcoyote.com/forums/index.php
http://forums.spywareinfo.com/index.php
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi (Home of Spybot S&D)
http://boards.cexx.org/index.php
http://www.wilderssecurity.com/index.php
Do read the sites FAQ before posting, and advise your problem and what steps you have already done to try to cure your problem.
I, and the other hijack experts mentioned above, are in all those sites (and more) with the same login names. You might get one of us at those sites also to anwser your log, but other experts will also be available.
twotimes
4 Posts
0
March 26th, 2004 18:00
I ran the spybot and the adware, here are the results of the hijack. I gotta warn you, it looks ugly to me.
Logfile of HijackThis v1.97.7
Scan saved at 2:37:18 PM, on 3/26/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\HPZTSB06.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\COMMON FILES\KODAK\KODAK_DR\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACK~1\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
O2 - BHO: (no name) - {058FC709-D5CD-4A95-92DB-59E6488ECDA4} - C:\PROGRAM FILES\MEDIACOM\BBCLIENT\PROGRAMS\SABHO.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.1.8P.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [BroadbandClient] C:\Program Files\Mediacom\BBClient\Programs\RegCon.exe /admincheck
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [KodakCCS] C:\Program Files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "C:\Program Files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"
O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [80472DRQ.EXE] C:\WINDOWS\80472DRQ.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [80472DRQ.EXE] C:\WINDOWS\80472DRQ.EXE /dk
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: E909HJAN.lnk = C:\WINDOWS\e909hjan.exe
O4 - Startup: JA4UMWQ0.lnk = C:\WINDOWS\ja4umwq0.exe
O4 - Startup: 40CQ9IPP.lnk = C:\WINDOWS\40cq9ipp.exe
O4 - Startup: IKPBCU8W.lnk = C:\WINDOWS\ikpbcu8w.exe
O4 - Startup: 3F9K07PN.lnk = C:\WINDOWS\3f9k07pn.exe
O4 - Startup: G93U08BD.lnk = C:\WINDOWS\g93u08bd.exe
O4 - Startup: JW9HWFND.lnk = C:\WINDOWS\jw9hwfnd.exe
O4 - Startup: 0LUFZ096.lnk = C:\WINDOWS\0lufz096.exe
O4 - Startup: 2QZNR79J.lnk = C:\WINDOWS\2qznr79j.exe
O4 - Startup: L7JHU33N.lnk = C:\WINDOWS\l7jhu33n.exe
O4 - Startup: GH2OG7ET.lnk = C:\WINDOWS\gh2og7et.exe
O4 - Startup: CTWMU9WJ.lnk = C:\WINDOWS\ctwmu9wj.exe
O4 - Startup: 2HM27NBJ.lnk = C:\WINDOWS\2hm27nbj.exe
O4 - Startup: 4A9Q4JQE.lnk = C:\WINDOWS\4a9q4jqe.exe
O4 - Startup: KC1NF4DA.lnk = C:\WINDOWS\kc1nf4da.exe
O4 - Startup: J0FUFMPX.lnk = C:\WINDOWS\j0fufmpx.exe
O4 - Startup: N0709Z1X.lnk = C:\WINDOWS\n0709z1x.exe
O4 - Startup: 3AXR0JZX.lnk = C:\WINDOWS\3axr0jzx.exe
O4 - Startup: 80472DRQ.lnk = C:\WINDOWS\80472drq.exe
O4 - Global Startup: FUG1OZ60.lnk = C:\WINDOWS\fug1oz60.exe
O4 - Global Startup: KBBI6JN5.lnk = C:\WINDOWS\kbbi6jn5.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: GAU5256T.lnk = C:\WINDOWS\gau5256t.exe
O4 - Global Startup: 3F9K07PN.lnk = C:\WINDOWS\3f9k07pn.exe
O4 - Global Startup: N966I0AL.lnk = C:\WINDOWS\n966i0al.exe
O4 - Global Startup: M62JMWX0.lnk = C:\WINDOWS\m62jmwx0.exe
O4 - Global Startup: Z5X3M0Z3.lnk = C:\WINDOWS\z5x3m0z3.exe
O4 - Global Startup: UC7ROH7F.lnk = C:\WINDOWS\uc7roh7f.exe
O4 - Global Startup: XRJFJIWO.lnk = C:\WINDOWS\xrjfjiwo.exe
O4 - Global Startup: 265JYA4U.lnk = C:\WINDOWS\265jya4u.exe
O4 - Global Startup: 0RB5JX6X.lnk = C:\WINDOWS\0rb5jx6x.exe
O4 - Global Startup: 516VT0GP.lnk = C:\WINDOWS\516vt0gp.exe
O4 - Global Startup: 0FLYA10M.lnk = C:\WINDOWS\0flya10m.exe
O4 - Global Startup: 0XYKWN9R.lnk = C:\WINDOWS\0xykwn9r.exe
O4 - Global Startup: NLD4AT7X.lnk = C:\WINDOWS\nld4at7x.exe
O4 - Global Startup: PLCQOL60.lnk = C:\WINDOWS\plcqol60.exe
O4 - Global Startup: 1L0XAZ0H.lnk = C:\WINDOWS\1l0xaz0h.exe
O4 - Global Startup: V9DI7DT0.lnk = C:\WINDOWS\v9di7dt0.exe
O4 - Global Startup: J0FUFMPX.lnk = C:\WINDOWS\j0fufmpx.exe
O4 - Global Startup: 4LXOBT1B.lnk = C:\WINDOWS\4lxobt1b.exe
O4 - Global Startup: N0709Z1X.lnk = C:\WINDOWS\n0709z1x.exe
O4 - Global Startup: 01F0B947.lnk = C:\WINDOWS\01f0b947.exe
O4 - Global Startup: W9VJGEE6.lnk = C:\WINDOWS\w9vjgee6.exe
O4 - Global Startup: BVMRDQX3.lnk = C:\WINDOWS\bvmrdqx3.exe
O4 - Global Startup: B90G54QO.lnk = C:\WINDOWS\b90g54qo.exe
O4 - Global Startup: PBZO590J.lnk = C:\WINDOWS\pbzo590j.exe
O4 - Global Startup: 2KCE7PTC.lnk = C:\WINDOWS\2kce7ptc.exe
O4 - Global Startup: 0IBZRZXN.lnk = C:\WINDOWS\0ibzrzxn.exe
O4 - Global Startup: 2DACW5ZC.lnk = C:\WINDOWS\2dacw5zc.exe
O4 - Global Startup: XO4E354X.lnk = C:\WINDOWS\xo4e354x.exe
O4 - Global Startup: E909HJAN.lnk = C:\WINDOWS\e909hjan.exe
O4 - Global Startup: JA4UMWQ0.lnk = C:\WINDOWS\ja4umwq0.exe
O4 - Global Startup: 40CQ9IPP.lnk = C:\WINDOWS\40cq9ipp.exe
O4 - Global Startup: IKPBCU8W.lnk = C:\WINDOWS\ikpbcu8w.exe
O4 - Global Startup: V7TLCGZM.lnk = C:\WINDOWS\v7tlcgzm.exe
O4 - Global Startup: X2BA3BZC.lnk = C:\WINDOWS\x2ba3bzc.exe
O4 - Global Startup: G93U08BD.lnk = C:\WINDOWS\g93u08bd.exe
O4 - Global Startup: JW9HWFND.lnk = C:\WINDOWS\jw9hwfnd.exe
O4 - Global Startup: 0LUFZ096.lnk = C:\WINDOWS\0lufz096.exe
O4 - Global Startup: 2QZNR79J.lnk = C:\WINDOWS\2qznr79j.exe
O4 - Global Startup: L7JHU33N.lnk = C:\WINDOWS\l7jhu33n.exe
O4 - Global Startup: GH2OG7ET.lnk = C:\WINDOWS\gh2og7et.exe
O4 - Global Startup: CTWMU9WJ.lnk = C:\WINDOWS\ctwmu9wj.exe
O4 - Global Startup: 2HM27NBJ.lnk = C:\WINDOWS\2hm27nbj.exe
O4 - Global Startup: 4A9Q4JQE.lnk = C:\WINDOWS\4a9q4jqe.exe
O4 - Global Startup: KC1NF4DA.lnk = C:\WINDOWS\kc1nf4da.exe
O4 - Global Startup: 3AXR0JZX.lnk = C:\WINDOWS\3axr0jzx.exe
O4 - Global Startup: 80472DRQ.lnk = C:\WINDOWS\80472drq.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {EBC448F6-3C86-4689-8F5A-088B87E5C725} (Wonderhorse Listener ActiveX Control 1.2) - http://talkradio.alternacast.net/talkradio/clients/listener/bin/whlisten12.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37883.6559027778
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
Please HELP!!!!
ChrisRLG
3.9K Posts
0
March 26th, 2004 19:00
It does look nasty - but I have seen worse.
---------------------------------------
Download then unzip and run CWShredder to clean up clicking "FIX" to have it remove all it finds.
CWShredder available from :-
http://www.aluriasoftware.com/tools/cwshredder.zip
please post a new hijackthis log after a reboot.
(I believe that all those as part of that long list of random named files, should be deleted by this program. But if not we will do it manually after)
twotimes
4 Posts
0
March 27th, 2004 03:00
here's what i have now. let me know how it looks!
Logfile of HijackThis v1.97.7
Scan saved at 9:15:51 PM, on 3/26/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPZTSB06.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\POWERPDF\PWRPDFSRV.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HJT\HIJACK~1\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.1.8P.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
O4 - HKLM\..\Run: [pwrpdfprsrv.exe] C:\Program Files\PowerPDF\pwrpdfsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {EBC448F6-3C86-4689-8F5A-088B87E5C725} (Wonderhorse Listener ActiveX Control 1.2) - http://talkradio.alternacast.net/talkradio/clients/listener/bin/whlisten12.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37883.6559027778
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
Message Edited by twotimes on 03-26-2004 11:28 PM
ChrisRLG
3.9K Posts
0
March 27th, 2004 17:00
Well your turned out to be a very easy one to cure. Just the one CWS infection, made it look a lot worse than it was.
It is so purfect a single infection, that I will probably use it in some teaching materials.
Back to you.
----------------------------------------------------
This is my normal post for when you are clear - which you now are:-
------------------------
How on earth did I get infected with all that spyware in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051
Also available from here :- http://www.computercops.biz/postlite7736-.html or http://boards.cexx.org/viewtopic.php?t=957
--------------
Look at the info on my website regarding malware (Link below). Some things you can do to stop getting infected again:-
Spybot s&d, Ad-aware Run weekly - or after a heavy internet session.
Spywareblaster & Spywareguard, first sets kill bits to stop known bad activeX controls installing, second acts like your AV to stop browser hijacks and installing of known badies.
Also ie-spyad (Link on my site), puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentaly getting sent to a bad site, it has optional list of "bad" adult sites to install as well.
All those with links from my site. Do remember just like Anti-Virus they need to be updated regularly, I do mine weekly, Anti-Virus hourly.
With these and a firewall in place I have to try various bad sites when checking peoples hijackthis logs looking to sort bad from good, and I have not yet been infected. Still time for it to happen LOL.
JVo
10 Posts
0
March 29th, 2004 18:00
The same exact thing happened to me this weekend too, right down to the same file names. Dell Support advised me to remove them by running msconfig. Surprisingly, that worked and I've not been bothered at all today. However, my feeling was that fix was temporary; that is will not eliminate the problem: I'm still a target for whoever/whatever did this in the first place. Now after reading all this help that you got, I know what I need to do.
Thanks everyone. Glad I found this page; didn't know it existed!
One other thing happened too; don't know if it's related. I lost almost 2GB of free space. Any thoughts on that?
J-Vo
ChrisRLG
3.9K Posts
0
March 29th, 2004 19:00
The best answer is to post your own log here BUT in a new message (not as a reply to this persons problems) and I or another expert will tell you what to fix/delete. - You would need to re enable those items from msconfig that you disabled, yes that is only a tempary fix.
A post of a hijackthis log for the experts to advise.
HijackThis From Here
or one of these other links:-
http://www.merijn.org/files/hijackthis.zip
http://www.aluriasoftware.com/tools/hijackthis.zip
http://mjc1.com/mirror/hjt/
Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary. Then run, scan, save log, then in notepad copy the FULL log by copy and paste as a reply to this post and an expert with HijackThis Knowldge, will have a go at giving advice. Please note the list of experts names below, very few forum regulars here have had this training.
DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.
Known Spyware HijackThis fighters in DellTalk - If you are, and are not on the list please PM Me.
TomCoyote (of http://tomcoyote.org/forums/index.php fame)
YoKenny (Accredited Expert at TomCoyotes)
baskar1234 (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
ChrisRLG (Classroom Coordinator at TomCoyotes, Trusted Advisor Spywareinfo)
Tuxedo Jack (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
Yellowhammer (Trusted Advisor at Net-Integration, First Responder at Computer Cops)
tashi (Helper at Spywareinfo, in training at TomCoyotes)
therock247uk (In Training at TomCoyotes and Spywareinfo)
irelynmisses (In Training at TomCoyotes and Spywareinfo)
You could also go to one of the more specalist forums where more experts will be able to help.
http://tomcoyote.com/forums/index.php
http://forums.spywareinfo.com/index.php
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi (Home of Spybot S&D)
http://boards.cexx.org/index.php
http://www.wilderssecurity.com/index.php
Do read the sites FAQ before posting, and advise your problem and what steps you have already done to try to cure your problem.
I, and the other hijack experts mentioned above, are in all those sites (and more) with the same login names. You might get one of us at those sites also to anwser your log, but other experts will also be available.