Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

alisapikaart

10 Posts

4589

March 29th, 2004 12:00

Spyware...did it break my computer?

I have a dimension 2450.  I am certain that SpyWare has overtaken my computer.  Once before when pop-ups were out of control and AdAware didn't stop it, I erased and re-installed the entire system.  Now, it's so bad that I cannot run a single program.  So I can't use AdAware to delete this stuff or the internet, virus software, setting options...etc.  NOTHING will run!!!  Help me please....what can I do???

BBlackie

426 Posts

March 29th, 2004 14:00

When you start the computer, tap F8 repeatedly to get the safe mode menu.  Select safe mode with no networking support.  Then press Start->Run, type in sfc /scannow and press OK.  Let the system fix any broken system files.  Then reboot and do as ChrisRLG suggests.

If that will not recover the system, then you'll be doing another clean OS reinstall.  And if that's the case, then make sure in the future that you have a VALID and UPTODATE anti-virus program.  Also do NOT open emails from anyone that you don't know.  Also do not open any emails that purport to be from Microsoft, Yahoo, etc. that tell you that you need to run an update, verify your account to keep it from closing, etc.

alisapikaart

10 Posts

March 29th, 2004 14:00

BUT,  I CANT RUN IE AT ALL. (I'M USING MY WORK COM RIGHT NOW) IS THERE ANYTHING I CAN DO SINCE I CAN'T RUN ANY PROGRAMS?

ChrisRLG

3.9K Posts

March 29th, 2004 14:00

A post of a hijackthis log for the experts to advise.
HijackThis From Here
or one of these other links:-
http://www.merijn.org/files/hijackthis.zip
http://www.aluriasoftware.com/tools/hijackthis.zip
http://mjc1.com/mirror/hjt/

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary. Then run, scan, save log, then in notepad copy the FULL log by copy and paste as a reply to this post and an expert with HijackThis Knowldge, will have a go at giving advice. Please note the list of experts names below, very few forum regulars here have had this training.

DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.

Known Spyware HijackThis fighters in DellTalk - If you are, and are not on the list please PM Me.

TomCoyote (of http://tomcoyote.org/forums/index.php fame)
YoKenny (Accredited Expert at TomCoyotes)
baskar1234 (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
ChrisRLG (Classroom Coordinator at TomCoyotes, Trusted Advisor Spywareinfo)
Tuxedo Jack (Teaching Assistant at TomCoyotes, Trusted Advisor Spywareinfo)
Yellowhammer (Trusted Advisor at Net-Integration, First Responder at Computer Cops)
tashi (Helper at Spywareinfo, in training at TomCoyotes)
therock247uk (In Training at TomCoyotes and Spywareinfo)
irelynmisses (In Training at TomCoyotes and Spywareinfo)

You could also go to one of the more specalist forums where more experts will be able to help.
http://tomcoyote.com/forums/index.php
http://forums.spywareinfo.com/index.php
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi (Home of Spybot S&D)
http://boards.cexx.org/index.php
http://www.wilderssecurity.com/index.php
Do read the sites FAQ before posting, and advise your problem and what steps you have already done to try to cure your problem.

I, and the other hijack experts mentioned above, are in all those sites (and more) with the same login names. You might get one of us at those sites also to anwser your log, but other experts will also be available.

ChrisRLG

3.9K Posts

March 29th, 2004 17:00

Also if that does not work, try downloading a copy of hijackthis from another machine, put it on a floppy (or CDRW) and use that to copy to your own machine. Copy the text file to the floppy (or CDRW) and use another machine to post the log here.

alisapikaart

10 Posts

March 30th, 2004 11:00

After about 2 hours I finally was able to do the HIjack scan.  Since I have an XP, my boyfriend and I have our own log on names.  The first post will be my scan, the second will be his (look below for his):

I hope you can find something that's easy to fix...let me know. 

Logfile of HijackThis v1.97.7
Scan saved at 7:24:44 PM, on 3/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\view media city\idle info seek.exe
C:\WINDOWS\SysUpd.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Orbit\update.exe
C:\Program Files\Orbit\view.exe
C:\Program Files\Window Active\winactive.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Media\Media\UpdateStats.exe
C:\WINDOWS\System32\tnynkgrl.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\dp-k13w13.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ClearSearch\Loader.exe
C:\WINDOWS\uptodate.exe
C:\Program Files\Save\Save.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Documents and Settings\Alisa Pikaart\Application Data\ttuh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wtssvsu.exe
C:\WINDOWS\sp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System\winspool.exe
C:\windows\winlogon.exe
C:\WINDOWS\System32\sencodem.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Documents and Settings\Alisa Pikaart\Application Data\Microsoft\sr64\ggcigccl.exe
C:\WINDOWS\System32\svchostc.exe
C:\WINDOWS\System32\wuauclt.exe
c:\000.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.alfa-search.com/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ultralinks.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.alfa-search.com/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alfa-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://omega-search.com/go/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://list2004.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
R3 - URLSearchHook: (no name) - _{30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: SearchSquire3 - {907CA0E5-CE84-11D6-9508-02608CDD2846} - C:\WINDOWS\System32\SEARCH~1.DLL
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [SearchSquire33] C:\WINDOWS\System32\SearchUpdate33.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [pile file] C:\Program Files\view media city\idle info seek.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\Run: [host] C:\WINDOWS\system32\hosts.vbs
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [system] c:\Free_Sex_Download.exe
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [ahgeqxmw] C:\WINDOWS\System32\tnynkgrl.exe
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [8u8gl3l8gg] C:\WINDOWS\cfekh235x4.exe
O4 - HKLM\..\Run: [sencodem] C:\WINDOWS\System32\sencodem.exe
O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Alisa Pikaart\Application Data\ttuh.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtssvsu.exe
O4 - HKCU\..\Run: [sp] C:\WINDOWS\sp.exe
O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winspool.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [sr64] C:\Documents and Settings\Alisa Pikaart\Application Data\Microsoft\sr64\ggcigccl.exe
O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogon.exe
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O13 - DefaultPrefix: http://list2004.com/p/
O13 - WWW Prefix: http://list2004.com/p/
O13 - Home Prefix: http://www.nkvd.us/
O13 - Mosaic Prefix: http://www.nkvd.us/
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: http://ad.searchsquire.com
O15 - Trusted Zone: http://search.searchsquire.com
O15 - Trusted Zone: http://update.searchsquire.com
O15 - Trusted Zone: http://www.searchsquire.com
O15 - Trusted Zone: *.teensguru.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://connect.online-dialer.com/cax.cab
O16 - DPF: {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} (Search Bar) - http://www.cameup.com/download/ToolBandXP.cab
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TUR39126/turbo.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://213.159.117.236/buka.chm::/hz.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load9.exe
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/LOT14126/thin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2846} (Squire Class) - http://update.searchsquire.com/SearchSquire33.CAB
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/new/bridge.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://203.199.200.61/ads/shareit/da/cab/SysUpd.CAB
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://66.230.146.53/EPlugin_US.cab
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}
O19 - User stylesheet: C:\WINDOWS\system32\readme.txt
O19 - User stylesheet: C:\WINDOWS\hh.htt (file missing) (HKLM)

alisapikaart

10 Posts

March 30th, 2004 12:00

Here is my boyfriends scan on the same xp.  I tried to submit this but it doesn't allow profanity (S#X), so anyware that it should be you will see this abbreviation S#X highlighted in purple.  If you have any questions, let me know.

Logfile of HijackThis v1.97.7
Scan saved at 5:09:57 AM, on 3/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\view media city\idle info seek.exe
C:\WINDOWS\SysUpd.exe
C:\WINDOWS\winh.exe
C:\WINDOWS\svchost.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Orbit\update.exe
C:\Program Files\Orbit\view.exe
C:\Program Files\Window Active\winactive.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Media\Media\UpdateStats.exe
C:\WINDOWS\System32\tnynkgrl.exe
C:\WINDOWS\System32\IEDriver\IEDriver.exe
C:\WINDOWS\System32\dp-k13w13.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ClearSearch\Loader.exe
C:\WINDOWS\uptodate.exe
C:\Program Files\Save\Save.exe
C:\WINDOWS\rundll16.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Raul Garcia Jr\Application Data\ttuh.exe
C:\WINDOWS\system\explorer.exe
C:\WINDOWS\System32\wtssvsu.exe
C:\WINDOWS\system32\winproc32.exe
C:\PROGRA~1\ezula\mmod.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\s#xcl40m.exe
C:\Documents and Settings\Raul Garcia Jr\Application Data\Microsoft\sr32\sr32.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.alfa-search.com/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.alfa-search.com/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.alfa-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://omega-search.com/go/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://list2004.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
R3 - URLSearchHook: (no name) - _{341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - C:\WINDOWS\System32\p90z3y2iti.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [SearchSquire33] C:\WINDOWS\System32\SearchUpdate33.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [pile file] C:\Program Files\view media city\idle info seek.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\Run: [host] C:\WINDOWS\system32\hosts.vbs
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [system] c:\Free_S#x_Download.exe
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [ahgeqxmw] C:\WINDOWS\System32\tnynkgrl.exe
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [7mycj5n2e8] C:\WINDOWS\cfekh235x4.exe
O4 - HKLM\..\Run: [s#xcl40m] C:\WINDOWS\System32\s#xcl40m.exe
O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Raul Garcia Jr\Application Data\ttuh.exe
O4 - HKCU\..\Run: [defragm_check] C:\WINDOWS\System32\defragment.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtssvsu.exe
O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\system32\winproc32.exe
O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\explorer.exe
O4 - HKCU\..\Run: [sr32] C:\Documents and Settings\Raul Garcia Jr\Application Data\Microsoft\sr32\sr32.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [h1hup9xugg] C:\WINDOWS\5t2pk84aaz.exe
O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - Startup: Microsoft Data Helper.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogon.exe
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O13 - DefaultPrefix: http://list2004.com/p/
O13 - WWW Prefix: http://list2004.com/p/
O13 - Home Prefix: http://www.nkvd.us/
O13 - Mosaic Prefix: http://www.nkvd.us/
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: http://ad.searchsquire.com
O15 - Trusted Zone: http://search.searchsquire.com
O15 - Trusted Zone: http://update.searchsquire.com
O15 - Trusted Zone: http://www.searchsquire.com
O15 - Trusted Zone: *.teensguru.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://connect.online-dialer.com/cax.cab
O16 - DPF: {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} (Search Bar) - http://www.cameup.com/download/ToolBandXP.cab
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TUR39126/turbo.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://213.159.117.236/buka.chm::/hz.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load9.exe
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19119/flash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2846} (Squire Class) - http://update.searchsquire.com/SearchSquire33.CAB
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/new/bridge.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://203.199.200.61/ads/shareit/da/cab/SysUpd.CAB
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://66.230.146.53/EPlugin_US.cab
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F80-00104B107C96}
O19 - User stylesheet: C:\WINDOWS\system32\readme.txt
O19 - User stylesheet: C:\WINDOWS\hh.htt (file missing) (HKLM)

 

 

ChrisRLG

3.9K Posts

March 30th, 2004 19:00

Both of you have a cwshredder infection. - It might  be cleared by running this program in one user name - but run  in both to be sure.

Download then unzip and run CWShredder to clean up clicking "FIX" to have it remove all it finds.

CWShredder available from :-

http://www.aluriasoftware.com/tools/cwshredder.zip

please post a new hijackthis log after a reboo

alisapikaart

10 Posts

March 31st, 2004 00:00

I went to that website and didn't see anything about cwshredder to download, only software for sale...do I have to buy something for this?>???  I am broke, isn't there anything to download to fight this for free?

jwatt

4.4K Posts

March 31st, 2004 00:00

Clearly they've altered that site since Chris posted the link.

This one will fetch CWShredder.exe from www.spywareinfo.com.

Jim

ChrisRLG

3.9K Posts

March 31st, 2004 10:00

Yep another link to update.

Also available from www.zerosrealm.com/downloads.php

 

Was this post helpful?

View All

0 events found

No Events found!

Top