|
|||||||
 |
|
|
LinkBack | Thread Tools | Search this Thread | Rate Thread | Display Modes |
05-26-2004, 11:23 PM
|
#1 |
|
Member (9 bit)
Join Date: May 2003
Location: California
Posts: 300
   |
spyware?
ok so i scan with spybot 1.3 and it says i got spyware and cant remove it unless i restart my computer so i do that and its gone or i have some otehr spyware totally different. does the spyware just go away or something?
|
|
|
|
05-26-2004, 11:39 PM
|
#2 |
|
Barefoot on the Moon!
Staff
Premium Member
Join Date: Aug 2002
Location: Northeastern USA
Posts: 13,805
|
Try running Adaware. If one of these two programs isn't taking care of the problem, the other usually does.
__________________
There are two secrets to staying young, being happy, and achieving success. You have to laugh and find humor every day, and you have to have a dream.
|
|
|
|
|
05-26-2004, 11:44 PM
|
#3 |
|
Member (9 bit)
Join Date: May 2003
Location: California
Posts: 300
|
yea thats what i doing currently. ill see if it pulls it up again if not what up then?
|
|
|
|
|
05-28-2004, 10:40 PM
|
#4 |
|
Barefoot on the Moon!
Staff
Premium Member
Join Date: Aug 2002
Location: Northeastern USA
Posts: 13,805
|
Could be a virus/worm/trojan. On a few of the really bad computers I've had to clean off, those two programs have picked up klez and a couple of others, but couldn't get rid of them on their own. AV software killed them, though.
|
|
|
|
|
05-28-2004, 10:43 PM
|
#5 |
|
Member (9 bit)
Join Date: May 2003
Location: California
Posts: 300
|
hmm i had av but it didnt seem to clean any of my stuff
|
|
|
|
|
05-28-2004, 10:51 PM
|
#6 |
|
Member (13 bit)
Join Date: Aug 2003
Location: Richmond, VA
Posts: 7,835
|
What AV do you have? Norton? McAfee? Either way, try running Housecall - an online AntiVirus scanning service.
kram
__________________
"For today, goodbye. For tomorrow, good luck. And forever, Go Blue!"
University of Michigan President Mary Sue Coleman |
|
|
|
|
05-28-2004, 10:52 PM
|
#7 |
|
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
|
Please do this. Click here to download Hijack This. Save it to it’s own folder (not temporary files or the desktop).
Close all open windows and open HIJACK THIS. Click “Scan” . When the scan is finished (it only takes a second), the scan button will change to“Save Log”. Click on“Save Log” and save it to NotePad. Copy the entire log and paste it here. DO NOT FIX ANYTHING YET , most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise. |
|
|
|
|
05-28-2004, 11:05 PM
|
#8 |
|
Member (9 bit)
Join Date: May 2003
Location: California
Posts: 300
|
here whats i have
Logfile of HijackThis v1.97.7 Scan saved at 9:05:12 PM, on 5/28/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\msCMTSrvc.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\fxssvc.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\Explorer.EXE C:\windows\system\hpsysdrv.exe C:\HP\KBD\KBD.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe C:\WINDOWS\mxshx.exe C:\Program Files\Messenger Plus! 3\MsgPlus.exe C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE C:\PROGRA~1\INCRED~1\bin\IMApp.exe C:\Program Files\Trillian\trillian.exe C:\Program Files\AIM95\aim.exe C:\Program Files\Winamp\winamp.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Evo.COMPO\Desktop\Evo\Tiny Key\KeyCount.exe C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe C:\Program Files\Messenger\msmsgs.exe C:\Documents and Settings\Evo.COMPO\Desktop\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-EEFD-ED6DB186CE4D} - C:\WINDOWS\DOWNLO~1\404SEA~1.DLL O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {FA44D979-9A32-431A-BDB7-8C6939433DC2} - C:\WINDOWS\hqvplt.dll O2 - BHO: (no name) - {FABB0E5E-882F-4A14-973E-2BB7C3EE79B5} - C:\WINDOWS\zmlf.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: (no name) - {D0762A88-70D6-481C-BCA0-EEFDE125F519} - (no file) O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe" O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [HRJWEOZ] C:\WINDOWS\HRJWEOZ.exe O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [VCFMTZGMT] C:\WINDOWS\VCFMTZGMT.exe O4 - HKLM\..\Run: [BOVFPVC] C:\WINDOWS\BOVFPVC.exe O4 - HKLM\..\Run: [FCIMSZGMT] C:\WINDOWS\FCIMSZGMT.exe O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [tbymas] C:\WINDOWS\mxshx.exe O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe" O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [IMArchive_Start] C:\Program Files\IMArchive\IMArchive.exe O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.88-big.dll/cmtrans.html O9 - Extra button: Yahoo! Login (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: AIM (HKLM) O9 - Extra button: MoneySide (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net O16 - DPF: JT's Blocks - http://download.games.yahoo.com/game...s/y/blt1_x.cab O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/game...ts/y/vtm_x.cab O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmg...C_1_0_0_41.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...867.8523842593 O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/budicon.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...23/mcfscan.cab |
|
|
|
|
05-28-2004, 11:17 PM
|
#9 |
|
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
|
give me a sec to go through your log
|
|
|
|
|
05-28-2004, 11:19 PM
|
#10 |
|
Member (9 bit)
Join Date: May 2003
Location: California
Posts: 300
|
ok
|
|
|
|
|
05-28-2004, 11:45 PM
|
#11 |
|
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
|
ok Took me longer then a sec
First Create a folder just for hijack this reason it makes backups once it runs smoothly you can delete the backups you may want to copy this to notepad so when you go into safe mode HijackThis is not able to remove this line so do this R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) Download Registrar Lite Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor. Copy and paste the follow text into the address bar, then hit 'Go': HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks In the pane on the right are the values associated with that key. We want to remove this one -> _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} Notice the underscore at the end, all the others with that need to go as well. Right click on it, and select delete. If you get a confirmation question, respond OK then close out the program download this just in case you have webhancer http://www.cexx.org/lspfix.htm if you lose internet connection then ust this next -------------------------------------------------------------------------- uninstall these Gozilla webhancer Run hijack this put a check next to these close all browsers and hit fix Make sure not to miss one R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/ O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-EEFD-ED6DB186CE4D} - C:\WINDOWS\DOWNLO~1\404SEA~1.DLL O2 - BHO: (no name) - {FA44D979-9A32-431A-BDB7-8C6939433DC2} - C:\WINDOWS\hqvplt.dll O2 - BHO: (no name) - {FABB0E5E-882F-4A14-973E-2BB7C3EE79B5} - C:\WINDOWS\zmlf.dll O3 - Toolbar: (no name) - {D0762A88-70D6-481C-BCA0-EEFDE125F519} - (no file) O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe" O4 - HKLM\..\Run: [HRJWEOZ] C:\WINDOWS\HRJWEOZ.exe O4 - HKLM\..\Run: [VCFMTZGMT] C:\WINDOWS\VCFMTZGMT.exe O4 - HKLM\..\Run: [BOVFPVC] C:\WINDOWS\BOVFPVC.exe O4 - HKLM\..\Run: [FCIMSZGMT] C:\WINDOWS\FCIMSZGMT.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [tbymas] C:\WINDOWS\mxshx.exe O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe" O4 - HKCU\..\Run: [IMArchive_Start] C:\Program Files\IMArchive\IMArchive.exe O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlm...DC_1_0_0_41.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...ArcadeRdxIE.cab O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/budicon.cab ----------------------------------------------------------------------------------------------------------------------------------- Next Open My Computer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click"Apply to all folders" Click "Apply" then "OK reboot into safe mode How to boot into safe mode delete what is in Bold C:\Program Files\WebHancer folder these files C:\WINDOWS\VCFMTZGMT.exe C:\WINDOWS\BOVFPVC.exe C:\WINDOWS\FCIMSZGMT.exe C:\WINDOWS\xshx.exe C:\WINDOWS\HRJWEOZ.exe come back and post a fresh log Last edited by Lobos; 05-28-2004 at 11:49 PM. |
|
|
|
|
| Bookmarks |
| Thread Tools | Search this Thread |
| Display Modes | Rate This Thread |
|
|
Linear Mode
