1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

ceres, among other things..

Discussion in 'Malware and Virus Removal Archive' started by arlieyoung, 2005/03/30.

Thread Status:
Not open for further replies.
  1. 2005/03/30
    arlieyoung

    arlieyoung Inactive Thread Starter

    Joined:
    2005/03/30
    Messages:
    10
    Likes Received:
    0
    Hello, I recently came across this forum and I think it's nice that you guys help people out like this. But let me get this straight, I can just post a HJT log and you can tell me which is spyware and virus's? That would be great, especiall if you could do that for me on my wife's computer(she downloads anything and everything and doesnt know anything! lol ) well just in case here is my HJT log..

    Logfile of HijackThis v1.99.1
    Scan saved at 11:31:47 AM, on 3/30/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Browser Mouse\mouse32a.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
    C:\WINDOWS\system32\sstray.exe
    C:\windows\system32\hqqwnb.exe
    C:\Program Files\Warez P2P Client\warez.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\program files\valve\steam\steam.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\windows\system32\packager.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\devnz\gbpvr\GBPVRTray.exe
    C:\Program Files\LimeWire\LimeWire.exe
    c:\program files\devnz\gbpvr\gbpvrrecordingservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\WINDOWS\system32\ap9h4qmo.exe
    C:\WINDOWS\system32\mobsync.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
    C:\HJT\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll
    O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\mc1.dll
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
    O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
    O4 - HKLM\..\Run: [Shellapi32] svcnet.exe
    O4 - HKLM\..\Run: [I/O Controllers] svcnet.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitesud32.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [hqqwnb] c:\windows\system32\hqqwnb.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
    O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{96BF9~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{96BF9~1\reboot.ini
    O4 - HKLM\..\RunOnce: [InstallShieldSetup1] C:\PROGRA~1\INSTAL~1\{F366D~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{F366D~1\reboot.ini
    O4 - HKLM\..\RunOnce: [ixob2.exe] C:\WINDOWS\System32\ixob2.exe /k
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
    O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
    O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - HKCU\..\RunOnce: [HPWebUpdate] "C:\Program Files\HP\HP Software Update\hpwucli.exe "
    O4 - HKCU\..\RunOnce: [ixob2.exe] C:\WINDOWS\System32\ixob2.exe /k
    O4 - Startup: GBPVRTray.exe.lnk = ?
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1111804922811
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: GB-PVR Recording Service - - c:\program files\devnz\gbpvr\gbpvrrecordingservice.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
     
    arlieyoung,
    #1
  2. 2005/03/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS arlieyoung :)

    Please scan you computer with HouseCall, reboot and post a new HJT log. Let us know if anything was found but not cleaned or deleted.
     
    noahdfear,
    #2


  3. to hide this advert.

  4. 2005/03/31
    arlieyoung

    arlieyoung Inactive Thread Starter

    Joined:
    2005/03/30
    Messages:
    10
    Likes Received:
    0
    so you're saying let housecall run and delete anything, but post what it doesnt delete?
     
    arlieyoung,
    #3
  5. 2005/03/31
    arlieyoung

    arlieyoung Inactive Thread Starter

    Joined:
    2005/03/30
    Messages:
    10
    Likes Received:
    0
    ok before i post the log, btw, i figured out what you meant.. here is what housecall couldnt delete or clean

    c:\windows\system32\hqqwnb.exe

    and here is the log...

    Logfile of HijackThis v1.99.1
    Scan saved at 6:16:39 PM, on 3/31/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Toolbar\TBPS.exe
    C:\PROGRA~1\Toolbar\PIB.exe
    c:\PROGRA~1\Toolbar\radio.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    c:\program files\devnz\gbpvr\gbpvrrecordingservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Toolbar\TBPSSvc.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\Browser Mouse\mouse32a.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINDOWS\system32\sstray.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\windows\system32\hqqwnb.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ap9h4qmo.exe
    C:\Program Files\Media Access\MediaAccK.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Media Access\MediaAccess.exe
    C:\WINDOWS\system32\patofmt.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\Program Files\Warez P2P Client\warez.exe
    C:\windows\system32\packager.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\program files\valve\steam\steam.exe
    C:\WINDOWS\system32\p2prmko.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\devnz\gbpvr\GBPVRTray.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\CxtPls\CxtPls.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll
    O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\mc1.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
    O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitesud32.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [hqqwnb] c:\windows\system32\hqqwnb.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe "
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [o74g39l] patofmt.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
    O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
    O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
    O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [ZwvmRVJFQ] p2prmko.exe
    O4 - HKCU\..\RunOnce: [ixob2.exe] C:\WINDOWS\system32\ixob2.exe /k
    O4 - Startup: GBPVRTray.exe.lnk = ?
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c338.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1111804922811
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: GB-PVR Recording Service - - c:\program files\devnz\gbpvr\gbpvrrecordingservice.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
    O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
    O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe



    :) :) :) thanks again for all the help...maybe we'll get to my wifes computer soon.... lol and i consider my computer squeaky clean compared to hers!!
     
    arlieyoung,
    #4
  6. 2005/03/31
    arlieyoung

    arlieyoung Inactive Thread Starter

    Joined:
    2005/03/30
    Messages:
    10
    Likes Received:
    0
    aagggh!! I cant stand the pop-ups!
     
    arlieyoung,
    #5
  7. 2005/03/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hang in there. I'm working on a fix for you. ;)
     
    noahdfear,
    #6
  8. 2005/03/31
    arlieyoung

    arlieyoung Inactive Thread Starter

    Joined:
    2005/03/30
    Messages:
    10
    Likes Received:
    0
    k, cool...thanks!! alot!!
     
    arlieyoung,
    #7
  9. 2005/03/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You should print this out and/or save it to text where you can access it in safe mode.

    Download Ad-aware SE Personal and Spybot 1.3 from my signature. Install and update both Programs. Allow Spybot to load SDHelper. We'll run them later.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll
    O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\mc1.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitesud32.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [hqqwnb] c:\windows\system32\hqqwnb.exe
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.ex e "
    O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe "
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [o74g39l] patofmt.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
    O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -hO4 - HKCU\..\Run: [ZwvmRVJFQ] p2prmko.exe
    O4 - HKCU\..\RunOnce: [ixob2.exe] C:\WINDOWS\system32\ixob2.exe /k
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.ht m (HKCU)
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D...bridge-c338.cab
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
    O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
    O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe


    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Either reboot and repeatedly tap F8 to enable the start menu and select safe mode, or go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Logon to your user account.

    Now in safe mode, you will need to show hidden files and folders, as well as system files and extensions for known file types.

    Open the saved text file, then open HijackThis to the Misc Tools section. Click the Delete an NT Service button. Copy the following from your text file and paste it into the window, then click OK.

    TBPSSvc

    Then do each of these.

    WinToolsSvc
    ZESOFT

    Close HijackThis.

    Open C:\Windows and delete the files farmmext.exe and zeta.exe

    Open C:\WINDOWS\system32 and delete the following files.
    elitesud32.exe
    hqqwnb.exe
    gah95on6.exe
    ap9h4qmo.exe
    patofmt.exe
    p2prmko.exe
    ixob2.exe

    Open C:\Program Files and delete the following folders.
    CxtPls
    Toolbar
    Ebates_MoeMoneyMaker
    Media Access
    BullsEye Network
    Internet Optimizer


    Open C:\Program Files\Common Files and delete the folder WinTools.
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content. Close Internet Options. Then, still in the control panel, open the Java Plug-in, click the cache tab and then clear.

    Open Spybot and run a scan. Fix everything it finds.
    Open Ad-aware and run in full scan mode. Delete all it finds.

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

    If you used msconfig, uncheck the /safeboot box and click ok to reboot. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log. Let us know if the popups have stopped or if you're having any other problems.
     
    noahdfear,
    #8
  10. 2005/04/01
    arlieyoung

    arlieyoung Inactive Thread Starter

    Joined:
    2005/03/30
    Messages:
    10
    Likes Received:
    0
    ok, i had quite a few problems(including that I already typed this out once and IE closed!! lol and I have to run RAV again). For about an hour now though there have no popups! thanks! SearchBar is still here but, here's what happened...

    Couldn't find them in the text file, so I just typed them in..It worked for ZESOFT but,
    Got the error "The service TBPSSvc is enabled and/or running. Disable it first, using HJT itself(from the scan results) or the Services.msc window "

    Perhaps I just missed them? Im almost positive though that I checked everything on the list..Same error for WinToolsSvc.

    A couple of files had .ini files with the same name(farmext.exe and ap9h4qmo.exe) so I deleted them as well. Also, the gah95on6.exe was a .ini file, but no .exe...


    Got error "Could not d/l common.dll, In use" other files in the folder as well such as TBPSSvc


    Could not delete WSup.exe>In use


    Well, Spybot had a few things at first run, but after I clicked fix.. in the middle of fixing it just randomly quit. No errors, messages, nothing. Just closed. Did this twice. So I ran Ad-aware. Files it could not delete are below. After that I ran Spybot again. Lesser files this time, but same problem happened.

    Ad-aware Could not Delete...

    C:\program files\toolbar\common.dll
    C:\program files\toolbar\nzqlihv.wzg
    C:\program files\toolbar\PIB.exe
    C:\program files\toolbar\radio.exe
    C:\program files\toolbar\TBPS.exe
    C:\program files\toolbar\toolbar.dll
    C:\program files\common files\wintools\Wsup.exe
    C:\program files\common files\wintools\WToolsA.exe
    C:\program files\common files\wintools\WToolsB.dll

    Below are Rav Report and another HJT report.....

    RAV
    Scan started at 4/1/2005 12:04:51 AM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Documents and Settings\Lee Young\Local Settings\Temporary Internet Files\Content.IE5\SJEBMF2T\WinTS[1].cab->WToolsS.exe - TrojanDownloader:Win32/Wintool.B -> Infected
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GPUFK52V\protector_update[10].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GPUFK52V\protector_update[11].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GPUFK52V\protector_update[1].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GPUFK52V\protector_update[2].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GPUFK52V\protector_update[3].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GPUFK52V\protector_update[4].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GPUFK52V\protector_update[5].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GPUFK52V\protector_update[6].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GPUFK52V\protector_update[7].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GPUFK52V\protector_update[8].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\Program Files\Common Files\WinTools\WToolsS.exe - TrojanDownloader:Win32/Wintool.B -> Infected
    C:\Program Files\CTpvr\ctpvrmgr.exe - Win32/Radix.B@mm -> Suspicious
    C:\Program Files\CTpvr\CTtv.exe - Win32/Radix.B@mm -> Suspicious
    C:\WINDOWS\system32\temperror32.dat - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4OCOINRU\protector_update[10].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4OCOINRU\protector_update[11].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4OCOINRU\protector_update[12].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4OCOINRU\protector_update[13].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4OCOINRU\protector_update[14].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4OCOINRU\protector_update[15].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4OCOINRU\protector_update[1].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4OCOINRU\protector_update[2].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4OCOINRU\protector_update[3].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4OCOINRU\protector_update[4].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4OCOINRU\protector_update[5].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4OCOINRU\protector_update[6].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4OCOINRU\protector_update[7].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4OCOINRU\protector_update[8].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4OCOINRU\protector_update[9].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5AW2DHX3\protector_update[10].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LUOPNIA2\protector_update[1].exe - Trojan:Win32/StartPage.NK -> Infected
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MIG8QK6N\protector_update[1].exe - Trojan:Win32/StartPage.NK -> Infected

    Scanned
    ============================
    Objects: 34096
    Directories: 2969
    Archives: 1288
    Size(Kb): -662260
    Infected files: 31

    Found
    ============================
    Viruses found: 2
    Suspicious files: 2
    Disinfected files: 0
    Mail files: 219
     
    Last edited: 2005/04/01
    arlieyoung,
    #9
  11. 2005/04/01
    arlieyoung

    arlieyoung Inactive Thread Starter

    Joined:
    2005/03/30
    Messages:
    10
    Likes Received:
    0
    ok, ill just try a new reply then.. first time tried to edit>windows explorer crashed..second time IE died hmm weird.. btw THANKS a million!

    HJT Log

    Logfile of HijackThis v1.99.1
    Scan saved at 12:39:54 AM, on 4/1/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\PROGRA~1\Toolbar\TBPS.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\PROGRA~1\Toolbar\PIB.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    c:\PROGRA~1\Toolbar\radio.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    c:\program files\devnz\gbpvr\gbpvrrecordingservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Browser Mouse\mouse32a.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINDOWS\system32\sstray.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\program files\valve\steam\steam.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\devnz\gbpvr\GBPVRTray.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\PROGRA~1\Toolbar\TBPSSvc.exe
    C:\HJT\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
    O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitesud32.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
    O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - Startup: GBPVRTray.exe.lnk = ?
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1111804922811
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: GB-PVR Recording Service - - c:\program files\devnz\gbpvr\gbpvrrecordingservice.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
    O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
     
    arlieyoung,
    #10
  12. 2005/04/01
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Are you scanning after bootin in Safe Mode? When the computer starts, keep pressing the F8 key until a boot menu appears, then use the up/down arrows to select Safe Mode (not safe mode w/ networking) and then press the enter key. Then run spybot, adaware etc)
     
    TonyT,
    #11
  13. 2005/04/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Run this Websearch removal tool from Symantec, then reboot.
    Open C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5, select all and delete.
    Open C:\WINDOWS\system32 and delete the file temperror32.dat
    Open C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5, select all and delete.
    Open C:\Program Files and delete the folders CTpvr and Toolbar if present.
    Open C:\Program Files\Common Files and delete the folder WinTools if present.
    Open Internet Options in the control panel and delete the temporary internet files, including offline content.
    Empty the recycle bin.

    Reboot, run Spybot, Ad-aware and RAV again, then post a new HJT log.
     
    noahdfear,
    #12
  14. 2005/04/01
    arlieyoung

    arlieyoung Inactive Thread Starter

    Joined:
    2005/03/30
    Messages:
    10
    Likes Received:
    0
    yes I was running in safe mode... I used msconfig..
     
    arlieyoung,
    #13
  15. 2005/04/01
    arlieyoung

    arlieyoung Inactive Thread Starter

    Joined:
    2005/03/30
    Messages:
    10
    Likes Received:
    0
    alrighty then...Spybot kept finding "HuntBar "(43 entries) and it could never fix them all, even on startup.. so i got to looking at them. Alot of it was the Wtools and Toolbar... The main things were the folder they were in and the registry key.. So I opened up Regedit..looked thru, and found a path for an uninstall .exe so i typed the full path in Run with the uninst at the end..and a window popped up for both with the program name that they were under and to uninstall them in Add/Remove programs.. Sure enough there they were.

    They were listed as Web Search Toolbar and Windows Tools(I think)
    ran spybot again after reboot fixed the remaining things..scan again>clean!

    ran adaware, it was able to delete everything..

    then RAV, only things there were the things in the recycle bin that i forgot to empty..

    oh, also, how do i get rid of the words that appear in green that appear as links? bottom right of screen they say sponsered link
    here's my HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 12:05:11 PM, on 4/1/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    c:\program files\devnz\gbpvr\gbpvrrecordingservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Browser Mouse\mouse32a.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINDOWS\system32\sstray.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\program files\valve\steam\steam.exe
    C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
    C:\Program Files\Warez P2P Client\warez.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\devnz\gbpvr\GBPVRTray.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\HJT\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
    O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitesud32.exe
    O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
    O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
    O4 - Startup: GBPVRTray.exe.lnk = ?
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1111804922811
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: GB-PVR Recording Service - - c:\program files\devnz\gbpvr\gbpvrrecordingservice.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe

    hopefully we're done with mine and can start on hers...
     
    arlieyoung,
    #14
  16. 2005/04/01
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    TonyT,
    #15
  17. 2005/04/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I fully agree with Tony. Fix those two entries with HJT, then delete the file if present in C:\Windows\System32.
    Fix these also;
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitesud32.exe
    Make sure the file and folder in red are gone. Check for and delete the msview folder in C:\Windows if present.
    Limewire is still listed as infected also. http://www.spywareinfo.com/articles/p2p/
    There are better alternatives listed in that link. If you uninstall it, uninstall the Warez P2P Client too and fix the following entries if still present.
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    Then delete the folders. Empty the recycle bin.

    You're the second person in as many days to report the Symantec tool didn't work. Bummer :( Had high hopes for it.

    The rest of the log looks good, so re-enable System Restore and create a manual restore point. Also recommend you open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it (always recheck this setting after downloading updates). Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly and watch for any protection being disabled. Then, still in Spybot, click the tools button, then IE tweaks and at least lock the HOSTS file.
    Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

    That will give you some added layers of protection against unwanted parasites.
     
    noahdfear,
    #16
Thread Status:
Not open for further replies.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...