
hijacked homepage

Discussion in 'Malware and Virus Removal Archive' started by ugostar, 2004/10/22.

Thread Status:
Not open for further replies.
  1. 2004/10/22
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    My home page seems to be hijacked by

    http://a-search.biz?wmid=1010

    I have run Ad-Aware and Spybot; nothing came up.
    When I run SpywareBlaster it always disables one protection, that being
    coolwebsearch (55).
    I check the box, close it, open it again and it has been disabled.
    My antivirus is Trend Micro Internet Security.

    Thank You

    Here is my log from HJT

    Logfile of HijackThis v1.98.2
    Scan saved at 1:09:19 AM, on 23/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\System32\TPSMain.exe
    C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\TPSBattM.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.EXE
    C:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Justin\My Documents\HijackThis.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\SpywareBlaster\spywareblaster.exe
    C:\Program Files\SpywareBlaster\spywareblaster.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by iiNet
    F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
    O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe "
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe "
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.iinet.net.au
     
  2. 2004/10/22
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    CoolWebSearch is a real bear to get rid of. Download and run CWShredder. It was developed to remove this particular critter and unless you have a really new version, it may fix you up.

    I didn't see anything exciting in your HJT log. At least one of the Toshiba pieces doesn't really need to be running at startup but it certainly isn't harmful.
     
    Newt,
    #2


  4. 2004/10/22
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    Thank you for your reply Newt.
    I downloaded CWShredder and ran it; it said that it did not find any CoolWebSearch on my system.
    When I open SpywareBlaster it still disables coolwebsearch (55) aifind.info.

    I have also noticed a file keeps popping up on my desktop called

    sysinfo

    When I delete it I find it in c/windows sysinfo; it keeps popping back.
    Here is a new log if it helps.

    Logfile of HijackThis v1.98.2
    Scan saved at 11:19:51 AM, on 23/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\System32\TPSMain.exe
    C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\TPSBattM.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\SpywareBlaster\spywareblaster.exe
    C:\Documents and Settings\Justin\My Documents\HijackThis.exe
    C:\Documents and Settings\Justin\My Documents\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by iiNet
    F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
    O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe "
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe "
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.iinet.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F240609B-5E5F-476E-B7BB-DD5EB715A3FF}: NameServer = 203.0.178.191


    Here is another HJT Log if it helps

    Thank you
     
  5. 2004/10/22
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  6. 2004/10/23
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    Thanks Lonny Jones.
    OK, I downloaded the Symantec FxAgentB.exe and the result was that it did not find anything on my computer.

    Symantec Backdoor.Agent.B Removal Tool 1.0.1.2


    C:\System Volume Information: (not scanned)
    Backdoor.Agent.B has not been found on your computer.



    When I run Ad-Aware now it always comes up with these two critical objects:

    Ad-Aware SE Build 1.05
    Logfile Created on:Saturday, 23 October 2004 4:20:06 PM
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R14 22.10.2004
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    MRU List(TAC index:0):13 total references
    Possible Browser Hijack attempt(TAC index:3):2 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Ad-Aware SE Settings
    ===========================
    Set : Search for negligible risk entries
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Scan registry for all users instead of current user only
    Set : Always try to unload modules before deletion
    Set : During removal, unload Explorer and IE if necessary
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Include alternate data stream details in log file
    Set : Play sound at scan completion if scan locates critical objects


    23-10-2004 4:20:06 PM - Scan started. (Full System Scan)

    Listing running processes
    Objects found so far: 13


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Trusted zone presumably compromised : aifind.info

    Possible Browser Hijack attempt Object Recognized!
    Type : Regkey
    Data :
    Category : Vulnerability
    Comment : Trusted zone presumably compromised : aifind.info
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aifind.info

    Possible Browser Hijack attempt Object Recognized!
    Type : RegValue
    Data :
    Category : Vulnerability
    Comment : Trusted zone presumably compromised : aifind.info
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aifind.info
    Value : *

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 2
    Objects found so far: 15


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 15



    Deep scanning and examining files (C:)
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Disk Scan Result for C:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 15


    Scanning Hosts file......
    Hosts file location: "C:\WINDOWS\system32\drivers\etc\hosts ".
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Hosts file scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    1 entries scanned.
    New critical objects:0
    Objects found so far: 15




    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 15

    4:26:52 PM Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:06:46.84
    Objects scanned:87732
    Objects identified:2
    Objects ignored:0
    New critical objects:2


    This sysinfo still keeps popping up on my desktop.


    Here is another HJT log.

    Logfile of HijackThis v1.98.2
    Scan saved at 4:40:36 PM, on 23/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\System32\TPSMain.exe
    C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\TPSBattM.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Justin\My Documents\HijackThis.exe
    C:\Documents and Settings\Justin\My Documents\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by iiNet
    F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
    O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe "
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe "
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.iinet.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F240609B-5E5F-476E-B7BB-DD5EB715A3FF}: NameServer = 203.0.178.191



    Thank you for your assistance.
     
  7. 2004/10/23
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello

    Fix this with HijackThis, then restart your PC:
    F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_

    Surf a few hours, then post a new HijackThis log.
     
  8. 2004/10/24
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    Thanks for the reply Lonny Jones.
    I did as you said: I checked the
    F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_
    then restarted the computer, did a scan, and it was back. So I checked it again, did a scan immediately, and it was back straight away.
    Here is my last log:


    Logfile of HijackThis v1.98.2
    Scan saved at 1:00:54 PM, on 24/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\System32\TPSMain.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\System32\TPSBattM.exe
    C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Justin\My Documents\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
    O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe "
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe "
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.iinet.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F240609B-5E5F-476E-B7BB-DD5EB715A3FF}: NameServer = 203.0.178.191

    Thank You
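The F2 UserInit entry Lonny Jones asked to fix in post #7, and its immediate return in post #8, are the kind of thing a small log triage script can check across scans. As an added example, not code from this thread or from HijackThis, the Python below parses HijackThis-style entry lines, flags any UserInit component other than userinit.exe (Windows launches every comma-separated item of that value at logon, so an extra item is a logon-time persistence point), and reports which entries the user told HijackThis to fix are still present in a later log. The sample log lines are constructed from the ones posted in this thread.

```python
"""Triage helper for HijackThis-style logs (added example, not a thread tool).

Parses the one-line-per-entry section of a HijackThis log, flags the F2
UserInit value when it names anything besides userinit.exe, and checks a later
log for entries that were "fixed" but came back, as happened in this thread.
"""
import re

# Constructed samples: a subset of the entry lines posted in the thread.
LOG_BEFORE = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.iinet.net.au
F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iinet.net.au
"""

# Log taken after the user told HijackThis to fix the F2 line and rebooted.
LOG_AFTER = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
"""

# HijackThis entry lines look like "O4 - <body>", "F2 - <body>", "R1 - <body>".
ENTRY_RE = re.compile(r"^(?P<code>[RFON]\d+) - (?P<body>.*)$")


def parse_entries(log_text):
    """Return (code, body) tuples for every HijackThis entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def userinit_extras(log_text):
    """Items in the F2 UserInit value other than userinit.exe itself.

    Winlogon runs each comma-separated item of UserInit at logon, so anything
    beyond the stock userinit.exe deserves a look. Returns a list of item
    strings, e.g. ['_huytam_'] for the log in this thread.
    """
    extras = []
    for code, body in parse_entries(log_text):
        if code != "F2":
            continue
        m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
        if not m:
            continue
        for item in m.group(1).split(","):
            item = item.strip()
            if item and not item.lower().endswith("userinit.exe"):
                extras.append(item)
    return extras


def still_present(log_text, fixed_lines):
    """Which of the lines the user told HijackThis to fix appear in a later log.

    A non-empty result after a reboot means something restored the entry,
    which is the signal to look for a watchdog process or a second copy of
    the setting rather than fixing the same line again.
    """
    present = {f"{code} - {body}" for code, body in parse_entries(log_text)}
    return [line for line in fixed_lines if line.strip() in present]


def triage(before_text, after_text, fixed_lines):
    """Summarise both checks for a before/after pair of logs."""
    return {
        "userinit_extras_before": userinit_extras(before_text),
        "userinit_extras_after": userinit_extras(after_text),
        "fixed_but_back": still_present(after_text, fixed_lines),
    }


if __name__ == "__main__":
    fixed = ["F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_"]
    for key, value in triage(LOG_BEFORE, LOG_AFTER, fixed).items():
        print(f"{key}: {value}")
```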
     
  9. 2004/10/24
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Are you still seeing a-search.biz?

    Download : autoruns
    http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

    Run it. In the "View" top menu,
    select (check)
    [X] Show AppInit DLLs
    [X] Show Services and
    [X] Show Windows logon notifications

    And uncheck "Show all locations".

    Be sure only those three are checked. Go
    to the "Entry" menu, 'Copy to clipboard' and paste it here!...
    Note: The check boxes on the left should all be left alone!
    It's the top "View" menu only that's needed!
     
  10. 2004/10/24
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    Yes, I am still seeing a-search.biz.

    I downloaded Autoruns, checked the boxes, and here it is. I hope I did it correctly. By the way, when I went to open Autoruns after downloading it,
    that sysinfo file popped up.

    Please let me know if this is not correct.



    HKLM\System\CurrentControlSet\Services
    + AudioSrv Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
    + BITS Uses idle network bandwidth to transfer data. Microsoft Corporation c:\windows\system32\svchost.exe
    + Browser Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
    + CFSvcs Service of ConfigFree. (Not verified) TOSHIBA CORPORATION c:\program files\toshiba\configfree\cfsvcs.exe
    + CryptSvc Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
    + Dhcp Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Corporation c:\windows\system32\svchost.exe
    + dmserver Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
    + Dnscache Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
    + DVD-RAM_Service Service of RAMAsst for Windows XP (Not verified) Matsushita Electric Industrial Co., Ltd. c:\windows\system32\dvdramsv.exe
    + ERSvc Allows error reporting for services and applictions running in non-standard environments. Microsoft Corporation c:\windows\system32\svchost.exe
    + Eventlog Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Microsoft Corporation c:\windows\system32\services.exe
    + helpsvc Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
    + lanmanserver Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
    + lanmanworkstation Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
    + LmHosts Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Microsoft Corporation c:\windows\system32\svchost.exe
    + MDM Manages local and remote debugging for Visual Studio debuggers (Not verified) Microsoft Corporation c:\program files\common files\microsoft shared\vs7debug\mdm.exe
    + Messenger Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
    + PccPfw Manages the Trend Micro Personal Firewall. (Not verified) Trend Micro Incorporated. c:\program files\trend micro\internet security\pccpfw.exe
    + PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Microsoft Corporation c:\windows\system32\services.exe
    + PolicyAgent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Microsoft Corporation c:\windows\system32\lsass.exe
    + ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Microsoft Corporation c:\windows\system32\lsass.exe
    + RegSrvc RegSrvc Module (Not verified) Intel Corporation c:\windows\system32\regsrvc.exe
    + RemoteRegistry Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
    + RpcSs Provides the endpoint mapper and other miscellaneous RPC services. Microsoft Corporation c:\windows\system32\svchost.exe
    + S24EventMonitor Event Monitor - Supports driver extensions to NIC Driver for wireless adapters. (Not verified) Intel Corporation c:\windows\system32\s24evmon.exe
    + SamSs Stores security information for local user accounts. Microsoft Corporation c:\windows\system32\lsass.exe
    + Schedule Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
    + seclogon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
    + SENS Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Microsoft Corporation c:\windows\system32\svchost.exe
    + ShellHWDetection Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
    + Spooler Loads files to memory for later printing. Microsoft Corporation c:\windows\system32\spoolsv.exe
    + srservice Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties Microsoft Corporation c:\windows\system32\svchost.exe
    + Themes Provides user experience theme management. Microsoft Corporation c:\windows\system32\svchost.exe
    + Tmesrv TOSHIBA MobileExtension Service (Not verified) TOSHIBA c:\program files\toshiba\tme3\tmesrv31.exe
    + Tmntsrv Enables scanning in real time. (Not verified) Trend Micro Incorporated. c:\program files\trend micro\internet security\tmntsrv.exe
    + tmproxy Manages the Trend Micro tmtdi module. (Not verified) Trend Micro Incorporated. c:\program files\trend micro\internet security\tmproxy.exe
    + TrkWks Maintains links between NTFS files within a computer or across computers in a network domain. Microsoft Corporation c:\windows\system32\svchost.exe
    + UMWdf Enables Windows user mode drivers. (Not verified) Microsoft Corporation c:\windows\system32\wdfmgr.exe
    + uploadmgr Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
    + W32Time Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
    + WebClient Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe
    + winmgmt Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe
    + wuauserv Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. Microsoft Corporation c:\windows\system32\svchost.exe
    + WZCSVC Provides automatic configuration for the 802.11 adapters Microsoft Corporation c:\windows\system32\svchost.exe
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    + cscdll Offline Network Agent Microsoft Corporation c:\windows\system32\cscdll.dll
    + ScCertProp Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
    + Schedule Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
    + Sebring LogonNotify DLL (Not verified) Intel Corporation c:\windows\system32\lgnotify.dll
    + SensLogn Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
    + termsrv Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
    + wlballoon Common DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    + _huytam_ c:\windows\system32\_huytam_.exe
    + Userinit.exe Userinit Logon Application Microsoft Corporation c:\windows\system32\userinit.exe
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    + Explorer.exe explorer (Not verified) c:\windows\system32\explorer.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    + 000StTHK c:\windows\system32\000stthk.exe
    + 00THotkey THotkey (Not verified) TOSHIBA Corporation c:\windows\system32\00thotkey.exe
    + AGRSMMSG SoftModem Messaging Applet (Not verified) Agere Systems c:\windows\agrsmmsg.exe
    + Apoint Alps Pointing-device Driver (Not verified) Alps Electric Co., Ltd. c:\program files\apoint2k\apoint.exe
    + dla Drive Letter Access Component (Not verified) Sonic Solutions c:\windows\system32\dla\tfswctrl.exe
    + HotKeysCmds hkcmd Module (Not verified) Intel Corporation c:\windows\system32\hkcmd.exe
    + IgfxTray igfxTray Module (Not verified) Intel Corporation c:\windows\system32\igfxtray.exe
    + pccguide.exe PCCGuide (Not verified) Trend Micro Incorporated. c:\program files\trend micro\internet security\pccguide.exe
    + PCClient.exe PCClient (Not verified) Trend Micro Incorporated. c:\program files\trend micro\internet security\pcclient.exe
    + PRONoMgr.exe PRONotifyMgr Module (Not verified) Intel(R) Corporation c:\program files\intel\prosetwireless\ncs\proset\pronomgr.exe
    + SigmaTel StacMon (Not verified) SigmaTel Inc. c:\program files\sigmatel\sigmatel ac97 audio drivers\stacmon.exe
    + SmoothView SmoothView (Not verified) TOSHIBA Corporation c:\program files\toshiba\toshiba zooming utility\smoothview.exe
    + TFncKy TFncKy (Not verified) TOSHIBA Corporation C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    + TFNF5 TFnF5 (Not verified) TOSHIBA Corp. c:\windows\system32\tfnf5.exe
    + TM Outbreak Agent TrendMicro Outbreak agent (Not verified) Trend Micro Incorporated. c:\program files\trend micro\internet security\tmoagent.exe
    + TMERzCtl.EXE TMERzCtl (Not verified) TOSHIBA c:\program files\toshiba\tme3\tmerzctl.exe
    + TMESRV.EXE TOSHIBA MobileExtension Service (Not verified) TOSHIBA c:\program files\toshiba\tme3\tmesrv31.exe
    + TouchED TouchPad On/Off Utility (Not verified) TOSHIBA Corporation c:\program files\toshiba\touched\touched.exe
    + TPSMain C:\Program Files\TOSHIBA\Power Saver\TPSMain.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    + Microsoft Office OneNote 2003 Quick Launch.lnk Microsoft Office OneNote Quick Launcher Microsoft Corporation c:\program files\microsoft office\office11\onenotem.exe
    + Microsoft Office.lnk Microsoft Office XP component (Not verified) Microsoft Corporation c:\program files\microsoft office\office10\osa.exe
    + RAMASST.lnk CD Burning of Windows XP disabling tool for DVD MULTI Drive (Not verified) Matsushita Electric Industrial Co., Ltd. c:\windows\system32\ramasst.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    + ctfmon.exe CTF Loader Microsoft Corporation c:\windows\system32\ctfmon.exe
     
  11. 2004/10/24
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello
    If possible, put this file in a zip:
    c:\windows\system32\_huytam_.exe
    Password it and send >To This address<

    I will make sure an expert or two get a look.
     
  12. 2004/10/24
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    Hi Lonny, I appreciate your persistence. I just cannot find

    c:\windows\system32\_huytam_.exe

    I have looked in c:\windows\system32 and I have done searches, etc. The only place I find it is in Autoruns and in the HJT scan. Please advise of the next step.

    Thank You
     
  13. 2004/10/24
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    I should have mentioned it will probably be hidden.
    Set Windows to show hidden files:
    Open any folder > Tools > Folder Options - View [tab]:
    Scroll down to the "Files and Folders" section.
    Select: "Display the contents of system folders".
    Select: "Show hidden files and folders", OK the prompt.
    Uncheck: "Hide file extensions for known file types".
    Uncheck: "Hide protected operating system files", OK the prompt, click Apply.
    Click the "Apply to all Folders" button. Close Windows Explorer.
     
  14. 2004/10/24
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Oops. Lonny - I didn't even notice the line until you pointed it out.

    The only places I can find other mentions of it are like this one, and they recommend fixing/removing it.

    The only problem I can see with just doing that is the way the line is written: userinit.exe is calling that entry at startup, which means there are probably more parts of it on the PC.

    If you did much searching, you probably found the same thing that I did: a couple of references to it from Singapore (but nothing specific - just the huytam name), and quite a few Vietnamese hits, since Huy Tam is a music group and a reasonably common part of people's names.

    I'd have to suggest removing the entry and looking around for any name matches on the PC and removing them as well, unless it turns out to be related to Huy Tam mp3 files or something.
     
  15. 2004/10/24
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    Hi Lonny, thanks again.
    OK, I did what you said to show hidden files, then I did a search and, surprise, huytam showed up in

    c:\WINDOWS\Prefetch

    When I opened that file it has the huytam and all those sysinfo and the new stop.exe files that keep popping up.

    Lonny, I do not know how to password it and send it to you. Would you like me to post the contents of the prefetch file here, or will you explain how to do it?

    I don't know what the prefetch file is, but it seems to have a lot of my problems in it.

    Please advise, and thank you.
     
  16. 2004/10/24
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Someone suggested it might be a dll, not an exe,
    so for now see if you can find anything with these names:
    _huytam_.exe
    _huytam_.dll
    or what do you find searching for just huytam?
    Don't worry about any in the prefetch folders; we are concerned only when found elsewhere.
    Hi Newt, yes, someone pointed me to that thread :)
     
  17. 2004/10/24
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    OK, let's go at it this way; don't worry about sending the files.

    Just because you cannot see or find it doesn't mean it doesn't exist.

    Download KillBox
    http://download.broadbandmedic.com/Killbox.exe

    Close all open programs, windows and browsers.
    Double-click Killbox.exe.

    In the "Full path or file to delete" box, paste the following:

    c:\windows\system32\_huytam_.exe

    Select the option "End explorer shell while killing file".
    Next: press the Red X button.
    You should get a message that the file was either deleted or not.

    Note: If your desktop does not come back, go to the KillBox Menu
    under Tools and click "Start Explorer shell".

    If you see the "could not delete" message ...
    Repeat the above and use the "Delete on boot" option.

    Restart the PC and make/post a new log from HijackThis.
     
  18. 2004/10/24
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    Hi again, sorry to be a pain.
    I downloaded KillBox. When I put in the file name, it says the file does not seem to exist, so I did a search for huytam in all different variations and this is the one result I always get:

    _HUYTAM_.EXE-OBEAE4A6.pf in folder c:\WINDOWS\Prefetch

    Does that help?

    Thank You
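What the Prefetch hit means, as an added example (not code or text from anyone in the thread): Windows XP writes a file named NAME-HASH.pf into the Prefetch folder once a program has run, and HASH is a checksum of the executable's full device path. The entry is therefore evidence that _huytam_.exe executed, not a copy of it, and because the hash depends on the path, candidate directories can be tested against it to learn where the binary lived even after the file itself is gone. The hash routine below is the published XP/2003 prefetch path hash (the SCCA "version 17" algorithm); the volume name \DEVICE\HARDDISKVOLUME1 and the candidate directory list are assumptions, and the posted name _HUYTAM_.EXE-OBEAE4A6.pf has a letter O where only a hex digit can appear, so the script reads it as 0BEAE4A6 and treats that reading as an assumption too.

```python
"""Recover where a prefetched executable lived from its .pf file name.

Added example for this thread, not part of the original posts.  The hash
is the published Windows XP/2003 prefetch path hash (SCCA version 17);
the volume name and candidate directories are assumptions.
"""
import re

# NAME-HASH.pf, where HASH is eight hex digits (XP always writes hex).
PF_NAME_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.I)


def parse_pf_name(name):
    """Split '_HUYTAM_.EXE-0BEAE4A6.pf' into ('_HUYTAM_.EXE', 0x0BEAE4A6)."""
    m = PF_NAME_RE.match(name)
    if not m:
        raise ValueError("not an XP prefetch file name: %r" % name)
    return m.group("exe").upper(), int(m.group("hash"), 16)


def xp_prefetch_hash(device_path):
    """SCCA v17 hash of an upper-case NT device path, as used by XP/2003.

    The input is the full path as the kernel sees it, for example
    \\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE.
    """
    h = 0
    for ch in device_path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    h = (h * 314159269) & 0xFFFFFFFF
    if h > 0x80000000:
        h = 0x100000000 - h
    return h % 1000000007


def locate_candidates(pf_name, directories, volume=r"\DEVICE\HARDDISKVOLUME1"):
    """Return (exe, [device paths whose hash matches the .pf name]).

    Every directory is tried with the executable name appended; a match
    tells you where the binary was when it ran, which is the path to hand
    to a delete-on-boot tool when the file is hidden from a normal search.
    """
    exe, wanted = parse_pf_name(pf_name)
    hits = []
    for d in directories:
        path = "%s\\%s\\%s" % (volume, d.strip("\\"), exe)
        if xp_prefetch_hash(path) == wanted:
            hits.append(path)
    return exe, hits


if __name__ == "__main__":
    posted = "_HUYTAM_.EXE-0BEAE4A6.pf"  # assumed reading of the posted name
    # Assumed candidate locations; extend with anything else on the box.
    dirs = [r"\WINDOWS", r"\WINDOWS\SYSTEM32", r"\WINDOWS\SYSTEM",
            r"\WINDOWS\TEMP", r"\TEMP"]
    exe, hits = locate_candidates(posted, dirs)
    print(exe, hits or "no candidate directory matched; try other volumes/dirs")
```

A match depends on guessing both the volume name and the directory, so a miss only means the list was incomplete; the .pf file itself is harmless and can be deleted once the binary it points at has been dealt with.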
     
  19. 2004/10/24
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    OK

    This time do the kill on reboot option.
    Paste in these files one at a time:
    c:\windows\system32\_huytam_.exe , hit the red X
    (cancel the message to reboot for now after each file)
    c:\WINDOWS\Prefetch\_HUYTAM_.EXE-OBEAE4A6.pf
    c:\windows\system32\_huytam_.dll

    Exit KillBox; don't restart the PC yet.

    Run HijackThis and fix that item:
    F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_

    Now restart the PC and when back, make and post a new log.
     
  20. 2004/10/25
    ugostar

    ugostar Inactive Thread Starter

    Joined:
    2003/03/01
    Messages:
    98
    Likes Received:
    0
    Hi again

    Done the KillBox on reboot thing.
    Restarted the computer, did a search for huytam, nothing found.

    I am still getting that file popping up on my desktop, but it is called

    stop.exe now instead of sysinfo

    Here is my latest HJT log; as you can see the F2 is still there.


    Logfile of HijackThis v1.98.2
    Scan saved at 1:08:48 PM, on 25/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\System32\TPSMain.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\TPSBattM.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Justin\My Documents\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: UserInit=Userinit.exe,
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
    O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe "
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe "
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.iinet.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F240609B-5E5F-476E-B7BB-DD5EB715A3FF}: NameServer = 203.0.178.191

    Thank You
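The log above, triaged by script: an added example, not code from HijackThis or from anyone in the thread. It reads the F2 Userinit value the way Winlogon does (a comma-separated list, every entry launched at logon, so the clean value is userinit.exe followed by a trailing comma and nothing else, which is what the post-fix line above shows and why the pre-fix line, with _huytam_ after the comma, was the persistence), then flags O4 Run entries that name a bare file instead of a full path and any O17 per-interface NameServer override. SAMPLE_LOG is built from lines posted in this thread (the pre-fix F2 line Lonny quoted, plus lines from the log above); the rules themselves (only userinit.exe belongs in Userinit, Run entries should be full paths, a NameServer must belong to the ISP) are this example's own assumptions, not HijackThis rules. A bare name in a Run key is normal for OEM hotkey utilities, so that flag means only "confirm which file on the search path it resolves to", and the 203.0.178.191 address is reported for checking against the ISP, not judged.

```python
"""Triage a HijackThis 1.98 log for Winlogon/Run persistence.

Added example for this thread; not code from HijackThis or from anyone in
the thread.  SAMPLE_LOG is assembled from lines posted in the thread; the
rules applied are this example's own assumptions.
"""
import re

# Constructed sample: the pre-fix F2 line plus O4/O17 lines from the posted log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F240609B-5E5F-476E-B7BB-DD5EB715A3FF}: NameServer = 203.0.178.191
""".strip()

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): "
                   r"(?:\[(?P<name>[^\]]+)\] (?P<cmd>.*)|(?P<lnk>.+?\.lnk) = (?P<target>.*))$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
FULL_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")   # drive letter or UNC
EXE_RE = re.compile(r"(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.I)


def userinit_extras(value):
    r"""Entries in the Userinit value other than userinit.exe.

    Winlogon splits the value on commas and launches every entry at logon.
    The clean XP value is C:\WINDOWS\system32\userinit.exe followed by a
    trailing comma and nothing else (HijackThis shows it as "Userinit.exe,").
    A bare extra name is looked up in System32, which is how _huytam_
    appeared as c:\windows\system32\_huytam_.exe in the Autoruns listing.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        basename = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename == "userinit.exe":
            continue
        extras.append(entry)
    return extras


def exe_of(command):
    """First executable on a Run-key command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]).strip()
    m = EXE_RE.match(command)
    return m.group(1) if m else (command.split() or [""])[0]


def parse_o4(line):
    """Break an O4 line into where it lives, its name, and the executable it runs."""
    m = O4_RE.match(line)
    if not m:
        return None
    if m.group("lnk"):
        name, command = m.group("lnk"), m.group("target")
    else:
        name, command = m.group("name"), m.group("cmd")
    exe = exe_of(command)
    return {"where": m.group("where"), "name": name, "command": command,
            "exe": exe, "full_path": bool(FULL_PATH_RE.match(exe))}


def triage(log_text):
    """Return the findings a remover would check first, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        f2 = F2_RE.match(line)
        if f2:
            for extra in userinit_extras(f2.group("value")):
                findings.append({"section": "F2", "detail": extra,
                                 "reason": "extra Userinit entry, launched by Winlogon at every logon"})
            continue
        o4 = parse_o4(line)
        if o4:
            if not o4["full_path"]:
                findings.append({"section": "O4", "detail": o4["exe"],
                                 "reason": "bare file name, resolved via the search path; confirm which file it hits"})
            continue
        o17 = O17_RE.match(line)
        if o17:
            findings.append({"section": "O17", "detail": o17.group("servers"),
                             "reason": "per-interface DNS override; confirm the address belongs to the ISP"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-3s %-28s %s" % (f["section"], f["detail"], f["reason"]))
```

Run against the log above after the KillBox pass, the F2 line yields no extras, which is what "fixed" looks like for that entry; the remaining findings are the bare OEM names and the DNS override, both of which need a look rather than a delete.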
     
  21. 2004/10/25
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi, can you send me a copy of stop.exe please, in a zipped file?
    No need to password it; just rename the file first, for example
    stop.exe > stop.OLD

    Next do a file search for each of these and tell us if they're found and where:
    FFRIFNM.exe
    FFRIRFNM.dll
    _huytam_.dll
    _huytam_ex_
    _huytam_.exe
    AORIIDDB.dll
    eeee.exe
    MFABBRNE.dll
    pppchecker.exe
    PSOSPJRS.dll
    stop.exe


    Then take the time to get two free online scans.
    BitDefender AntiVirus Free Scan: check all boxes except [ ]auto clean!!,
    then have it delete the files if it cannot clean/repair/cure them;
    turn off any popup blockers before accessing the site:
    http://www.bitdefender.com/scan/licence.php

    Panda ActiveScan - free online scanner:
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    If there are any problems, copy their reports back here please.
     