
"heretofind"

Discussion in 'Malware and Virus Removal Archive' started by kilroy4605, 2004/10/17.

Thread Status:
Not open for further replies.
  1. 2004/10/17
    kilroy4605

    kilroy4605 Inactive Thread Starter

    Joined:
    2004/10/17
    Messages:
    2
    Likes Received:
    0
    My Superporn.exe problem

    Could you please help with my superporn.exe problem. This is my report after running Spybot and a couple of other spyware programs. This is the plugin variant.

    Thanks in advance for your help.

    Logfile of HijackThis v1.98.2
    Scan saved at 10:43:22 PM, on 10/17/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINNT\System32\NALNTSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\SYSTEM32\THOTKEY.EXE
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wm.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\NOVELL\ZENRC\wuser32.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\toshiba\ivp\ISM\pinger.exe
    C:\WINNT\System32\dpmw32.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\WINNT\System32\mmuxyw.exe
    C:\WINNT\System32\systime.exe
    C:\WINNT\updatetc.exe
    C:\WINNT\System32\NWTRAY.EXE
    C:\WINNT\System32\ctfmon.exe
    C:\spywarebegone\SpywareBeGone.exe
    C:\Documents and Settings\ldwilson\Application Data\ctee.exe
    C:\WINNT\System32\w?nspool.exe
    C:\winnt\winln.exe
    C:\WINNT\System32\systime.exe
    C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
    C:\Program Files\America Online 9.0a\waol.exe
    C:\Program Files\America Online 9.0a\shellmon.exe
    C:\Program Files\Common Files\Aol\aoltpspd.exe
    C:\Documents and Settings\ldwilson\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ISM\pinger.exe /run
    O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [apoljftq] C:\WINNT\System32\mmuxyw.exe
    O4 - HKLM\..\Run: [SysTime] C:\WINNT\System32\systime.exe
    O4 - HKLM\..\Run: [tpcupdater] C:\WINNT\updatetc.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Begone] C:\spywarebegone\SpywareBeGone.exe -FastScan
    O4 - HKCU\..\Run: [Aram] C:\Documents and Settings\ldwilson\Application Data\ctee.exe
    O4 - HKCU\..\Run: [Zsayygv] C:\WINNT\System32\w?nspool.exe
    O4 - HKCU\..\Run: [winltmpv] c:\winnt\winln.exe
    O4 - HKCU\..\Run: [SysTime] C:\WINNT\System32\systime.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Corel Network monitor worker - {01C61943-B8E7-46D3-B853-D4802269A078} - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Corel Network monitor worker - {01C61943-B8E7-46D3-B853-D4802269A078} - (no file) (HKCU)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.windupdates.com
    O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-6.0.0.25/holdem/holdem-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.9.4.30/whackdown/whackdown-ob-assets.cab
    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://download.iwon.com/ct/pm3/iwonpm_8_1,0,2,5.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINNT\msxml4.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_02) - http://kronos.crc/wfc/plugins/j2re-1_3_1_02-win.exe
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B9DD8D9F-A42B-4410-863A-A2408FD5BA41}: NameServer = 198.81.19.4
     
  2. 2004/10/18
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello kilroy4605, welcome to Windows BBS.

    Where do you see superporn.exe?

    Download CWShredder 1.59.1
    http://www.allsecpros.com/cws.html
    Don't use it just yet.

    It's best if you make a folder and run HijackThis from there.

    Start HijackThis and place a check next to these items.
    Close all browser windows and shut down all other programs that show in the taskbar (even folders). Then hit Fix checked.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod.dll

    O4 - HKLM\..\Run: [apoljftq] C:\WINNT\System32\mmuxyw.exe
    O4 - HKLM\..\Run: [SysTime] C:\WINNT\System32\systime.exe
    O4 - HKLM\..\Run: [tpcupdater] C:\WINNT\updatetc.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [Spyware Begone] C:\spywarebegone\SpywareBeGone.exe -FastScan
    O4 - HKCU\..\Run: [Aram] C:\Documents and Settings\ldwilson\Application Data\ctee.exe
    O4 - HKCU\..\Run: [Zsayygv] C:\WINNT\System32\w?nspool.exe
    O4 - HKCU\..\Run: [winltmpv] c:\winnt\winln.exe
    O4 - HKCU\..\Run: [SysTime] C:\WINNT\System32\systime.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    O9 - Extra button: Corel Network monitor worker - {01C61943-B8E7-46D3-B853-D4802269A078} - (no file)
    O9 - Extra button: Corel Network monitor worker - {01C61943-B8E7-46D3-B853-D4802269A078} - (no file) (HKCU)

    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.windupdates.com
    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
    O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://download.iwon.com/ct/pm3/iwonpm_8_1,0,2,5.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    ============
    In Control Panel > Add/Remove Programs, uninstall TV Media and SpywareBeGone.

    Run CWShredder and click Fix as opposed to Scan.

    Restart the PC, then find and delete (ONLY THESE EXACT) files and folders,
    if still there.
    Set Windows to show hidden files, folders and extensions
    (click here for instructions).
    c:\ied_s7m.cab
    c:\winnt\winln.exe
    C:\WINNT\System32\systime.exe
    C:\Program Files\TV Media
    C:\WINNT\System32\mmuxyw.exe
    C:\WINNT\updatetc.exe
    C:\spywarebegone
    C:\Documents and Settings\ldwilson\Application Data\ctee.exe

    Post a new log after you get back.
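    The analysis Lonny Jones did by eye above (home pages pointing at a bare IP, random-looking Run entry names, a "?" in a System32 file name, Trusted Zone additions, an ActiveX install from a file:// path) can be turned into a first-pass triage script. What follows is an added example, not code from the thread or from HijackThis itself: it parses a handful of lines copied from the posted log, mixed with some benign entries, and flags the ones worth a closer look. The section codes it inspects and the thresholds it uses (for instance, a run of five or more consonants in a Run entry name) are assumptions chosen for illustration; every flag is a prompt for a person to verify the entry, as the poster did, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis log posted above,
# plus some benign entries, so the triage can run offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [apoljftq] C:\WINNT\System32\mmuxyw.exe
O4 - HKCU\..\Run: [Aram] C:\Documents and Settings\ldwilson\Application Data\ctee.exe
O4 - HKCU\..\Run: [Zsayygv] C:\WINNT\System32\w?nspool.exe
O4 - HKCU\..\Run: [winltmpv] c:\winnt\winln.exe
O15 - Trusted Zone: *.05p.com
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
"""

# HijackThis entry lines start with a section code (R0-R3, O1-O2x) followed by " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# A URL whose host is a dotted-quad IP rather than a host name.
BARE_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[/:]|$)")
# O4 body: "...\Run: [entry name] target command line"
RUN_RE = re.compile(r"Run: \[([^\]]*)\]\s*(.*)$")


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O4"
    reason: str  # why the line was flagged
    line: str    # the original log line


def parse_entries(log_text):
    """Yield (code, body, line) for each entry line; the process list and header are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def longest_consonant_run(name):
    """Length of the longest run of consonants (y counted as a vowel). Assumed heuristic:
    names like 'apoljftq' are unpronounceable, real product names rarely exceed four."""
    runs = re.findall(r"[b-df-hj-np-tv-xz]+", name.lower())
    return max((len(r) for r in runs), default=0)


def triage(log_text):
    """Return the entries a first-pass reviewer should look at, with a reason for each."""
    findings = []
    for code, body, line in parse_entries(log_text):
        if code in ("R0", "R1"):
            m = BARE_IP_URL.search(body)
            if m:
                findings.append(Finding(code, f"browser setting points at bare IP {m.group(1)}", line))
            elif body.endswith("= about:blank") and "Search" in body:
                findings.append(Finding(code, "search setting blanked out (about:blank)", line))
        elif code == "O2" and "(no name)" in body:
            findings.append(Finding(code, "BHO with no name", line))
        elif code == "O4":
            m = RUN_RE.search(body)
            if m:
                name, target = m.groups()
                if longest_consonant_run(name) >= 5:
                    findings.append(Finding(code, f"Run entry name '{name}' looks random", line))
                if "?" in target:
                    findings.append(Finding(code, "Run target file name contains a non-printable character", line))
                if "application data" in target.lower():
                    findings.append(Finding(code, "Run target lives in a user profile data folder", line))
        elif code == "O15":
            findings.append(Finding(code, "site added to the Trusted Zone", line))
        elif code == "O16" and "file://" in body.lower():
            findings.append(Finding(code, "ActiveX control installed from a local file:// path", line))
    return findings


def summarise(findings):
    """Count findings per HijackThis section code."""
    counts = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

    Run against the sample, the script flags ten of the thirteen lines and passes the Synchronization Manager, the named BHO and the AOL cab through untouched. Note what it does not catch: the SysTime, tpcupdater and TV Media entries that the reply above also lists look ordinary by name alone, which is why a script like this narrows the list for a reviewer rather than replacing one.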
     

  4. 2004/10/19
    kilroy4605

    kilroy4605 Inactive Thread Starter

    Joined:
    2004/10/17
    Messages:
    2
    Likes Received:
    0
    I did all of the process that you recommended. There were two that would not delete. The shortcut to the original problem appears to be fixed, though.

    C:\Program Files\TV Media
    C:\WINNT\updatetc.exe

    Now my Internet Explorer home page is still hijacked to the following address.
    http://a-search.biz/?wmid=1010

    Thank you for your assistance.
     
  5. 2004/10/19
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello

    The TV Media folder won't delete after a restart? It's usually an easy fix.
    Try Microsoft's tool:
    T.V. Media Removal Tool (KB 886590): http://www.microsoft.com/downloads/...27-B656-45CD-9668-73134A18231B&displaylang=en


    Restart the PC afterwards and post a new HijackThis log.
    Also:
    Copy the bolded text below into a new Notepad document.
    Name the file Appinit.bat.
    Save as type: All Files.
    Save on the Desktop.

    rem Appinit.bat: save the Windows key (home of AppInit_DLLs) to a hive file, then rename it for posting
    if exist windows1.hiv del windows1.hiv
    reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
    ren windows1.hiv windows.txt



    Double-click on Appinit.bat.
    This will create a file on the desktop named windows.txt; post the windows.txt.
     