icons? "cs4po28" "silent.exe" and "o"

Discussion in 'Security and Privacy' started by pc593, 2004/08/10.

  1. 2004/08/10
    pc593

    Hi, some kind of spyware has hijacked my system and three suspicious icons have shown up on my desktop: "cs4po28." "silent.exe" and "o" (I'm not sure about the extension on this).

    I have a Windows 98 system, and I use Internet Explorer, version 6.00.
    When I click on IE, multiple windows pop up and eventually block the entire screen. For some reason, my homepage is set to:
    http://default-homepage-network.com/start.cgi?new-hkcu
    My programs run noticeably slower than before...

    I've tried everything from running my Norton AntiVirus (which doesn't seem to detect problems with these weird new icons on my desktop) to Spybot Search and Destroy 1.3, with which I've cleared away many suspicious files, but still these weird icons stay on the desktop. I don't think they're damaging anything yet, but I'm worried. I've even downloaded HijackThis, ran a scan and saved a log, but I'm not sure which ones to select for fixing...

    Logfile of HijackThis v1.97.7
    Scan saved at 11:34:53 AM, on 8/10/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\TEMP\EGTT9FP.EXE
    C:\WINDOWS\SYSTEM\IEHOST.EXE
    C:\WINDOWS\SYSTEM\SHOACLEN.EXE
    C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\VAELTC3.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
    C:\WINDOWS\SYSTEM\TWI9.EXE
    C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.EXE
    C:\WINDOWS\SYSTEM\AVCYL.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\DESKTOP\CS4P028.EXE
    C:\WINDOWS\DESKTOP\CS4P028.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\ANTISPYWARE\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hkcu
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netian.com
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
    O4 - HKLM\..\Run: [Egtt9fp] C:\WINDOWS\TEMP\EGTT9FP.EXE
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\SYSTEM\IEHost.exe
    O4 - HKLM\..\Run: [2XQCB4G4W@5G2R] C:\WINDOWS\SYSTEM\Ahn9.exe
    O4 - HKLM\..\Run: [q85P36Q] SHOACLEN.EXE
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
    O4 - HKCU\..\Run: [bzuFRWc7T] VAELTC3.EXE
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SPYDOCTOR.EXE" /Q
    O4 - HKCU\..\RunOnce: [Web Offer] C:\EZSTUB.EXE
    O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.netian.com
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
     
    Last edited: 2004/08/10
  2. 2004/08/10
    Lonny Jones

    Hi

    Download the Peper uninstaller, close all programs that show in the taskbar, then run it. When it is done, restart the PC.
    http://downloads.subratam.org/PeperFix.exe

    In Control Panel, Add/Remove Programs, uninstall
    PGate and/or PGTools, PG Basic
    Web Offer if listed. While there, look for and uninstall anything else suspicious.
    I highly recommend uninstalling Kazaa.
    Restart the PC if prompted to.

    Download, then close all open windows and run CWShredder.exe 1.59.1
    http://radiosplace.com/
    <<from there Click Fix, don't just scan. You have several CoolWebSearch components which it should remove.
    If you already have it, just download another copy and overwrite the old one,
    to ensure it's the latest version. Currently it's ver 1.59.1 as of 6/28/2004.
    Restart the PC

    Then go to Radios place again and get the newer version of HijackThis and post a new log.
     

  4. 2004/08/10
    Newt

    To state that in slightly stronger language,
    Get Rid of Kazaa
    Otherwise you will keep getting slammed with spyware that Kazaa invites in without asking your permission.
     
    Newt,
    #3
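
A way to pre-sort the O4 (registry autorun) lines of a HijackThis log like the one posted in this thread, as an added example that is not part of the thread or of HijackThis itself. The three review rules and all function names are assumptions made here; a flagged entry is one to look up before fixing, not a verdict.

```python
import ntpath
import re

# Sample input embedded for the example: lines copied from the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Egtt9fp] C:\WINDOWS\TEMP\EGTT9FP.EXE
O4 - HKLM\..\Run: [q85P36Q] SHOACLEN.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\RunOnce: [Web Offer] C:\EZSTUB.EXE
O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_REG = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
EXE = re.compile(r"(.+?\.(?:exe|com|bat|scr|pif))(?=\s|$)", re.I)

def executable(command):
    """Program path from an autorun command line, with or without quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE.match(command)
    return m.group(1) if m else command.split()[0]

def review_reasons(command):
    """Assumed review rules: why this autorun target deserves a lookup."""
    directory = ntpath.dirname(executable(command)).upper()
    if not directory:
        return ["no directory given, resolved through the search path"]
    if "\\TEMP\\" in directory + "\\":
        return ["runs from a TEMP directory"]
    if re.fullmatch(r"[A-Z]:\\?", directory):
        return ["runs from the drive root"]
    return []

def triage(log_text):
    """Return [(hive, key, value_name, reasons)] for flagged registry autoruns."""
    findings = []
    for line in log_text.splitlines():
        m = O4_REG.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            reasons = review_reasons(command)
            if reasons:
                findings.append((hive, key, name, reasons))
    return findings

if __name__ == "__main__":
    for hive, key, name, reasons in triage(SAMPLE_LOG):
        print(f"{hive}\\{key} [{name}]: {'; '.join(reasons)}")
```

Legitimate entries can also be flagged (the log's `mstask.exe` line has no directory either), so each hit still needs to be checked against a known-good reference before anything is removed.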