
Hot teens icon on desktop


Name: fanore
Date: March 29, 2004 at 19:35:58 Pacific
OS: windows xp
CPU/Ram: 1.4/256
Comment:

I posted this message last night and got an answer -- I checked from another machine. But now that I am ready to implement the fix, I can't find the message or reply.
My problem is that an icon called "hot teens" keeps showing up on my desktop. I've used Spybot and Ad-aware and it keeps coming back. The first reply identified it as something to do with "isearch", which also mysteriously appeared, but I thought was gone. But it's in my HT file. I am reposting my HT file. I would really appreciate it if someone could post the solution one more time...
Thanks..
Fanore

Here's my HT file:

Logfile of HijackThis v1.97.7
Scan saved at 10:30:13 PM, on 3/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINDOWS\System32\WLANSTA.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\E-O'BR~1\LOCALS~1\Temp\k.exe
C:\Program Files\WebSiteViewer\123070.dlr
C:\Documents and Settings\E-O'Brien\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.localtoolbox.com/lakesregion
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localtoolbox.com/lakesregion
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.localtoolbox.com/lakesregion
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localtoolbox.com/lakesregion
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://education.dellnet.com/
O2 - BHO: TX4 - {00000000-08C8-8E68-587B-61F804EE6164} - C:\WINDOWS\System32\avisynth32.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.exe START
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00003/chm.chm::/files/initial.cab
O16 - DPF: {69432678-2906-2705-1128-068943397621} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\Software\..\Telephony: DomainName = ad.unh.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.unh.edu





Response Number 1
Name: blender
Date: March 29, 2004 at 20:21:59 Pacific
Reply:

Hi again.....try this link:

http://toolbar.isearch.com/uninstall/

It's an automatic uninstall.

Reboot if prompted.

Check in Hijackthis after the uninstall of isearch that these entries are gone:

O2 - BHO: TX4 - {00000000-08C8-8E68-587B-61F804EE6164} - C:\WINDOWS\System32\avisynth32.dll

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00003/chm.chm::/files/initial.cab

O16 - DPF: {69432678-2906-2705-1128-068943397621} -

If not...check all 3 items, close all windows except hijack and click "fix checked"

Empty out temporary internet files including offline content:

Start> settings> control panel> internet options.
Click delete files
Check delete offline content
Click ok
Click clear history
Yes at the prompt

Start task manager (ctrl+alt+del)
Processes
End process on k.exe

Show hidden files and folders:

Start> settings> control panel> folder options> view.
Check "show hidden files and folders"
Uncheck "hide file extensions for known file types"
Click apply
Click ok

Go to:

C:\documents and settings\your name\local settings\temp\k.exe <--delete this

Reboot

Post new Hijack log when done
______________________________________


I never give up!

Windows Update


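As an added example (not code from this thread and not part of HijackThis), here is a small Python triage script that applies the kind of checks blender is doing by eye above: processes running from a Temp directory or with a non-.exe image (k.exe, 123070.dlr), BHOs whose CLSID begins with a zeroed block (the "TX4" entry), O4 Run values with one-character names or the same command registered twice, and O16 Downloaded Program Files fetched over something other than HTTP or with no source URL at all. The sample log is constructed from lines quoted in this thread; the rules are my own heuristics, not HijackThis logic, and will flag benign software too, so every hit still needs a human look.

```python
"""Heuristic triage of a HijackThis v1.9x log.

Added example for this thread; it is not HijackThis code and not
anything blender posted. SAMPLE_LOG is constructed from entries quoted
in the thread (fanore's first log plus two O4 lines from Hydrak11's
log). The rules are my own heuristics: they flag things worth a second
look and will produce false positives on legitimate software.
"""
import re
from collections import defaultdict

# Constructed sample log, trimmed to the entries the heuristics care about.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\E-O'BR~1\LOCALS~1\Temp\k.exe
C:\Program Files\WebSiteViewer\123070.dlr

O2 - BHO: TX4 - {00000000-08C8-8E68-587B-61F804EE6164} - C:\WINDOWS\System32\avisynth32.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [p] C:\WINDOWS\System32\artdbj.exe
O4 - HKLM\..\Run: [z] C:\WINDOWS\System32\artdbj.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00003/chm.chm::/files/initial.cab
O16 - DPF: {69432678-2906-2705-1128-068943397621} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^([RONF]\d+) - (.*)$")                       # "O2 - ...", "R0 - ..."
O2_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")    # name - {CLSID} - path
O4_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run\w*: \[([^\]]*)\] ?(.*)$")   # HKLM\..\Run: [name] command
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]{36}\})(?: \(([^)]*)\))? -\s*(.*)$")
TEMP_DIR = re.compile(r"\\temp\\", re.I)                              # ...\Temp\... anywhere in a path


def triage(log):
    """Return a list of (section, reason, line) findings for a HijackThis log."""
    findings = []
    in_procs = False
    run_targets = defaultdict(list)  # normalised command -> O4 lines that launch it

    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line ends the process list
                in_procs = False
                continue
            if TEMP_DIR.search(line):
                findings.append(("process", "executable running from a Temp directory", line))
            elif not line.lower().endswith(".exe"):
                findings.append(("process", "running image without .exe extension", line))
            continue

        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind == "O2":
            b = O2_RE.match(body)
            if b and b.group(2).upper().startswith("{00000000-"):
                findings.append(("O2", "BHO with zeroed first CLSID block", line))
        elif kind == "O4":
            r = O4_RE.match(body)
            if r:
                name, cmd = r.group(1), r.group(2)
                if len(name) <= 1:
                    findings.append(("O4", "one-character Run value name", line))
                run_targets[cmd.strip('"').lower()].append(line)
        elif kind == "O16":
            d = O16_RE.match(body)
            if d:
                url = d.group(3)
                scheme = url.split(":", 1)[0].lower() if ":" in url else ""
                if not url:
                    findings.append(("O16", "Downloaded Program File with no source URL", line))
                elif scheme not in ("http", "https"):
                    findings.append(("O16", f"DPF loaded via non-HTTP scheme '{scheme}'", line))

    for cmd, lines in run_targets.items():
        if len(lines) > 1:
            for l in lines:
                findings.append(("O4", "same command registered under multiple Run names", l))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; the Adobe BHO, the NVIDIA Run entry and the Flash DPF in the sample come back clean, while the isearch/CWS lines and the Temp-directory process are all flagged.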

Response Number 2
Name: fanore
Date: March 29, 2004 at 21:09:07 Pacific
Reply:

I uninstalled isearch, but the lines were still in my HT file. So I deleted them. Then I checked for the k.exe file. It was not running and it was not in the folder where you indicated I'd find it.....so perhaps it's not there??

Anyway, here is my new HT file. I hope this fixed it. Thanks for your continued help with this....

Logfile of HijackThis v1.97.7
Scan saved at 12:03:53 AM, on 3/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINDOWS\System32\WLANSTA.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\userinit.exe
C:\Documents and Settings\E-O'Brien\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.localtoolbox.com/lakesregion
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localtoolbox.com/lakesregion
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.localtoolbox.com/lakesregion
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localtoolbox.com/lakesregion
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://education.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.exe START



Response Number 3
Name: blender
Date: March 30, 2004 at 03:25:42 Pacific
Reply:

Fanore

Can you please post the whole log?...bottom half is missing..

Thanks!
___________________________________________

I never give up!

Windows Update



Response Number 4
Name: fanore
Date: March 30, 2004 at 16:33:32 Pacific
Reply:

Blender --
Sorry for cutting off the HT file. Here is the whole thing. I really appreciate your help with this...

Fanore.

Logfile of HijackThis v1.97.7
Scan saved at 7:30:27 PM, on 3/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\System32\WLANSTA.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINDOWS\system32\userinit.exe
C:\Documents and Settings\E-O'Brien\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.localtoolbox.com/lakesregion
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localtoolbox.com/lakesregion
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.localtoolbox.com/lakesregion
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localtoolbox.com/lakesregion
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://education.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.exe START
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\Software\..\Telephony: DomainName = ad.unh.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.unh.edu




Response Number 5
Name: blender
Date: March 30, 2004 at 17:07:51 Pacific
Reply:

fanore

I finally found out what the heck is going on...CoolWebSearch hijack!...if I could make a red-faced smiley I would...those URLs are new CWS domains.

Download CWShredder from here:

http://www.spywareinfo.com/~merijn/downloads.html

If that link does not work try this one: (direct download)

CWShredder.exe

Go offline and double click cwshredder.exe to start.
Close all windows except shredder and click fix not just scan.
Allow it to fix what it finds.

Reboot and check again to be sure the tool got it all.

Again clear out temp internet files as above.
Then click the Programs tab in Internet properties window
Click "reset web settings"
Yes at the popup

I believe that should do it.

Start hijackthis again and check the following to fix: (if still present)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.localtoolbox.com/lakesregion

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localtoolbox.com/lakesregion

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.localtoolbox.com/lakesregion

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localtoolbox.com/lakesregion

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://education.dellnet.com/

Post a new log just to make sure all is clean.
Off to work...will check back in the morning.
____________________________________


I never give up!

Windows Update



Response Number 6
Name: fanore
Date: March 30, 2004 at 17:59:06 Pacific
Reply:

Hi Blender --
I ran CWShredder twice and it didn't seem to find anything. Re-cleaned IE and reran HT. Four of the lines you indicated should be deleted were still present. I deleted them.

Now my home page is MSN. I had set my home page to www.localtoolbox.com/lakesregion....but all those lines were deleted from my HT file. Is it safe to reset my home page to that address?? It's the address provided by my ISP.....
Okay, here's my new HT file. I hope you got it. Thanks again for all your help....and if I'm fixed, can you let me know?
Fanore

Logfile of HijackThis v1.97.7
Scan saved at 8:49:36 PM, on 3/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINDOWS\System32\WLANSTA.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Documents and Settings\E-O'Brien\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.exe START
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.unh.edu
O17 - HKLM\Software\..\Telephony: DomainName = ad.unh.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.unh.edu




Response Number 7
Name: djpbaby
Date: March 30, 2004 at 23:15:14 Pacific
Reply:

I have the identical problem. I've tried to dig it out several times. So far I have found the following
New Folder in Program Files, WebSiteViewer
New Dial up connection called TIBS41
HKLM/Software/Microsoft/windows/Current Version/Run dumprep 0 -k
123070.exe in Temp folder
k.exe in Temp folder
123070.dlr prefetch file
123070.exe prefetch file
k.exe prefetch file
Websiteviewer in Registry in a couple places
One time when I was shutting down spontaneously, a program wouldn't shut down called "O". It wasn't running in my process list and I've never seen it running before. It's a trojan porn dialer that reloads itself daily when you start Internet Explorer. I can't bust this one with HijackThis, Spybot, Ad-aware, Trend Micro, or Norton. It's deep and it's tricky and it's new. Any help with this would be greatly appreciated.




Response Number 8
Name: becrose
Date: March 31, 2004 at 10:11:14 Pacific
Reply:

I have the exact same thing and have no idea how to fix it. Every time I delete the folder from Program Files it reinstalls itself. Please help! It's driving me nuts!



Response Number 9
Name: blender
Date: March 31, 2004 at 15:53:47 Pacific
Reply:

fanore

Your log looks fine.

I am currently having a few problems with a couple utilities of mine designed to analyse this stuff...investigating...

Is everything working ok now?
Is that hot teens icon gone?

You can restore those entries (your home page from ISP) from within Hijackthis:

Start hijackthis
Click config
Click backups
Have only hijackthis window open.
For each of the following entries hilight and click the "restore" button:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.localtoolbox.com/lakesregion

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localtoolbox.com/lakesregion

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.localtoolbox.com/lakesregion

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.localtoolbox.com/lakesregion

Reboot

That will reset your home page settings.

Sorry for any confusion.

Take care and all the best.
___________________________________

I never give up!

Windows Update



Response Number 10
Name: fanore
Date: March 31, 2004 at 17:09:26 Pacific
Reply:

Blender --
Yes, everything is working fine....and the hot teens icon is gone.....Because it seems to wait a few days between popping up, I'll hold my breath a bit longer. But I think you got it!! Thanks for all your help......

Can I ask you one last question? Is there anything -- other than being very careful about the sites that I visit -- to protect myself from this sort of thing. I think in our first message (the one that got lost), you mentioned some program I should get?

Anyway, I believe you solved my problem and I am very grateful to you....
Fanore.



Response Number 11
Name: w_wynn
Date: March 31, 2004 at 18:47:30 Pacific
Reply:

I'm glad I finally found something on this thing - I've had it for a week.

Fanore - just for kicks (and to see if it's gone for good) - bump up your system clock by a day or two. Then boot & open Internet Explorer. As we've all discovered, after deletion the thing waits for a while to reappear.

In my case, confusing it with the system clock at least lets me know that my attempts to kill it have failed without having to wait and see.



Response Number 12
Name: fanore
Date: March 31, 2004 at 22:30:24 Pacific
Reply:

Blender --
I guess it's not so easy to get rid of this thing. It seems I have some of the same issues that others have raised in this line of messages. I just found a folder called website viewer with more of the icons in it and a few other files. I deleted it, but as others seem to be finding, it still comes back.......anything else you can suggest would be greatly appreciated...
Fanore



Response Number 13
Name: w_wynn
Date: April 1, 2004 at 01:15:03 Pacific
Reply:

I'm pretty sure it's gone!! O.K I didn't read carefully enough earlier, but once I got rid of the avisynth32.dll (along with everything else) the porn chick quit showing up.

THANKS Blender



Response Number 14
Name: imtjm
Date: April 1, 2004 at 03:51:49 Pacific
Reply:

Hi all, I've tried the things above, and tested changing the date. The thing still keeps popping up and won't die. None of the things show up in HijackThis, but it still pops up. Any suggestions? Thanks



Response Number 15
Name: blender
Date: April 1, 2004 at 08:17:17 Pacific
Reply:

fanore

Do you also, like it seems most of the others in this thread do, have "Website viewer"?
Check in add/rem programs (in control panel) to see if its there...and try uninstalling it.

Since your original post disappeared and I don't remember exactly what all I said...(I do remember answering it, though)
Have you used the "tweaked" settings on ad-aware?
After getting the latest updates...
Here is the url to set it up for best results:

http://www.lavahelp.com/howto/fullscan/index.html

Once set up like that page describes...go offline, preferably in safe mode (tap F8 on boot), and run its scan...use the "custom scanning" option.
Let it remove all it finds.
Reboot to finish cleaning.

While still offline...

Again empty out temp internet files, offline content, history.
I would also empty out c:\windows\temp, and anything that looks remotely suspicious in this location:

C:\documents and settings\your name\local settings\temp
(you will need to enable show hidden files/folders)

Here is a program that will help remove all those files safely and completely:

http://www.it-mate.co.uk/support/idsuite.asp

Reboot after cleanup.

You may be getting re-infected because of IE security settings not set up correctly and/or missing a few MS updates.
There must be some site you keep hitting that re-infects you....so I wouldn't go surfin until stuff below is set up....

First visit windows update and install any missing critical updates.

Then visit here to help with IE security settings help: (Default settings are not adequate)

http://www.boards.cexx.org/viewtopic.php?t=957

Once that is set up...

The program I was talking about is Spywareblaster and IE-Spyad.

http://www.javacoolsoftware.com/spywareblaster.html
Once set up...let it go thru the tutorial...and then enable protection for all in the list (it will show all unprotected)
Once set up...it will show all protected.

IE-Spyad puts several thousand known bad sites in the restricted zone of IE, which has ActiveX, Java, scripting, and anything else potentially dangerous disabled.
If you happen to hit a bad site...they can't do anything to you.
Downside is alot of pages don't display right...but if it's in my restricted zone...I dont want to be there anyway.
Many of these sites look neutral but are not.

Download here:

http://www.staff.uiuc.edu/~ehowes/main.htm

Read carefully on install instructions...it is a little different install procedure.

Your spybot also has additional protection:

Start spybot (advanced mode)
Click red Immunize button
Ok the prompt
Click the immunize button at bottom of window
Scroll down to install the "bad download blocker for IE" Click "install"

I also use another spyware detector...it has shown a few things that both Ad-aware and Spybot have missed. It's just a scanner, though, but if anything does show up...clicking on the detected item(s) will bring you to a page with good instructions for removal.
Program is Bazooka and is free:

http://www.kephyr.com/spywarescanner/

Something else that has me wondering....

I see your antivirus running in the list of running processes but it is not showing up in the O4 entries of your hijack log..(the O4's are the auto start entries...that is what starts up with Windows)
Are you having to start your antivirus manually all the time?...does it work ok?

Just to rule out possible virus...I would run a full scan of your system.

If you want 2nd AV opinion...try a scan here:

http://www.ravantivirus.com/scan

(you will need to shut off your own AV to prevent conflicts.)

If something does turn up in virus scan that can't be cleaned...let me know what and exactly where it is located. (full file path)

Let me know if a rescan with Ad-aware, Spybot, and Bazooka (if you use it) always flags the same things other than cookies.

Thanks

When we are sure all is cleaned out....going to need to purge your system restore points as windows may have backed up some of the nasty little buggers.
If anything is in system restore...it cant do anything unless you use it...so we will wait till last to do.

I never give up!

Windows Update


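As an added example (not the thread's own code and not IE-SpyAd's), the following Python shows the mechanism blender describes above: a site is put in IE's Restricted sites zone by a per-user ZoneMap registry key, which is what a .reg import of a blocklist amounts to. The hostnames below are constructed for illustration; only toolbar.isearch.com is taken from the log earlier in this thread. The code assumes a two-label registrable domain (example.com), so something like example.co.uk would need a public-suffix list to split correctly, and it assumes IE stores a multi-label host part as a single subkey name containing dots.

```python
"""Generate a .reg file that places hostnames in Internet Explorer's
Restricted sites zone (zone 4) via the per-user ZoneMap keys.

Added example for this thread; not IE-SpyAd's own code. BLOCKLIST is
constructed for illustration (toolbar.isearch.com is from the thread).
Assumption: the registrable domain is the last two labels of the host.
"""

ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")
# IE URL security zone ids: 0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted
RESTRICTED_SITES = 4

# Constructed blocklist; mixed case and duplicates are deliberate.
BLOCKLIST = ["toolbar.isearch.com", "ISEARCH.COM", "www.example.com",
             "bad.example.com", "isearch.com."]


def zone_key(host):
    """Map a hostname to its ZoneMap subkey: Domains\\<domain>[\\<host part>]."""
    labels = host.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"need a host with at least two labels: {host!r}")
    domain = ".".join(labels[-2:])       # assumption: two-label registrable domain
    sub = ".".join(labels[:-2])          # remaining labels become the subkey
    return f"{ZONEMAP}\\{domain}\\{sub}" if sub else f"{ZONEMAP}\\{domain}"


def restricted_zone_reg(hosts, zone=RESTRICTED_SITES):
    """Build regedit 5.00 text assigning every scheme ("*") of each host to `zone`."""
    keys = sorted({zone_key(h) for h in hosts})   # dedupe after normalisation
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in keys:
        lines += [f"[{key}]", f'"*"=dword:{zone:08x}', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # regedit reads version 5.00 files as UTF-16LE; write with encoding="utf-16"
    # if saving to disk instead of printing.
    print(restricted_zone_reg(BLOCKLIST))
```

Because the keys live under HKEY_CURRENT_USER, an import only protects the user profile it is run in; each account on the machine needs its own import. Note also that listing a bare domain (isearch.com) already covers its hosts, so the toolbar.isearch.com subkey in the sample output is redundant rather than harmful.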

Response Number 16
Name: Hydrak11
Date: April 1, 2004 at 11:53:26 Pacific
Reply:

Here is my HT file log... I have all the same problems with that stupid icon popping up... Some one please check my Log over and see if I am running ok... If not, please help out with some instructions... I followed some of the above ones... but I still need help...

Logfile of HijackThis v1.97.7
Scan saved at 1:50:58 PM, on 4/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\GEARSEC.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Winamp\winampa.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\DefyMessFour\Multi loud time.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\Foolio\Applications\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\d0v4dvtu.slt\prefs.js)
O2 - BHO: TX4 - {00000000-387E-9D50-0079-1744044CB22A} - C:\WINDOWS\System32\authz32.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {759D05FA-ABDA-3E8D-AF07-CFBAF5B889E1} - C:\WINDOWS\system32\tfprgiga.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [p] C:\WINDOWS\System32\artdbj.exe
O4 - HKLM\..\Run: [z] C:\WINDOWS\System32\artdbj.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ozfegdbu] C:\WINDOWS\ihisojjr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Style Owns] C:\PROGRA~1\DefyMessFour\Multi loud time.exe
O4 - HKLM\..\RunServices: [Altnet] C:\windows\Altnet.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Altnet] C:\windows\Altnet.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


0

Response Number 17
Name: w_wynn
Date: April 1, 2004 at 14:16:17 Pacific
Reply:

OK it's not showing up after changing dates any more, so I'm pretty sure it's dead...
Here's what worked for me:

- booted to SAFE MODE
- manually deleted websiteviewer folder, all files in my temp folder, the prefetch file, and avisynth32.dll
- manually deleted any registry keys referencing websiteviewer, 123070, & avisynth32
- ran all the various spyware, adware, etc. programs to see if they caught anything else
- rebooted to normal mode (changed system clock for testing)
- ran all the various programs again (just for peace of mind)
- opened Internet Explorer - all was good!

I've since changed the date several times and rebooted - still hasn't reappeared.

Oh yeah - don't forget to delete the dial-up connection that it creates.

Don't know if this will help anybody else, but thought I would offer.


0

Response Number 18
Name: blender
Date: April 2, 2004 at 08:30:11 Pacific
Reply:

Hydrak11

You have a few issues to deal with...may take a few steps to clean up.

First what looks like cool websearch hijack...

Download the CWShredder that is shown in response # 5

Save it to disk, go offline and double-click to run.
Reboot and run again...just to be sure.

Next make a separate folder just for hijackthis:

Hit the ctrl+e keys, double click (c:)
Right click, point to new, click new folder
Name it HJT
Move hijackthis.exe to that folder.
If we need to restore anything with hijack...it makes it easier to do.

Next start hijack again and check the following entries if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis

O2 - BHO: TX4 - {00000000-387E-9D50-0079-1744044CB22A} - C:\WINDOWS\System32\authz32.dll

O2 - BHO: (no name) - {759D05FA-ABDA-3E8D-AF07-CFBAF5B889E1} - C:\WINDOWS\system32\tfprgiga.dll

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [p] C:\WINDOWS\System32\artdbj.exe
O4 - HKLM\..\Run: [z] C:\WINDOWS\System32\artdbj.exe

O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKLM\..\Run: [ozfegdbu] C:\WINDOWS\ihisojjr.exe

O4 - HKLM\..\Run: [Style Owns] C:\PROGRA~1\DefyMessFour\Multi loud time.exe


O4 - HKLM\..\RunServices: [Altnet] C:\windows\Altnet.exe

O4 - HKCU\..\Run: [Altnet] C:\windows\Altnet.exe

O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

Reboot safe mode (tap f8 key on boot) and delete the following:

c:\windows\system32\artdbj.exe <-file
c:\windows\system32\zzb.exe <-file
c:\windows\ihisojjr.exe <-file
c:\program files\DefyMessFour <-folder
c:\windows\system32\p2p networking <-folder

While still in safe mode...

Clean out temporary internet files:

Start> settings> control panel> internet options.
Click delete files
Check delete offline content at the popup
Click ok
Click "clear history"
Click ok

Next go to C:\windows\temp
Clean out everything in there.

Next boot to regular windows and check add/remove programs in control panel for:

Altnet points manager
P2P Networking
Websiteviewer

If either are present...remove them.

Go to your control panel> dial up connections> check for a connection listed...TIBS41...if listed...delete it.

The file Altnet.exe does not look right (Altnet points manager by rights loads from the program files folder...this one isn't)...can you check that file here:

http://www.kapersky.com/remoteviruschk.html

Once you get to the site browse to the folder:

c:\windows\altnet.exe

and get them to scan it....let me know results.

Post new log along with whatever Kaspersky says about altnet.exe
____________________________________

I never give up!

Windows Update


0
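The checks blender applies by eye above (O16 entries with no download URL, BHOs with an all-zero CLSID block, one-letter autostart names, the same executable registered twice, executables sitting directly in C:\WINDOWS) can be written down as simple heuristics over HijackThis log lines. The script below is an added example, not code from this thread or from HijackThis itself; the sample lines are constructed from entries quoted in the thread, and the heuristics are triage hints for review, not a verdict.

```python
"""Triage heuristics for HijackThis v1.97-style log lines.

Added example; not code from the original thread or from the HijackThis
project. The heuristics mirror what the thread's helpers singled out:
  - O16 (Downloaded Program Files) entries with no source URL
  - O2 BHO entries whose CLSID begins with an all-zero block
  - O4 autostart entries with one- or two-character value names ([p], [z])
  - O4 entries whose executable sits directly in the Windows directory
  - the same executable registered under several O4 autostart names
It only reads text and reports; it never touches the registry or files.
"""
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "tag subject line")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:\[]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)$")
# Executable directly under C:\WINDOWS (or C:\WINNT), not in a subfolder.
WINROOT_RE = re.compile(r"^[a-z]:\\win(dows|nt)\\[^\\]+\.exe$")


def executable_of(cmd):
    """Return the lower-cased program path from an O4 command line."""
    cmd = cmd.strip()
    m = re.match(r'"?(.*?\.exe)', cmd, re.IGNORECASE)
    if m:
        exe = m.group(1)
    else:
        parts = cmd.split()
        exe = parts[0] if parts else cmd
    return exe.lower()


def triage(log_text):
    """Return a list of Finding records for lines that deserve a closer look."""
    findings = []
    autostarts = defaultdict(list)  # executable -> [(key, value name, line)]
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            if m["clsid"].upper().startswith("00000000-"):
                findings.append(Finding("zero_clsid", m["path"].lower(), line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            autostarts[exe].append((m["key"], m["name"], line))
            if len(m["name"].strip()) <= 2:
                findings.append(Finding("short_name", exe, line))
            if WINROOT_RE.match(exe):
                findings.append(Finding("windows_root", exe, line))
            continue
        m = O16_RE.match(line)
        if m and not m["url"]:
            findings.append(Finding("no_url", m["clsid"].upper(), line))
    # One program started from several autostart locations is a classic
    # persistence trick (artdbj.exe under [p] and [z]; Altnet under two hives).
    for exe, regs in autostarts.items():
        if len(regs) > 1:
            findings.append(Finding("duplicate", exe, "; ".join(r[2] for r in regs)))
    return findings


# Constructed sample: a mix of entries flagged in this thread and harmless ones.
SAMPLE_LOG = r"""
O2 - BHO: TX4 - {00000000-387E-9D50-0079-1744044CB22A} - C:\WINDOWS\System32\authz32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [p] C:\WINDOWS\System32\artdbj.exe
O4 - HKLM\..\Run: [z] C:\WINDOWS\System32\artdbj.exe
O4 - HKLM\..\Run: [ozfegdbu] C:\WINDOWS\ihisojjr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Altnet] C:\windows\Altnet.exe
O4 - HKCU\..\Run: [Altnet] C:\windows\Altnet.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.tag}] {f.subject}\n    {f.line}")
```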

Response Number 19
Name: Bosterson
Date: April 2, 2004 at 15:16:00 Pacific
Reply:

I've had this hot teens thing for at least a week now, and can't seem to get rid of it. Spybot only seems to get rid of a couple parts of it, and it just keeps coming back no matter how many registry entries I delete. I don't have Hijack This, so I've been mainly just searching through my hard drive and registry for files/entries that I know are associated with this damn dialer and deleting them. I tried Bill's suggestions about booting in safe mode and deleting everything, and I thought that had done the trick, but today I set my system clock ahead and up popped that damn hot teens icon.

Here's a list of the files that this dialer installs on my drive:

123070.EXE-075F3B7E.pf in c:\windows\prefetch
123070.DLR-337EF64B.pf in c:\windows\prefetch
123070.dlr in c:\program files\websiteviewer
123070.ban in c:\program files\websiteviewer
123070.dd in c:\program files\websiteviewer
123070.ico in c:\program files\websiteviewer
123070.exe in c:\program files\websiteviewer
123070.dlr in c:\documents and settings\<current user>\local settings\temp
K.EXE-2A53B521.pf in c:\windows\prefetch
k.exe in c:\documents and settings\<current user>\local settings\temp
folder c:\program files\websiteviewer
dial up connection: TIBS41

Right now I'm not finding the avisynth32.dll file, but I've found it before.

When I go into the registry, I find entries for k.exe, 123070.exe, avisynth32.dll, etc., and they all are in folders under something called Search Assistant, which I find in different parts of the registry, eg:

HKCU\software\microsoft\search assistant\ACMru\5604\

In there we have the values:

000 - avisynth32
001 - TIBS
002 - 123070
003 - k.exe
004 - websiteviewer

Last night I booted in safe mode and deleted every file on my hard drive that came up when I search for avisynth32, k.exe, 123070, websiteviewer, etc., and every registry key that came up when I searched for search assistant, 123070, k.exe, avisynth32, TIBS, etc. I figured that would do it, but as you know, it came back today.

Interestingly, the registry key for search assistant that I described above is the only one I can find today, whereas I found it at least three or four times last night.

I have now found these keys in HKCU\software\microsoft\windows\ShellNoRoam\MUIcache

c:\docume~1\<current user>\locals~1\temp\123070.exe
c:\program files\websiteviewer\123070.exe
c:\program files\websiteviewer\123070.dlr

That's it for now, although I'm sure there's something else lurking around that will make all this stuff come back. Sorry for having to write so much, but hopefully all this info will help us figure out what's allowing this dialer to keep reinstalling itself. I've installed Mozilla Firefox in the hope that this thing only works through IE, but I'm not even sure that did the trick (the last time it reinstalled - which you can see coming because the screen flickers - I was working in Firefox). I really REALLY want to get rid of this damn thing, so let's figure out a way to kill it.


0

Response Number 20
Name: djpbaby
Date: April 2, 2004 at 23:16:31 Pacific
Reply:

Bill nailed it just as I did. I kept forgetting avisynth.dll or avifile32.dll or something like that. It's a BHO (Browser Helper Object) and it helps hot teens come on when you run internet explorer. Now it doesn't reload itself anymore. Your registry shows those values in the search assistant file cause you've been searching for them Bosterson. They do nothing of value there except remember stuff you are looking up. Just do what bill did, except I didn't put it in safe mode and all is well. Download hijack this (it's free on download.com) cause it helps to get rid of the nastiness. Here are the best steps
#1 reload computer
#2 cancel the k.exe and 123070.exe if they are running in the process list
#3 delete
Program Files/Websiteviewer
Hot Teens on Desktop and Start Menu
Documents and Setting/User Name/Local Files/Temp-- k.exe and 123070.exe
WinNT/Prefetch--123070.exe, 123070.dlr
WinNT/System32/avifile32.dll (or avisynth)
#4 Search for k, 123070, and websiteviewer in registry and delete
#5 Find HKLM/Software/Microsoft/Windows/Run dumprep 0 -k and delete
#6 Run "msconfig" and take the check off of dumprep 0 -k
#7 Restart
Voila! Now don't press the accept button when it pops up on the porn site when you want to watch the free movie. (suspected origination)

blah


0

Response Number 21
Name: djpbaby
Date: April 2, 2004 at 23:24:10 Pacific
Reply:

Oh, other quick notes. I have just found out that the avisynth or avifile is actually legit. That's the catch. Hijack this finds the one with the common name, but it's a BHO instead of a microsoft file. Also delete the TIBS41 dialer too. 3 days with no hot teens and running.

blah


0

Response Number 22
Name: Bosterson
Date: April 3, 2004 at 01:22:14 Pacific
Reply:

Ok, I got Hijack This so here's my log file if it helps you knowledgeable types.

Logfile of HijackThis v1.97.7
Scan saved at 1:17:45 AM, on 4/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\Winamp5\winamp.exe
C:\Download\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: TX4 - {00000000-0000-5DFC-5652-1705043F6518} - C:\WINDOWS\System32\audiosrv32.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.exe /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1080806805200
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {69432678-2906-2705-1128-068943397621} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.027349537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


0

Response Number 23
Name: blender
Date: April 3, 2004 at 06:26:36 Pacific
Reply:

Bosterson, and whoever else...

Wow...all these logs in one thread are confusing....not only to me but I imagine to all posting here...

Anyhow; if you can find a copy of that darn 123070.exe file...email me a copy of it...I want to analyze it and submit it to several anti-malware sites.
Please zip it if possible.
Click my name for email addy.


Once I find info on this little bugger...I will advise what next...it will take a couple days.

Until then...if you haven't already; download Ad-aware, update it. (reference file is now 01R 279)
Restart ad-aware, set it up like this page suggests:

http://www.lavahelp.com/howto/fullscan/index.html

Ad-aware download:

http://www.lavasoftusa.com/support/download/

Once updated and set up like that....go offline to run the scan preferably in safe mode (tap f8 on boot)
Make sure custom scanning mode is checked.

Once scan is done...click next> right click in results window> click "select all"
Ok the prompt.

Reboot.

Re-scan.

Empty out all temporary internet files including offline content.
Clear history
Clean out c:\windows\temp
Clean out c:\documents and settings\your name\*local settings\temp
*=hidden file...enable show hidden files and folders in "folder options" within the control panel.

If any other users are on your computer...

Do the same procedures as above for all users.

There is another program that might remove that crap..

http://www.emsisoft.com/en/

Download the a2 free.(on the left)
You will need to register with them to get updates.
Update the program.
Run its scan while offline and disable antivirus to prevent conflicts.

Wait till I get more info on that file before doing anything else...I don't want this getting out of hand and see someone deleting system files.
There may be specific removal instructions we are missing.
______________________________________


I never give up!

Windows Update


0

Response Number 24
Name: w_wynn
Date: April 3, 2004 at 13:05:09 Pacific
Reply:

To all -

Something I should have stated earlier...
You probably don't want to try some of the things I've posted unless you really know what you're doing (or want to learn). Blender's right - it could turn ugly.

Of course, no matter what you try, the worst thing that could happen would be Windows crapping out completely and you have to re-install. If you think about it though, that only takes a couple of hours (as long as you've backed everything up) -which is probably less time than you've spent trying to kill the freakin' bug.

For the record - I'm not suggesting a re-install here. I'm just stating the obvious.


0

Response Number 25
Name: blender
Date: April 4, 2004 at 06:01:14 Pacific
Reply:

To whoever sent the file I asked for..

I received it ok...thanks!...now I will need a day or 2 to get it sorted. I will advise of what is to be done to remove the pest here in this thread and in a new topic.

I never give up!

Windows Update


0

Response Number 26
Name: Hydrak11
Date: April 4, 2004 at 20:37:32 Pacific
Reply:

Damn, Blender, you are THE MAN! Honestly, thanks for your help... If anything else occurs, I know where to come for help... here is my new HT Log... tell me if it is all spic and span... You rock man... Good Luck everyone else who has this icon.. It sucks...

Logfile of HijackThis v1.97.7
Scan saved at 10:29:44 PM, on 4/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\GEARSEC.exe
C:\Program Files\Winamp\winampa.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.exe
C:\Documents and Settings\Administrator\Desktop\Foolio\Applications\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\d0v4dvtu.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


0

Response Number 27
Name: blender
Date: April 4, 2004 at 23:01:30 Pacific
Reply:

Hydrak11

Your log looks clean.

Now before something else infects you...

Download Spywareblaster from here:

Spywareblaster

Once installed, update it...go through its little tutorial and suggestions to set up all its protection.
Check for updates about once a week to keep up with the new nasties.

Another program I use is IE-Spyad..
It puts several thousand known adware/crapware sites in your restricted zone in IE which by default has java, active x, downloading, and anything else that may be harmful disabled...so if you happen on a bad site...they can't mess you up.
It is updated about once a month. Follow instructions on the page for install/update...the procedure is a little different.
It will not affect safe sites' operation.

Download here:

IE-Spyad

Both programs mentioned above are free!

Don't forget to keep windows up to date too.

Here is a good page to read:

How Did I Get Infected?

Take care.
__________________________________

I never give up!

Windows Update


0

Response Number 28
Name: fanore
Date: April 5, 2004 at 18:36:43 Pacific
Reply:

Blender --
Just thought I'd let you know and thank you....I followed everything you suggested -- along with the programs you suggested others start using.....several days now and nothing has popped up. I think I'm clean!!! I really appreciate all that you did. I was lost otherwise......I'll keep looking for when you figure out what 123070.exe does....I have no doubt you will....it was on my computer as well....but it's gone now.....
-- Fanore


0

Response Number 29
Name: blender
Date: April 5, 2004 at 20:17:23 Pacific
Reply:

fanore

Glad it's finally gone! I have never had so much trouble hacking a dialer out of a system yet...nasty!

It seems it is a newer variant of this:
The file name is different but seems to do the same thing.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PORNDIAL.BP&VSect=T

You were likely told that it was a tool to assist viewing the site that installed it...they called it websiteviewer and it was really a premium rate dialer.

I had received a copy of the file and had a look at it...pretty much the same as one I downloaded.

Symantec calls it something else...

http://securityresponse.symantec.com/avcenter/venc/data/dialer.wsv.html

Take care and all the best.
________________________________
________________________________

Bosterson

If after running ad-aware the following items remain in your hijack log...

Start hijack again while offline and check the following:

O2 - BHO: TX4 - {00000000-0000-5DFC-5652-1705043F6518} - C:\WINDOWS\System32\audiosrv32.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

If you did not lock IE settings then check this too:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {69432678-2906-2705-1128-068943397621} -

Once all are checked close all windows except hijack and click fix checked

Reboot the computer

While still offline...

Empty out temporary internet files including offline content, history.

Clean out:

C:\windows\temp
c:\documents and settings\your name\*local settings\temp *=hidden (show hidden files and folders)

If there is a dialup account for TIBS anything...delete the account:

Start> settings> control panel> dialup networking> check account info in there..
Just highlight the tibs one> click remove

Repost new log when done.

Did you get that ad-aware prog?

Also check in above posts for spywareblaster and IE-Spyad links for protection.
____________________________________


I never give up!

Windows Update


0

Response Number 30
Name: yeroc
Date: April 6, 2004 at 14:08:42 Pacific
Reply:

Similar problem...I have followed some steps to take care of the situation but I am not sure if my log file is clean.
Thanks for your help...Brandon

Logfile of HijackThis v1.97.7
Scan saved at 4:02:12 PM, on 4/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\sxchost.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\93QR3L3L\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\sxchost.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38034.6091782407
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



0

Response Number 31
Name: bmass
Date: April 6, 2004 at 15:14:39 Pacific
Reply:

blender

I've followed your excellent help with fanore and I'm hoping you can help me with my log as well. I have essentially the same problems as fanore: hot teens desktop icon, websiteviewer folder that won't delete, homepage changed, etc. I will post my HijackThis log if you can help me. Many thanks.


0

Response Number 32
Name: blender
Date: April 6, 2004 at 16:31:18 Pacific
Reply:

yeroc

Your log still shows some things that need cleaning.

First, place hijack in its own folder in case we need to recover anything...it makes backups which do not work when run from a temp file.

Before fixing/deleting anything can you send me a zipped copy of the following files please to analyze?

c:\windows\dl.exe <-this file
c:\windows\dlm.exe <-this file
c:\windows\sxchost.exe <- this file

Copy them all to one folder and zip if possible.
Refer to title of this thread in subject of email so I can identify and not delete email.
Click my name for email addy.

Next while offline check the following in hijack:

O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe

O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe

O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\sxchost.exe

Once checked close all windows except hijack and click fix checked

Reboot the computer to safe mode (tap the f8 key on boot) and delete the following:

c:\windows\dl.exe <-file
c:\windows\dlm.exe <-file
c:\windows\sxchost.exe <-file

While still in safe mode clear out your temporary internet files:

Start> settings> control panel> internet options (may need to switch to classic view to see icons)
On the general tab click "delete files"
On the popup check "delete all offline content"
Click ok
Click "clear history"
Yes at the prompt.

Next go to:

c:\windows\temp
Clean out that folder...yes all can go.


Reboot to normal windows and post new hijack log.

Check links in response #27 for protection.
_________________________________________

Any others with similar problems please start new topic of your own. I will not answer any new logs in this thread.

I'm not trying to be a snob...just trying to maintain some order and prevent myself from catching hell and prevent confusion.

Thanks
_________________________________

Anyone who has already posted logs in this thread I will continue to help clean up, as I have asked you to post them. That is the following people:
fanore, Bosterson, yeroc, hydrak11.
_______________________________________

bmass

Please start thread of your own...
State you used ad-aware, spybot and that I asked for your log...or the mods will delete it.

Thanks.
______________________________________


I never give up!

Windows Update


0

Response Number 33
Name: yeroc
Date: April 7, 2004 at 06:34:45 Pacific
Reply:

Thanks blender for your help...sorry but I had already deleted the files you requested before I read your post this morning...thank you again.


0

Response Number 34
Name: yeroc
Date: April 7, 2004 at 06:36:53 Pacific
Reply:

here is a copy of my new hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 8:27:45 AM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\Owner\My Documents\My Pictures\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38034.6091782407
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



0

Response Number 35
Name: blender
Date: April 7, 2004 at 07:09:44 Pacific
Reply:

yeroc

Hello again.

Don't worry about those files..

Start hijack again and check the following: (I missed these the first round)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/


Once all are checked close all windows except hijack and click "fix checked"

Reboot the computer when done.

Things working better now?
__________________________________

I never give up!

Windows Update


0

Response Number 36
Name: yeroc
Date: April 7, 2004 at 09:13:49 Pacific
Reply:

You're awesome man...thank you!!!!!!!!
Things are running much better.

Hijack log...just in case =)

Logfile of HijackThis v1.97.7
Scan saved at 11:11:21 AM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\Owner\My Documents\My Pictures\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38034.6091782407
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



0

Response Number 37
Name: blender
Date: April 7, 2004 at 19:15:57 Pacific
Reply:

yeroc

Log looks good. :)

Now to protect yourself from future infection....follow some of the links in my above replies.
Particularly IE-Spyad, spywareblaster, All critical windows updates, Spywareguard, Ad-aware, Spybot S&D....I use em all.

Good luck and all the best.
_______________________________________

I never give up!

Windows Update


0

Response Number 38
Name: Bosterson
Date: April 7, 2004 at 23:30:54 Pacific
Reply:

Blender -

Thanks for the help. I ended up installing Ad-Aware at some point last week and it apparently killed the entire dialer without me having to even be in safe mode. I've been free of the program for 3 or 4 days at least, and I'm back running IE without it having popped up.

If you had time to analyze the files I sent you, did you figure out how it keeps reinstalling itself despite our attempts to delete its main files and registry keys? I'm curious.

Thanks again.


0

Response Number 39
Name: blender
Date: April 8, 2004 at 03:51:43 Pacific
Reply:

Bosterson

Glad you got it worked out.

I got the file you sent...thanks!

I am just learning to analyze those things but from what I could see it looks like it also installed a copy to:

c:\documents and settings\user name\*local settings\temp
*=hidden file
If the main files were deleted like we did so many times and even deleting temp internet files...once ie was restarted that dialer would re-load itself from that other temp folder...looks like it was instructed to but not sure of the exact sequence of events leading to re-infection.
Ad-aware has had a few updates since last week...maybe it included that dialer.
Also using the tweaked settings suggested somewhere in this thread...that should have nailed it. Looks like it did for you.

I was unable to send that file to lavasoft (makers of ad-aware)...they sent me email back saying they could not accept contaminated attachments and told me I was infected with Dialer\Tibs.a, they could not read my question and to clean my computer before sending them another email...LOL.
Apparently I had used the wrong address...likely someone else did get one sent through...maybe one of the other guys that analyze these files.

Take care.
_______________________________________

I never give up!

Windows Update


0
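As an added example (not code from this thread, from HijackThis, or from any poster), a small Python triage script for the log format posted above. It flags the patterns blender acted on: O4 autoruns launched from the Windows root or a Temp folder (the re-infection path described in response 39), R0/R1 browser settings pointing at a host outside an expected list, and the O10 missing-LSP entry. The sample log lines are constructed from the thread's logs, the `Loader`/`loader.exe` entry is a constructed placeholder, and the expected-host list is an assumption the caller supplies.

```python
"""Triage helper for HijackThis v1.97-style logs (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlparse

# Constructed sample modelled on the logs in the thread; the [Loader] line is a
# placeholder for the Temp-folder copy described in response 39.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [Upgrade Service] C:\WINDOWS\sxchost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Loader] C:\DOCUME~1\Owner\LOCALS~1\Temp\loader.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
"""

# Line shapes HijackThis uses for registry Run keys, Startup-folder shortcuts,
# browser-setting entries and the Winsock LSP warning.
O4_RUN = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_LNK = re.compile(r'^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')
R_ENTRY = re.compile(r'^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>\S+)$')
O10_LSP = re.compile(r"^O10 - Broken Internet access because of LSP provider '(?P<dll>[^']+)' missing$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)
DLL_RE = re.compile(r'^"?(?P<dll>.*?\.dll)', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section: O4, R0, R1, O10
    name: str      # Run value name, shortcut name, setting name or DLL
    target: str    # path or URL that was flagged
    reason: str


def launched_module(cmd: str) -> str:
    """Return what actually runs: the .exe, or for rundll32 the DLL it loads."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if not m:
        return cmd
    exe = m.group('exe')
    if exe.rsplit('\\', 1)[-1].lower() == 'rundll32.exe':
        dm = DLL_RE.match(cmd[m.end():].strip())
        if dm:
            return dm.group('dll')
    return exe


def suspicious_path_reasons(path: str) -> list:
    """Heuristics drawn from the thread: Windows-root and Temp-folder launches."""
    if not path or path == '?':
        return ['HijackThis could not resolve the target; inspect the shortcut by hand']
    directory, _, _ = path.rpartition('\\')
    if not directory:
        return ['bare filename with no directory; it is found via PATH, so confirm which copy runs']
    d = directory.lower()
    reasons = []
    if re.fullmatch(r'[a-z]:\\(windows|winnt)', d):
        reasons.append('runs directly from the Windows root, like the dl.exe/dlm.exe/sxchost.exe entries in the thread')
    segments = d.split('\\')
    if 'temp' in segments or 'temporary internet files' in segments:
        reasons.append('runs from a temporary folder, the re-infection path described in the thread')
    return reasons


def triage(log_text: str, expected_hosts: Iterable[str]) -> list:
    """Scan a log and return the entries a helper would want to look at first."""
    expected = {h.lower() for h in expected_hosts}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line) or O4_LNK.match(line)
        if m:
            target = launched_module(m.group('cmd'))
            for reason in suspicious_path_reasons(target):
                findings.append(Finding('O4', m.group('name'), target, reason))
            continue
        m = R_ENTRY.match(line)
        if m:
            host = urlparse(m.group('url')).hostname
            if host and host.lower() not in expected:
                findings.append(Finding(m.group('kind'), m.group('value'), m.group('url'),
                                        'browser setting points at a host outside the expected list'))
            continue
        m = O10_LSP.match(line)
        if m:
            findings.append(Finding('O10', m.group('dll'), '',
                                    'Winsock LSP chain references a missing DLL; review before fixing, '
                                    'since removing LSP entries incorrectly can break networking'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG, ['www.google.com']):
        print(f'{f.section:4} {f.name:16} {f.target}\n     -> {f.reason}')
```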

Response Number 40
Name: ReX
Date: April 8, 2004 at 11:32:58 Pacific
Reply:

This might help some. I think I got rid of mine when I used Hijackthis to remove a line with "c:\windows\system32\authz32.dll".

Here's what I did...

First, I got rid of everything having to do with k.exe, 123070, websiteviewer, avisynth32 and avifile32. This included removing files, prefetch items, registry items, etc. (as described above THANKS)

Second, I advanced my system clock to check the status but I was still getting k.exe in the process list (which I stopped immediately).

Third I repeated step 1, and got rid of the authz32.dll line with Hijack. After that, I advanced my clock again and it didn't show up. I advanced it many more times with more advance days and I still didn't get it.

I am not a pro so I don't know if I screwed anything up. However, so far, so good.

ReX


0

Response Number 41
Name: Carlabee
Date: April 8, 2004 at 15:24:36 Pacific
Reply:

Here's an interesting tidbit. Not sure if it's related though. I've been lurking, had the same problem but somewhat different. I didn't get the icon, but had the K.exe, etc. What I noticed about mine was that it would re-direct my browser, but only after I'd shut the computer down and restarted it. I followed the advice above and so far 3 days and nothing. Keeping my fingers crossed. Anyway, the other thing I noticed was that I was suddenly receiving tons of X-rated emails when this thing started. Since I've (hopefully) gotten rid of it, I haven't had any in 3 days!


0

Response Number 42
Name: milo1
Date: April 12, 2004 at 10:56:18 Pacific
Reply:

It has morphed again today. Nasty bugger. I cannot reboot into safe mode now. It goes into a continuous reboot loop moments after choosing any form of safe mode reboot, including through msconfig.

I am on XP Pro fully patched to the hilt. Spybot Search and Destroy and Adaware have not fixed it. I have HijackThis and may post my processes to you, but what is the most recent definitive solution to this nasty thing?

It auto-opened IE and sent me to a page asking me to click yes to agree to the dialer's terms. I did not save the link as I just now saw that you guys have been battling this here for a while.

Its most recent variant installed here too:
C:\Program Files\SBITPlugin

Help!


0

Response Number 43
Name: milo1
Date: April 12, 2004 at 11:13:32 Pacific
Reply:

Here is my HijackThis log..

Logfile of HijackThis v1.97.7
Scan saved at 1:12:16 PM, on 4/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.exe
C:\WINDOWS\System32\CTHELPER.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Boltshimsixth\help wma.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Snop Productions\There_Capture\There_Capture.exe
C:\Program Files\ARM Software\MacroMaker\MacroMaker.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rev Milo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web2.airmail.net/milo1/droopy.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.attbi.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r3.attbi.com
O2 - BHO: TX4 - {00000000-0000-7EBF-57C6-0BAE047EA682} - C:\WINDOWS\System32\autodisc32.dll
O2 - BHO: (no name) - {426B43F3-E8B6-4D51-A952-9676D4D4B462} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [inter lite] C:\PROGRA~1\Boltshimsixth\help wma.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: MacroMaker.lnk = ?
O4 - Global Startup: There_Capture.lnk = C:\Program Files\Snop Productions\There_Capture\There_Capture.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.attbi.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {69432678-2906-2705-1128-068943397621} -
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - file://C:\DOCUME~1\REVMIL~1\LOCALS~1\Temp\ThereInstallHelper.2.0.2106.0.dll
O16 - DPF: {8B486EF6-6B2A-4A1E-BB0D-236CB2DBB8D2} (There Voice Trainer) - file://C:\Program Files\There\ThereClient\ThereVoiceTrainer.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37599.4134837963
O16 - DPF: {AAF421E6-7914-430A-9981-72B31AFF3BF4} (There Launcher) - file://C:\Program Files\There\ThereClient\ThereLauncher.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



0

Response Number 44
Name: milo1
Date: April 12, 2004 at 11:19:15 Pacific
Reply:

C:\Program Files\Boltshimsixth\help wma.exe is newly created today about the time I think this hot teens dialer updated itself.

This is the nastiest bug I have ever had!

Any idea why I can't go into safe mode without going into a boot loop?


0
