Hi! I'm a blonde college student who happened to download a toolbar that has plagued my computer with popups as I search with Internet Explorer. I ran Ad-aware and CWShredder. It finds new files every day, but it doesn't get rid of the popups. The websites are bannerfarm and metarewards.com that I have seen today. I looked around for help and I found the HijackThis software. I followed the instructions to post the running processes found on my computer. I need an expert to tell me what I can and cannot delete, and also any additional tips to forget about these popups.
Thank You!
Log from Hijack
Logfile of HijackThis v1.97.7
Scan saved at 8:37:23 PM, on 7/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.exe
C:\WINDOWS\SYSTEM\CTHELPER.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\YFRKSUZ.exe
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.exe
C:\PROGRAM FILES\AIM95\AIM.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MONEY EXPRESS.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\PROGRAM FILES\CASE'S LADDER\CHATCLIENT.exe
C:\WINDOWS\TEMP\HIJACKTHIS.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SPLASH SCREEN\CTEaxSpl.exe /run
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO}
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [dcmndivsm] C:\WINDOWS\SYSTEM\yfrksuz.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://play.igl.net/clo/install/CLOActiveXInstallerProj1.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38047.5185648148
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
Thanks!

Jen, I don't see an antivirus running and I think C:\WINDOWS\SYSTEM\YFRKSUZ.exe may be a virus; I don't know for sure, but you should run an online scan. A free online virus scan is here: Housecall
Download this free spyware remover, Ad-aware 6.0; be sure to update it and set it to this:
Launch the program, and click on the Gear at the top of the start screen.
Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.
Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.
Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.
You can get a free antivirus here: AVG antivirus
After you run the online scan and Ad-aware 6.0, post another log. These two items are probably causing your problem, but they may be cleaned up after running an antivirus scan and Ad-aware:
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O4 - HKLM\..\Run: [dcmndivsm] C:\WINDOWS\SYSTEM\yfrksuz.exe

Hello.
I ran Housecall and it picked up 8 viruses. I rebooted and I am running it again. It was unable to remove one virus, "Troj agent.ea". Also, I updated the settings on Ad-aware and I am running it again. After they finish, I will reboot and post another HijackThis log. Thanks!

To get rid of the trojan you have to disable your system restore:
This is my clean-up Me schpiel:
ARE YOU UPDATED ON WIN ME, OUTLOOK, AND IE? If not, do that first.
I run Ad-aware and Spybot, and I update and run them every three days or less, plus Script Sentry, MRU Blaster and Spyware Blaster in the background, and A Squared once a week or so just to double check; update it also every three days.
If you have, or think you have, trojans, viruses, etc., do this:
Dump system restore:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?Open&src=sec_doc_nam&docid=2001111912274039&nsf=tsgeninfo.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl
That is not an option; bugs hide in the system restore files. Do not re-enable them until you are sure you are clean.
General clean-up:
Expose Hidden Files:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Go into safe mode and run Ad-aware, Spybot, your updated AV, and then do this:
Use these in order:
Trojan Hunter trial version:
http://www.misec.net/
Trojan Scan:
http://www.windowsecurity.com/trojanscan/
SWATIT:
http://swatit.org/download.html
Reboot, back into safe mode:
Tools > Internet Options > General Tab > Delete files > check the box to delete offline content > click OK > Delete cookies > click OK.
%TEMP% files:
Double click the My Computer icon on the desktop > type %TEMP in the address bar > press Enter > delete all you can delete.
Empty recycle bin.
Go to Start > Programs > Accessories > System Tools > run Disk Cleanup, then ScanDisk; if ScanDisk tells you there are programs running in the background, Ctrl+Alt+Delete and end-task on everything except systray and explorer, then run ScanDisk > then Defragmenter.
Read this yet?:
Me set up page, Trev:
http://www.burzurq.com/forum/trevtweak.html
If you do not have a firewall or want a great free service, I use:
Free Sygate firewall:
http://smb.sygate.com/products/spf_standard.htm
Diagnostics:
Jason's Browser Security Test:
http://www.jasons-toolbox.com/BrowserSecurity/
Gibson tests:
http://www.grc.com/default.htm
I use LeakTest, DCOMbobulator, ShieldsUp, and UnplugNpray
Thresher

Hello.
Ok, so I keep running Ad-aware, Spybot and CWShredder and the virus scan. The trojan "ea" virus is still on my computer; I will try and fix that today. I just wanted to post a new HijackThis log and see if there is anything else bad.
Thanks!!
Logfile of HijackThis v1.97.7
Scan saved at 2:29:40 PM, on 7/5/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.exe
C:\WINDOWS\SYSTEM\CTHELPER.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\WINDOWS\SYSTEM\YFRKSUZ.exe
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\AIM95\AIM.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MONEY EXPRESS.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\PROGRAM FILES\WINZIP\WINZIP32.exe
C:\WINDOWS\TEMP\HIJACKTHIS.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO}
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.exe" +c
O4 - HKLM\..\Run: [xwczqrv] C:\WINDOWS\SYSTEM\YFRKSUZ.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

This is the source of your pop-ups.
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
Read this.
Adware Alert - TWAINTEC.DLL - MXTarget
This is bulls--- too.
O4 - HKLM\..\Run: [xwczqrv] C:\WINDOWS\SYSTEM\YFRKSUZ.exe
You'll probably have to go into safe mode and delete that file.
Then I suggest you go into msconfig and start unchecking the unnecessary startup items.
This should help for that.
Sysinfo -- Startup Applications List
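As an added example (not from this thread and not HijackThis code), the two patterns Viking points at above, a BHO DLL dropped straight into the Windows directory and a Run value with a random-looking name, can be pulled out of a HijackThis log mechanically. The script below parses the O2/O4 line formats shown in the posted logs, flags those two patterns, and diffs the Run entries of two logs so that the same yfrksuz.exe re-registering under a new value name between scans stands out; the heuristics and the sample lines (constructed from the first two logs) are assumptions, not rules from the tool.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "kind name target")

# O2 - BHO: (no name) - {CLSID} - C:\PATH\FILE.DLL
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# O4 - HKLM\..\Run: [ValueName] C:\PATH\FILE.exe args   (Run, RunServices, RunOnce)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First executable in a command line, quoted or not (unquoted paths may contain spaces)
EXE_RE = re.compile(r'"?(?P<path>.+?\.(?:exe|com|dll|bat))"?', re.I)

# Constructed samples: O2/O4 lines taken from the first and second logs in the thread
LOG1 = r"""
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [dcmndivsm] C:\WINDOWS\SYSTEM\yfrksuz.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
"""
LOG2 = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.exe" +c
O4 - HKLM\..\Run: [xwczqrv] C:\WINDOWS\SYSTEM\YFRKSUZ.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
"""

def exe_path(cmd):
    """Executable part of an O4 command line; falls back to the first token."""
    m = EXE_RE.match(cmd)
    return m["path"] if m else cmd.split()[0]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse(text):
    """Entry objects for every O2 and O4 registry line; other line types are skipped."""
    entries = []
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m["clsid"], m["path"]))
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", m["name"], exe_path(m["cmd"])))
    return entries

def looks_random(value_name):
    """Heuristic (assumption): an all-lowercase Run value name of 6+ letters with
    almost no vowels, like dcmndivsm or xwczqrv, is not how installers name keys."""
    if not re.fullmatch(r"[a-z]{6,}", value_name):
        return False
    return sum(c in "aeiou" for c in value_name) / len(value_name) < 0.25

def bho_in_windows_root(path):
    """Heuristic (assumption): a BHO DLL dropped straight into the Windows directory
    (TWAINTEC.DLL, MXTARGET.DLL) rather than under its product's folder deserves a look."""
    return re.fullmatch(r"[A-Za-z]:\\WINDOWS\\[^\\]+", path, re.I) is not None

def flag(text):
    """(reason, Entry) pairs for the suspicious O2/O4 lines of one log."""
    hits = []
    for e in parse(text):
        if e.kind == "O2" and bho_in_windows_root(e.target):
            hits.append(("BHO DLL in Windows root", e))
        elif e.kind == "O4" and looks_random(e.name):
            hits.append(("random-looking Run value name", e))
    return hits

def diff_run_entries(old_text, new_text):
    """Compare O4 entries of two logs by executable basename.
    Returns (renamed, added, removed); renamed maps basename -> (old names, new names)."""
    def index(text):
        idx = {}
        for e in parse(text):
            if e.kind == "O4":
                idx.setdefault(basename(e.target), set()).add(e.name)
        return idx
    old, new = index(old_text), index(new_text)
    renamed = {b: (old[b], new[b]) for b in old.keys() & new.keys() if old[b] != new[b]}
    return renamed, sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys())
```

Calling flag(LOG1) reports TWAINTEC.DLL and the dcmndivsm key, and diff_run_entries(LOG1, LOG2) shows yfrksuz.exe moving from value name dcmndivsm to xwczqrv while every legitimate entry keeps its name.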

Unable to clean trojan file C:\WINDOWS\Temporary Internet Files\Content.IE5\9B7FXP4A\clo[1].zip/clo.exe because it is contained in an archive
Unable to clean trojan file C:\WINDOWS\Temporary Internet Files\Content.IE5\ADRWXGR6\BlackAndRed[1].zip/BlackAndRed.exe because it is contained in an archive
Renamed file C:\WINDOWS\Temporary Internet Files\Content.IE5\K5AVGTMJ\leaktest[1].exe to C:\WINDOWS\Temporary Internet Files\Content.IE5\K5AVGTMJ\leaktest[1].exe.tcf
Unable to clean trojan file C:\WINDOWS\Temporary Internet Files\Content.IE5\KXAF6J8P\BlackAndRed[1].zip/BlackAndRed.exe because it is contained in an archive

Dear Computer Geniuses,
I have to say my computer is much better, but is not to your par. This is everything I have done, following the instructions of the last two replies posted by Thresher and Viking.
I updated WinMe, Outlook and Internet Explorer.
I ran Adware, a few times, and tracking cookies are results.
SpyBot Results include DSO exploit Data Sonic HKEY_USERS\.Default\Software\Microsoft\Windows\ Registry Change
Script Sentry Results... None. I don't understand how this program works. Am I supposed to run each file or only files I am suspicious of?
MRU Blaster found 1343 defected files... I just clicked the Clean Now button; I hope that's good. Oh, it says system status "good", so that's a plus!
Spyware Blaster is up and running
I disabled system restore, and took a bold step and just deleted the entire _Restore folder. Oh well, things are working swell, and a trojan was hiding there before.
Trojan Hunter Found a mess of stuff, I tried deleting and I got the following results.
Trojan Results
Unable to clean trojan file C:\WINDOWS\Temporary Internet Files\Content.IE5\ADRWXGR6\BlackAndRed[1].zip/BlackAndRed.exe because it is contained in an archive
Unable to clean trojan file C:\WINDOWS\Temporary Internet Files\Content.IE5\KXAF6J8P\BlackAndRed[1].zip/BlackAndRed.exe because it is contained in an archive
Also, after running a Gibson test, it asked me to run Trojan Hunter again. I received these errors:
Second Results
Unable to clean trojan file C:\WINDOWS\Temporary Internet Files\Content.IE5\9B7FXP4A\clo[1].zip/clo.exe because it is contained in an archive
Unable to clean trojan file C:\WINDOWS\Temporary Internet Files\Content.IE5\ADRWXGR6\BlackAndRed[1].zip/BlackAndRed.exe because it is contained in an archive
Renamed file C:\WINDOWS\Temporary Internet Files\Content.IE5\K5AVGTMJ\leaktest[1].exe to C:\WINDOWS\Temporary Internet Files\Content.IE5\K5AVGTMJ\leaktest[1].exe.tcf
Unable to clean trojan file C:\WINDOWS\Temporary Internet Files\Content.IE5\KXAF6J8P\BlackAndRed[1].zip/BlackAndRed.exe because it is contained in an archive
Trojan Scan would not work from my machine; I don't know why.
The Swatit link was not working either.
I deleted cookies and all offline content.
The %temp% instructions did not yield me any files to choose from, but sent me to a search website for MSN. I think there was an error in reading your instructions.
I emptied the recycle bin, and Disk Cleanup, ScanDisk and Defrag all went perfectly.
The set up page for ME was great, thank you!
Other security tests I ran included these results, please explain...
Shield Up Results
Common Ports
GRC Port Authority Report created on UTC: 2004-07-07 at 06:12:57
Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113, 119, 135, 139, 143, 389, 443, 445, 1002, 1024-1030, 1720, 5000
1 Ports Open, 22 Ports Closed, 3 Ports Stealth, 26 Ports Tested
The port found to be OPEN was: 1026
Ports found to be STEALTH were: 135, 139, 445
Other than what is listed above, all ports are CLOSED.
TruStealth: FAILED - NOT all tested ports were STEALTH, - NO unsolicited packets were received, - A PING REPLY (ICMP Echo) WAS RECEIVED.
All Service Ports
GRC Port Authority Report created on UTC: 2004-07-07 at 06:15:56
Results from scan of ports: 0-1055
1 Ports Open, 1049 Ports Closed, 6 Ports Stealth, 1056 Ports Tested
The port found to be OPEN was: 1026
Ports found to be STEALTH were: 135, 136, 137, 138, 139, 445
Other than what is listed above, all ports are CLOSED.
TruStealth: FAILED - NOT all tested ports were STEALTH, - NO unsolicited packets were received, - A PING REPLY (ICMP Echo) WAS RECEIVED.
NO MESSENGER SPAM
To Viking, I deleted the files you recommended that were the cause of my pop-up problems. That worked wonderfully and I am no longer plagued with pop-ups. Thank you very much.
Below is another HijackThis log in case you notice anything else I should fix. I'm trying to get my computer into the best shape ever!!
Thanks,
Jenny!
Logfile of HijackThis v1.97.7
Scan saved at 1:41:49 AM, on 7/7/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.exe
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.exe
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.exe
C:\PROGRAM FILES\AIM95\AIM.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MONEY EXPRESS.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\PROGRAM FILES\TROJANHUNTER 3.9\TROJANHUNTER.exe
C:\PROGRAM FILES\WINZIP\WINZIP32.exe
C:\WINDOWS\TEMP\HIJACKTHIS.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO}
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.exe" +c
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.exe"
O4 - HKLM\..\Run: [ScriptSentry] C:\WINDOWS\DESKTOP\COMPUTER FIX-IT\SCRIPTSENTRY.exe /check
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKLM\..\RunOnce: [WMC_0] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\drmstor.dll"
O4 - HKLM\..\RunOnce: [WMC_1] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\drmclien.dll"
O4 - HKLM\..\RunOnce: [WMC_2] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\drmv2clt.dll"
O4 - HKLM\..\RunOnce: [WMC_3] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\blackbox.dll"
O4 - HKLM\..\RunOnce: [WMC_4] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\msnetobj.dll"
O4 - HKLM\..\RunOnce: [WMC_5] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmnetmgr.dll"
O4 - HKLM\..\RunOnce: [WMC_6] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmadmod.dll"
O4 - HKLM\..\RunOnce: [WMC_7] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmsdmod.dll"
O4 - HKLM\..\RunOnce: [WMC_8] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\mp4sdmod.dll"
O4 - HKLM\..\RunOnce: [WMC_9] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\mp43dmod.dll"
O4 - HKLM\..\RunOnce: [WMC_10] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmvdmod.dll"
O4 - HKLM\..\RunOnce: [WMC_11] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\mpg4dmod.dll"
O4 - HKLM\..\RunOnce: [WMC_12] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmspdmod.dll"
O4 - HKLM\..\RunOnce: [WMC_13] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\laprxy.dll"
O4 - HKLM\..\RunOnce: [WMC_14] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmadmoe.dll"
O4 - HKLM\..\RunOnce: [WMC_15] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmsdmoe2.dll"
O4 - HKLM\..\RunOnce: [WMC_16] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmspdmoe.dll"
O4 - HKLM\..\RunOnce: [WMC_17] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmvdmoe2.dll"
O4 - HKLM\..\RunOnce: [WMC_18] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\qasf.dll"
O4 - HKLM\..\RunOnce: [WMC_19] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmvcore.dll"
O4 - HKLM\..\RunOnce: [WMC_20] "C:\WINDOWS\SYSTEM\logagent.exe" /RegServer
O4 - HKLM\..\RunOnce: [WMC_21] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\mswmdm.dll"
O4 - HKLM\..\RunOnce: [WMC_22] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\msscp.dll"
O4 - HKLM\..\RunOnce: [WMC_23] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\mspmsp.dll"
O4 - HKLM\..\RunOnce: [WMC_24] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmdmps.dll"
O4 - HKLM\..\RunOnce: [WMC_25] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmdmlog.dll"
O4 - HKLM\..\RunOnce: [WMC_26] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\CEWMDM.dll"
O4 - HKLM\..\RunOnce: [WMC_27] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmp.dll"
O4 - HKLM\..\RunOnce: [WMC_28] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmpshell.dll"
O4 - HKLM\..\RunOnce: [WMC_29] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmpdxm.dll"
O4 - HKLM\..\RunOnce: [WMC_30] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\wmpasf.dll"
O4 - HKLM\..\RunOnce: [WMC_31] C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\Program Files\Windows Media Player\mpvis.dll"
O4 - HKLM\..\RunOnce: [WMC_32] C:\WINDOWS\INF\unregmp2.exe /Shortcuts /RegExts
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://play.igl.net/clo/install/CLOActiveXInstallerProj1.cab

Disable system restore first and then do an online virus scan at Panda Active Scan. Disinfect whatever turns up. Yes, I know you've done Housecall already, I can see it.
Then run Trojan Scan.
Next, download and run Delindex 5.1. You need an ME startup disk or boot disk (make one, or get one).
Now go in msconfig (Start >> Run >> type, msconfig >> click the startup tab) and uncheck anything to do with: WMP, Windows Media Player, Windows Media Player 7, WMC, etc etc.
Now post a log file.

Change of running order:
Delindex 5.1
Disable system restore
Panda scan
Trojan scan (try it after delindex).
Then msconfig >> then new log file
