Someone Please Help

Discussion in 'Windows Desktop Systems' started by lostprophet, Aug 17, 2004.

  1. lostprophet

    lostprophet OSNN One Post Wonder

    Messages:
    8
    I somehow got infected with a ridiculous amount of spyware and it's getting annoying. My homepage keeps getting hijacked and there's this stupid side find thing that keeps opening in every window. I deleted it but it keeps saying that the .dll file cannot be deleted, so now, even though the button doesn't appear in my toolbars, it still keeps opening but it doesn't show anything. Can someone please help me? If I run Hijack This, will someone take a look at the log for me? Thanks in advance for your help.
     
  2. Lee

    Lee OSNN Proxy

    Well log? Where is it?

    Please also add ops, thanks.
     
  3. lostprophet

    lostprophet OSNN One Post Wonder

    Messages:
    8
    I added the logfile as an attachment.
    Thanks for the help.
     


  4. Lee

    Lee OSNN Proxy

    Go to Windows Update and get some patches, then update and run again.
     
  5. dreamliner77

    dreamliner77 The Analog Kid

    Messages:
    4,702
    Location:
    Red Sox Nation
    And run Spybot and Ad-Aware in Safe Mode.
     
  6. Hsn

    Hsn King

    Messages:
    1,082
    Location:
    Calgary, Canada
    Does it make a difference when you run it in safe mode?
     
  7. muzikool

    muzikool Act your wage. Political User

    Yeah it can, because limited processes are loaded when booting into Safe Mode. This can prevent the spyware from running while you scan and clean the system, which will make things easier and more effective.
     
  8. Hsn

    Hsn King

    Messages:
    1,082
    Location:
    Calgary, Canada
    Thank you for clearing that up :)
     
  9. muzikool

    muzikool Act your wage. Political User

    Sure thing. I can't say with absolute certainty that cleaning off spyware in Safe Mode will be 100% effective every time, but it's still the best option. :)
     
  10. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    Hi lostprophet, you've got a few things to clean. First download the latest version of HJT, http://www.majorgeeks.com/download3155.html and download CWShredder, http://www.majorgeeks.com/download4086.html

    Go into Add/Remove Programs and uninstall WinTools.

    First download this tool to fix the Peper infection you have (http://downloads.subratam.org/PeperFix.exe). Run it and reboot if it asks you to.

    Run CWShredder, let it fix everything it finds. Then have HJT fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://line-plus.com/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ls0.net/home.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.do-jaja.com/search/index.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\secure.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ls0.net/home.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\secure.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
    R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\Program Files\IntBar\rundlg32.dll
    F0 - system.ini: Shell=Explorer.exe monitor.exe
    F1 - win.ini: run=C:\WINNT\inetdata\winlogon.exe
    F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
    O2 - BHO: (no name) - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINNT\msopt.dll
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {690EC3C0-E676-45B2-9403-B18CFAAF0074} - C:\WINNT\System32\bck.dll
    O2 - BHO: (no name) - {6AAF6229-B01D-2D90-8752-60550FA92F15} - C:\WINNT\System32\mldxr.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
    O2 - BHO: (no name) - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll
    O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Administrator\Local Settings\Temp\WYMJ4WpaW.dll (file missing)
    O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\winnt\sr.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
    O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\Program Files\IntBar\rundlg32.dll
    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [38Z3MSR3DDD##A] C:\WINNT\System32\NipM9X44.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetdata\winlogon.exe
    O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
    O4 - HKCU\..\Run: [monitor] monitor.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINNT\inetdata\winlogon.exe
    O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
    O9 - Extra button: SideFind (HKLM)
    O15 - Trusted Zone: *.iwantsearch.com
    O15 - Trusted Zone: www.mt-download.com
    O15 - Trusted Zone: install.xxxtoolbar.com
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.179.54/winsearchie32.chm::/winsearchie32.exe
    O16 - DPF: {11010101-1001-1111-1000-115676576811} - ms-its:mhtml:file://c:\nosuch.mht!http://www.ustimerz.com/cm11111/var.chm::/var.exe
    O16 - DPF: {11010101-1001-1111-1000-115676576822} - ms-its:mhtml:file://c:\nosuch.mht!http://www.ustimerz.com/cm11112/var1.chm::/var1.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\\nosuch.mht!http://line-plus.com/newhelp.chm::/newhelp.exe
    O16 - DPF: {11311111-1111-1111-1111-11111121115F} - file://C:\Recycled\Q383302.exe
    O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...2244d317f6ab2c86bff7585b7e883263ddf35912dd813dee463c744961d2b31add589650eef4d876c0fc2a2f745d64562:c31e3730b38c174130e1e2729109a237
    O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://access.babetv.co.uk/000001/us/enter/enter.exe
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/106abb0db27c23459105/netzip/RdxIE601.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50019/QDow_AS2.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O19 - User stylesheet: C:\WINNT\color.css (file missing)

    Now reboot into Safe Mode (tap F8 at boot) and delete:

    C:\Documents and Settings\All Users\Application Data\IEserver\ <--folder
    C:\Documents and Settings\Administrator\Local Settings\Temp\ <--everything in this folder
    C:\Program Files\Common Files\WinTools <--folder
    C:\Program Files\IntBar\ <--folder
    C:\Program Files\SEP\ <--folder
    C:\Program Files\SideFind\ <--folder
    C:\WINNT\inetdata\winlogon.exe <--file
    C:\WINNT\system32\services\msxmidi.exe <--file
    C:\WINNT\system32\monitor.exe <--file
    c:\winnt\tour.reg <--file

    Reboot normally, and post a new log. Please just post it, do not attach it.

    Go to Windows Update; you NEED TO GET SP4 for Win2000, along with ALL CRITICAL UPDATES. I also do not see an antivirus program running, but it could have been corrupted by your infection. If you do not have one, install AVG 6.0 Free; as the name says, it is free, and very good. You must keep yourself updated.
     
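    A defensive first-pass triage of a HijackThis log, added here as an example (it is not the poster's log and not HijackThis's own code): it encodes the kinds of entries j79zlr picked out by hand above so the same checks can be run over any pasted log. The sample entries are constructed in the HJT format used in this thread; the host in the ms-its: entry is a placeholder, and a hit means "review this", not "proven malicious".

```python
"""Heuristic first-pass triage of HijackThis (v1.98-era) log lines.

Rules encode the patterns fixed by hand in this thread: IE pages pointed at a
local file or obfuscated URL, Shell=/run= autostarts, autoruns from a Temp
folder or using a system binary's name outside system32, DPF entries pulled
via ms-its:/file://, Trusted Zone additions, MIME filters, DisableRegedit.
"""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (section, reason, original line)

ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
LOCAL_PATH = re.compile(r"^(file://|[a-z]:\\)")
RARE_FILTERS = ("text/html", "text/plain", "application/octet-stream", "application/hta")

# Constructed sample in HijackThis format; entries modelled on the ones in this
# thread, with a placeholder host in the ms-its: entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ls0.net/home.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
F0 - system.ini: Shell=Explorer.exe monitor.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetdata\winlogon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [7] C:\documents and settings\administrator\local settings\temp\7.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: *.iwantsearch.com
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://placeholder.invalid/x.chm::/x.exe
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll
"""


def _run_target(body: str) -> str:
    """Command after '[name]' in an O4 entry, with surrounding quotes removed."""
    m = re.search(r"\]\s*(.*)$", body)
    return (m.group(1) if m else body).strip().strip('"')


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; return a Finding, or None if it looks unremarkable."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()
    value = low.split("=", 1)[1].strip() if "=" in low else ""
    if sec in ("R0", "R1") and (LOCAL_PATH.match(value) or "(obfuscated)" in low):
        return (sec, "IE page/search setting points to a local file or obfuscated URL", line)
    if sec.startswith("F"):
        if "shell=" in low and low.split("shell=", 1)[1].strip() != "explorer.exe":
            return (sec, "Shell= loads something besides Explorer.exe", line)
        if "run=" in low:
            return (sec, "legacy win.ini run= autostart", line)
    if sec == "O4":
        target = _run_target(low)
        if "\\temp\\" in target:
            return (sec, "autorun launched from a Temp folder", line)
        exe = re.search(r'([^\\/"\s]+\.exe)', target)
        if exe and exe.group(1) == "winlogon.exe" and "\\system32\\" not in target:
            return (sec, "system binary name used outside system32", line)
    if sec == "O7" and "disableregedit=1" in low:
        return (sec, "Registry Editor disabled by policy", line)
    if sec == "O15":
        return (sec, "site added to the Trusted Zone", line)
    if sec == "O16" and ("ms-its:" in low or "file://" in low or low.endswith(".exe")):
        return (sec, "DPF entry points at an executable or an ms-its:/file:// source, not a CAB", line)
    if sec == "O18" and any(t in low for t in RARE_FILTERS):
        return (sec, "MIME filter registered for a type IE normally handles itself", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and collect the hits in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def sections_flagged(log_text: str) -> List[str]:
    return [sec for sec, _, _ in triage(log_text)]


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line.strip()}")
```

Entries with a plausible-looking http:// value (the hijacked SearchURL lines above, for instance) are deliberately not flagged by these rules; those still need a human to recognise the domain.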
  11. wadada

    wadada Moderator

    Messages:
    707
    Location:
    netherlands
    Holy cow, what a mess :eek:
     
  12. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    I've seen worse :)
     
  13. logisticprism

    logisticprism Time Dr. Freeman?

    Messages:
    203
    When a computer is extremely cluttered and plagued with spyware beyond belief, nothing beats a good old reformat and a fresh install of Win XP SP2.
     
  14. dreamliner77

    dreamliner77 The Analog Kid

    Messages:
    4,702
    Location:
    Red Sox Nation
  15. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    You never learn anything from formatting; it should always be the last option, not the first.
     
  16. lostprophet

    lostprophet OSNN One Post Wonder

    Messages:
    8
    Logfile of HijackThis v1.98.2
    Scan saved at 10:30:25 PM, on 8/17/2004
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\scagent.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\explorer.exe
    C:\WINNT\System32\tp4serv.exe
    C:\WINNT\System32\ltcm000c.exe
    C:\WINNT\System32\Promon.exe
    C:\WINNT\System32\RunDll32.exe
    C:\WINNT\System32\PRPCUI.exe
    C:\WINNT\loadqm.exe
    C:\WINNT\loadqm.exe
    C:\documents and settings\administrator\local settings\temp\7.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINNT\System32\rtifnet.exe
    C:\WINNT\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\winnt\winserv.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    C:\Hijack This\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: run=C:\WINNT\inetdata\winlogon.exe
    O2 - BHO: (no name) - {6AAF6229-B01D-2D90-8752-60550FA92F15} - C:\WINNT\System32\mldxr.dll
    O2 - BHO: (no name) - {8CA79A4D-9A99-46A7-BEE3-4555B3724620} - C:\WINNT\System32\gcc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [7] C:\documents and settings\administrator\local settings\temp\7.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [o23U36T] rtifnet.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [winlogon] c:\winnt\winserv.exe
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O18 - Filter: application/hta - {D962EF38-5FB0-4761-8638-C86F085E25E6} - C:\WINNT\mwshelp.dll
    O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINNT\mwshelp.dll
    O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll
    O18 - Filter: text/plain - {ED8D9D23-E9D1-4014-A91F-49E4C9705C8E} - C:\WINNT\System32\gcc.dll
     
  17. dreamliner77

    dreamliner77 The Analog Kid

    Messages:
    4,702
    Location:
    Red Sox Nation
    Yeah, but there are a lot of downsides to having that much spyware and then removing it, not to mention all the other crap that has probably been on there at one point. The registry is probably bloated beyond belief, there's probably a bunch of crap left over from uninstalls that don't remove everything, etc., etc.
     
  18. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    OK, much cleaner than before but you have some new spyware.

    Rerun CWShredder again, then have HJT fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: run=C:\WINNT\inetdata\winlogon.exe
    O2 - BHO: (no name) - {6AAF6229-B01D-2D90-8752-60550FA92F15} - C:\WINNT\System32\mldxr.dll
    O2 - BHO: (no name) - {8CA79A4D-9A99-46A7-BEE3-4555B3724620} - C:\WINNT\System32\gcc.dll
    O4 - HKLM\..\Run: [7] C:\documents and settings\administrator\local settings\temp\7.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [o23U36T] rtifnet.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINNT\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKCU\..\Run: [winlogon] c:\winnt\winserv.exe
    O18 - Filter: application/hta - {D962EF38-5FB0-4761-8638-C86F085E25E6} - C:\WINNT\mwshelp.dll
    O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINNT\mwshelp.dll
    O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll
    O18 - Filter: text/plain - {ED8D9D23-E9D1-4014-A91F-49E4C9705C8E} - C:\WINNT\System32\gcc.dll

    Reboot into Safe Mode and delete:

    C:\documents and settings\administrator\local settings\temp\ <--everything in this folder
    C:\Program Files\AutoUpdate\ <--folder
    C:\Program Files\Common Files\Dpi\ <--folder
    C:\WINNT\inetdata\winlogon.exe <--file
    C:\WINNT\system32\pcs\ <--folder
    C:\WINNT\system32\rtifnet.exe <--file
    c:\winnt\winserv.exe <--file

    Do yourself a favor, update Windows as I had previously suggested and download Firefox to use as a browser. Reboot and post a new log.
     
  19. lostprophet

    lostprophet OSNN One Post Wonder

    Messages:
    8
    Logfile of HijackThis v1.98.2
    Scan saved at 8:36:53 AM, on 8/18/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\scagent.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\tp4serv.exe
    C:\WINNT\system32\ltcm000c.exe
    C:\WINNT\system32\Promon.exe
    C:\WINNT\system32\RunDll32.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    C:\Hijack This\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot7_x.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINNT\mwshelp.dll
    O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll
     
  20. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    OK, these aren't playing nice. Boot into Safe Mode first and delete:

    C:\WINNT\httpfilter.dll <--file
    C:\WINNT\mwshelp.dll <--file

    Reboot and run CWShredder again and then have HJT fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - C:\WINNT\mwshelp.dll
    O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll

    Reboot and post a new log.