Annoyances.org

re: New list of utilities
Wednesday, May 4, 2005 at 8:45 pm
Windows XP Annoyances Discussion Forum
Posted by Sonya (3 messages posted)


Thanks for your help! Here's the latest log...

Logfile of HijackThis v1.99.1
Scan saved at 8:41:24 PM, on 04/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ltmsg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Advisor - {93D153C4-4F21-4022-9D86-04CDAFB3A231} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{81E7055C-2C3E-4124-A230-E693F97E601F}: NameServer = 209.115.142.9 209.115.142.132
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


On Sunday, May 1, 2005 at 6:17 pm, Falcon wrote:

> 1. Reboot to Safe Mode
>
> 2. Check these entries in HijackThis and press Fix:
>
>    R3 - Default URLSearchHook is missing
>    O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\gegre.dll
>    O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
>    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
>    O4 - HKLM\..\Run: [Microsoft Service] C:\WINDOWS\system32\syshost.exe
>    O4 - HKLM\..\Run: [Microsoft IDCN] C:\WINDOWS\system32\mshe1p.exe
>    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
>    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
>    O4 - HKLM\..\Run: [Norton Personal Firewall] jah.exe
>    O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\shch.exe /i
>    O4 - HKLM\..\Run: [Win Update Microsoft] winmode.exe
>    O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\nerocheck.exe /i
>    O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
>    O4 - HKLM\..\Run: [Windows Secure Connection] winsc.exe
>    O4 - HKLM\..\Run: [gaSrve] C:\WINDOWS\gaSrve.exe
>    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteyrl32.exe
>    O4 - HKLM\..\Run: [CWETQ] C:\WINDOWS\aidwaew.exe
>    O4 - HKLM\..\RunServices: [Norton Personal Firewall] jah.exe
>    O4 - HKLM\..\RunServices: [Win Update Microsoft] winmode.exe
>    O4 - HKLM\..\RunServices: [Windows Secure Connection] winsc.exe
>    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
>    O4 - HKCU\..\Run: [Norton Personal Firewall] jah.exe
>    O4 - HKCU\..\Run: [Win Update Microsoft] winmode.exe
>    O4 - HKCU\..\Run: [Windows Secure Connection] winsc.exe
>    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
>
> 3. Delete these files and folders:
>
>    • C:\WINDOWS\System32\P2P Networking\
>    • C:\WINDOWS\System32\canada.exe
>    • C:\WINDOWS\aidwaew.exe
>    • C:\WINDOWS\gaSrve.exe
>    • C:\WINDOWS\gegre.dll
>    • C:\WINDOWS\nerocheck.exe
>    • C:\WINDOWS\shch.exe
>    • C:\WINDOWS\svchost.exe
>    • C:\WINDOWS\system32\mshe1p.exe
>    • C:\WINDOWS\system32\syshost.exe
>    • C:\windows\system32\eliteyrl32.exe
>    • c:\windows\system\BHOmod.dll
>    • jah.exe
>    • winmode.exe
>    • winsc.exe
>
> 4. Start->Run->"%temp%"->Delete all the files and folders there.
>
> 5. Reboot normally and post another log.
>
> My Malware Removal Instructions
>
> Perform the following:
>
> 1. Disable System Restore *
>
> 2. Perform an online virus scan * * * *.
>
> 3. Download, update, and run these tools:
>    Repeat as necessary until clean.
>
> 4. If you still experience problems after doing these steps, download HijackThis * and post a log to this forum.
>
> 5. To protect against reinfection, download and use these:
>    If at all possible, I recommend that you use alternative software, particularly web browsers and email clients:
>    If this is not a viable option, or for additional protection, use these:
>
> 6. Optionally Reenable System Restore *. Better alternatives to System Restore.
>
> If you encounter any broken links, please inform me of them. Also note that these links direct through my web server to allow me to keep them up-to-date or post additional info. If you are unable to use the links above, click the stars instead, which are a direct link to the page in question.


All content at Annoyances.org is Copyright © 1995-2010 Creative Element™. All rights reserved.
Please do not plagiarize; redistributing these pages without permission is strictly prohibited.