Ok, I use Mozilla and IE6 to browse. I also have Norton 2006 installed. But here's the thing: Norton is not picking anything up when I run full scans. I know it works because it killed a trojan horse a week or so ago. But the weird thing is I keep getting these pop-up ads out of nowhere, and they are the same ones.
The main two are for anti-virus stuff. One is a page that pops up and looks like a Windows Add/Remove Programs page. I almost thought it was the Windows thing until I looked at the URL and could see that it was not really from Microsoft. I just X out of the thing and then it still gives me more pop-ups.
Here is the url (it just popped up as I was typing this);
http://scanner.sysprotect.com/pages/scanner/?p=20&ex=1&ax=2&aid=nm_ap_spt_r5&lid=keyin
When I close that out by clicking on the X I get this message:
Notice: You have not completed the scan. If your computer has errors in the registry or database file system, it could cause unpredictable or erractic behavior, freezes or crashes.
Sysprotect can perform a quick and completely FREE scan of your system for errors.
Would you like to download Sysprotect to scan for and, if found, correct any registry problems now (recommended)?
The other ones I get are all things that say something like "(insert virus name here) could be affecting your system." That URL always starts with www.ameana.com and has other stuff after that. Some virus names are Mytob and Backteria.
I know I don't have these things and it is some type of spyware stuff. Am I right? And if so, how do I remove it, since Norton doesn't seem to get it?
Help!
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-1
Go there and download ad-aware. Update and scan. Remove anything harmful it picks up.
http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html?tag=lst-0-1
Download that and update and scan. Remove anything harmful it picks up.
http://www.download.com/HijackThis/3000-8022_4-10379544.html?tag=lst-0-1
Then download that and install it, but don't run it yet. Just have it ready just in case.
How up to date is your Norton by the way?
Thank you. :yay
Big time help.
Both of them picked up stuff and the stuff I was describing in my first post were all spybot shtein.
buy a mac. problem solved. ^-^
Quote from: mussa on May 21, 2006, 05:51:13 AM
buy a mac. problem solved. ^-^
Not necessarily. (http://news.yahoo.com/s/macworld/20060515/tc_macworld/security20060515_1)
Quote from: Geowhizzer on May 21, 2006, 08:45:49 AM
Not necessarily. (http://news.yahoo.com/s/macworld/20060515/tc_macworld/security20060515_1)
That's 1/100 the problems PC users could and do encounter.
Quote from: mussa on May 21, 2006, 09:53:06 AM
That's 1/100 the problems PC users could and do encounter.
I'm sure that there's no doubt about that. But, if the Mac market share grows as anticipated, the virus threat will grow with it. The more people use Macs, the more appealing a target it will make for the vengeful nerds that are trying to strike back for being stuffed in the locker in high school.
Windows is the bigger target because of its immense target size- attacking Windows gets attention around the world. It's folly to think that Mac is inherently immune from such attacks.
(BTW, I've run Windows for 12+ years without a virus attack.)
Second Virus Attacks Mac OS X: Security firms say Mac is likely to become a bigger hacker and malware target. (http://www.redherring.com/article.aspx?a=15777)
I thought most hackers ran off Macs. Either way, I've never had a problem and I am confident that it won't become a problem like it has for PCs. Mac OS X is just way more solid than Windows. Nothing is safe, though, from those who know how to exploit it. If you are smart, like you mentioned, 12 yrs without problems, then you really have nothing to worry about. Just keep up with updates and don't download or open anything you're not sure about.
I've used a Mac for 10 years now. The number of virus or security threats to me personally = 0,
which is also how much money I have spent on antivirus or security software.
It's simply not needed. And a security threat is different from a virus. Your typical virus wouldn't be effective on a Mac at all. The OS's security requires you to authenticate any changes made to the core system library. So the trojan horse is useless, which is what most mainstream viruses are.
Ok, I need some help again, y'all.
I have scanned my computer with Norton three times in the last two days. I have used the programs that Bunkley78 recommended (only the first two, Spybot and AdAware) numerous times as well and they are not catching whatever I have. They bring up a few problems (Ad and Spy) and none on Norton.
I have no problems when I am using just Mozilla. But when I load up Internet Explorer...that's when the shtein starts.
This is the link that I see (http://62.4.84.53/trafc-2/rfe.php?cmp=spt_h&nid=ap&uid=1D6E2B7ECA6F11DA8C84000B6AC2AAE3&guid=f8372ad0+DFF1692788E64EAAA097460B7E65289B)
That pops up like 40-50 times. IE goes into a fit and it starts opening 40-50 new windows. It takes forever to get the computer to stop and then close them all out. I am also getting popups for stuff and that popup like I had the last time for some anti-virus stuff.
I use IE6.
So obviously there is a virus in the IE, right? How do I get rid of it? Sometimes it makes my computer run reallllly slow too.
Can I just uninstall IE and the reinstall it? How do I do that?
Please help.
Edit-- I just clicked on that link and it goes to that system protect crap that I had talked about earlier. I couldn't see what it was when it was popping up 50 times on IE because all of the windows just showed the "page could not load" thing. But it is for that program that is made to look like the Microsoft uninstall/remove programs thing but is really not.
Just stop using IE, man. Stooooooop.
I don't really use it that much anymore. But I need two different browsers so I don't have to switch my PE.com accounts all the time. I use one for my real s/n and one for my other s/n.
And even if I don't use IE anymore, what other browsers are out there?
And I still need to get the crap off of my system, right?
Also, if you notice the beginning of that link is an IP address. This is a different one than what I saw the first time this happened. The last time it started with a 202. This time it is 62.4.84.53
And I just did a WHOIS search...its registered to some dickbag from Belgium.
Request: 62.4.84.53
connected to whois.arin.net [192.149.252.44:43] ...
connected to whois.ripe.net [193.0.0.135:43] ...
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '62.4.84.0 - 62.4.84.255'
inetnum: 62.4.84.0 - 62.4.84.255
netname: CYBERTECHNOLOGY
descr: Cyber Technology BV BA/SPRL
descr: Belgium
country: NL
admin-c: OVL3-RIPE
tech-c: OVL3-RIPE
status: ASSIGNED PA
remarks: *******************************************
remarks: * Abuse contact: abuse@mycyberhosting.net *
remarks: *******************************************
mnt-by: ABOVENET-P
mnt-lower: ABOVENET-P
mnt-routes: ABOVENET-P
source: RIPE # Filtered
person: Oliver van Loven
address: Cyber Technology BVBA/SPRL
address: 56 Avenue du printemps
address: 1410 Waterloo Brussels
address: Belgium
e-mail: Leole@infonie.be
phone: +32 2 479 87 16
fax-no: +32 2 479 87 16
mnt-by: ABOVENET-P
nic-hdl: OVL3-RIPE
source: RIPE # Filtered
% Information related to '62.4.64.0/19AS6461'
route: 62.4.64.0/19
descr: AboveNet Europe
origin: AS6461
remarks: AboveNet
mnt-by: ABOVENET-P
source: RIPE # Filtered
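The whois paste above is the raw material for an abuse report, and the useful facts in it are spread across three RPSL objects (the inetnum, the person record, and the route). The following is an added example, not part of the original thread: a small parser that pulls the reportable fields out of a RIPE reply. It assumes the "key: value" layout shown in the paste and that "source:" is the last attribute of every object, which is the only object separator that survives once a forum paste has stripped the blank lines. The sample text is a constructed, trimmed copy of the reply quoted above with the person record's contact lines removed.

```python
"""Pull the reportable facts out of a RIPE whois reply.

Added example, not part of the original thread. Assumes RPSL "key: value"
lines and that "source:" closes each object (true for RIPE output).
"""
import re

# Constructed sample: a trimmed copy of the RIPE reply pasted in the thread,
# with the person object's e-mail/phone/fax lines removed.
SAMPLE_WHOIS = """\
% Information related to '62.4.84.0 - 62.4.84.255'
inetnum: 62.4.84.0 - 62.4.84.255
netname: CYBERTECHNOLOGY
descr: Cyber Technology BV BA/SPRL
descr: Belgium
country: NL
admin-c: OVL3-RIPE
tech-c: OVL3-RIPE
status: ASSIGNED PA
remarks: *******************************************
remarks: * Abuse contact: abuse@mycyberhosting.net *
remarks: *******************************************
mnt-by: ABOVENET-P
source: RIPE # Filtered
person: Oliver van Loven
address: Cyber Technology BVBA/SPRL
nic-hdl: OVL3-RIPE
source: RIPE # Filtered
% Information related to '62.4.64.0/19AS6461'
route: 62.4.64.0/19
descr: AboveNet Europe
origin: AS6461
mnt-by: ABOVENET-P
source: RIPE # Filtered
"""

ATTR_RE = re.compile(r"^([a-z][a-z-]*):\s*(.*)$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_rpsl(text):
    """Return a list of objects, each a dict of attribute -> list of values."""
    objects, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%"):
            # Comment or blank line: terminates any object in progress.
            if current:
                objects.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue  # tool chatter such as the "connected to ..." lines
        key, value = m.group(1), m.group(2).strip()
        current.setdefault(key, []).append(value)
        if key == "source":  # last attribute of every RPSL object
            objects.append(current)
            current = {}
    if current:
        objects.append(current)
    return objects


def summarize(text):
    """Collect what an abuse report needs: range, holder, country, origin AS, abuse mailbox."""
    objs = parse_rpsl(text)
    inetnum = next((o for o in objs if "inetnum" in o), {})
    route = next((o for o in objs if "route" in o), {})
    abuse = set()
    # RIPE puts the abuse mailbox in free-text remarks on the inetnum.
    for value in inetnum.get("remarks", []):
        abuse.update(EMAIL_RE.findall(value))
    return {
        "range": inetnum.get("inetnum", [None])[0],
        "netname": inetnum.get("netname", [None])[0],
        "descr": inetnum.get("descr", []),
        "country": inetnum.get("country", [None])[0],
        "origin_as": route.get("origin", [None])[0],
        "abuse_contacts": sorted(abuse),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_WHOIS).items():
        print(f"{key}: {value}")
```

Two things worth noticing in the summary: the descr says Belgium while the registered country code is NL, so the parser keeps both rather than picking one, and the route object belongs to AboveNet (AS6461), which is the transit provider, not the operator of the host; the report goes to the abuse mailbox in the inetnum remarks, not to the AS holder.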
What is your homepage for IE?
http://www.download.com/HijackThis/3000-8022_4-10227353.html
I know my share about computers, but I'm not a tech head. Download that, scan and post the log on here in a quote so it doesn't take up the whole page.
I'll copy it and let some techies look at it and get back to you.
couple of suggestions:
-make sure latest Windows updates have been installed (it has updated security features)
-make sure your NAV has been updated -run Live Update (I assume you are on NAV2006)
-make sure IE has security turned on (or you may need to adjust to a higher setting)
-run your NAV scan and spyware scans in SAFE mode
-try installing Spyware Blaster (it has Mozilla protections too)
-have your ISP check your PC (you may be a virus/trojan source)
-drink heavily
one suggestion:
get a mac :P
(cue link to the 3 security warnings on the mac over the last 5 years)
I can't believe no one has stated the obvious.
I mean, it's pretty clear where you're getting all these viruses & stuff from.
The solution:
STOP VISITING EXTREMESKINS!!!
;)
Phreak,
I have had users come to me about problems with this before. It seems to be Adware/Spyware that uses an executable similar to a trojan. Do you have strange entries showing up in your Add/Remove Programs menu, or under Start>All Programs view? Let me know what you find, or any "manufacturer" or names you see showing up. If it is what I think it is, there should be some evidence that a SpyWare program was installed, which will direct you to a site where you can purchase the horseshtein Spyware software. The fix involves some relatively simple changes to your registry, and some .DLLs being deleted, which you will have to be in Safe Mode to do. Let me know. The site you linked earlier is blocked here. Oh, and as said earlier, stop using IE. ;)
Mozilla Firefox is way better than IE. I've been using it for 2 years; you won't be disappointed.
Quote from: Geowhizzer on May 21, 2006, 10:09:30 AM
But, if the Mac market share grows as anticipated, the virus threat will grow with it.
That's pretty much my position. At this point, Mac's OS hasn't been an attractive target. But it might be before long.
Ok, here's another problem. When I start my computer it takes FOREVER to get anything to start up. The computer starts fine and it brings up my desktop. But, and tonight was really bad, it will not start any programs up for me. I tried to log onto the internet at 0300. It took me 28 minutes to get past the bullshtein. My internet connection is working fine, so its not that.
I have the latest edition of Norton. The one where the little yellow logo is down by the clock tray. It does a system check on start-up and then says if everything is running OK. That takes forever. Then I clicked on Firefox and it wouldn't load up. The little hourglass thing would go on like it wanted to load and then it would disappear. I re-started my PC three times. Twice I got popups as soon as it started up and went to the desktop. The first was for some porn shtein and the second was for some DVD burner. It took forever to close that as well.
Bunkley,
My homepage on IE is the comcast.net homepage. I will download that program and post the log tomorrow night. I don't have the time to do it now.
Steve,
I have all of the Windows updates DL'ed.
The Norton stuff via Live Update are all up to date as well.
The IE security stuff is good as well.
The running Norton and spyware stuff in safe mode is something I have no idea how to do. I am ignorant when it comes to this computer stuff. How do I do that?
I will be drinking heavily starting tomorrow night.
:-D @ Rome. I haven't visited there in awhile.
DC,
I am not sure what you mean by strange entries. I can tell you this...I had some things that appeared on my desktop. There were like 7 things that were shortcuts to crazy programs. I never clicked on them. I deleted them immediately though.
Like I said, I am a fool when it comes to this stuff. How could I check to see if I have what you think I have. I don't know how to run stuff in safe mode either. How do I change my registry stuff and delete those DLL things?
Thanks for all of your help, y'all. I don't know how I got this stuff. This is a relatively new PC and I have it protected, or at least I thought I did, and this shtein is crazy. Why would it be taking so long to load stuff when I first start it up? Why does it not start programs until I restart several times?
Whatever the deal is, hijack this should find it. Post a log when you can and I'll pass it along to some tech heads, and tell you what to fix.
Buy a new computer.
Download and run Spybot (http://spybot)
Buy an abacus. They don't get viruses.
Seriously, though...another thing to think about if you keep having these problems is to just wipe your system and start fresh. Just back up your stuff and pop in your system restore disks for a clean slate. I find that it really helps every couple of years or so.
As long as all the stuff you're backing up is clean.
Quote from: Zanshin on June 09, 2006, 09:36:47 AM
Seriously, though...another thing to think about if you keep having these problems is to just wipe your system and start fresh. Just back up your stuff and pop in your system restore disks for a clean slate. I find that it really helps every couple of years or so.
Yeah, but he's saying that the computer is new. He might just need to call his helpdesk--if you don't have one, call your manufacturer and purchase one, it's worth the money for these headaches--and have him do a walkthrough of any unwanted adware or programs that are on his hard drive. He can do a full system scan and manually delete. You will be amazed what pops up on your drive without your knowledge. If you are looking at porn in prison Phreak, 2 things: watch your back and watch your back.
Logfile of HijackThis v1.99.1
Scan saved at 1:37:51 AM, on 6/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: ohb - {E8888041-B24A-4B0B-911B-12B018E43F21} - C:\WINDOWS\system32\rlmtcs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146726124343
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
There is the file, Bunkley.
I passed it on to some techies. I'll get back to you after I hear from them.
Thanks, man.
I think that I found some of the stuff that is causing my problem.
That gopher search shtein seems suspicious. I clicked on the description of it and it said it was not needed and could cause a change in the start up and homepage.
I did not delete anything though. I will wait to see what your peeps have to say.
That gophersearch thing was the first thing I noticed, too.
Phreak,
Do this (print it first, you may not be able to access this page when you are in Safe Mode.)
When in Safe Mode:
Locate and delete: C:\WINDOWS\system32\gpstool.dll
Open HijackThis and put a check by these (if you find them, if not, no worries some may not be there) but don't hit the fix checked button yet.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
O2 - BHO: ohb - {22DFEAE8-9AD2-4FC6-9CBA-A6566CA3B6EB} - C:\WINDOWS\system32\gpstool.dll
Now Make sure all the windows/browsers/other apps (minus HijackThis) are closed and then hit the "Fix Checked Button."
Scan with AdAware, remove anything it finds, and then delete everything in the quarantine.
After that, restart and go into safe mode again, and delete any of these files if you find them. Restart into "normal" mode and see how the machine is running. Do more scans if it seems okay. Either way, run hijack this again and post it back in here.
Go back to Safe Mode and Locate and Delete these
C:\Program Files\Common files\updmgr (Folder)
C:\Program Files\Common Files\CMEII (Folder)
C:\Program Files\Common Files\GMT (Folder)
C:\Program Files\Altnet (Folder)
C:\Documents and Settings\as\Favorites\Health<< Folder
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
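Both posters spotted the gophersearch.com entries by eye. What follows is an added example, not part of the thread and not HijackThis code: a mechanical first pass over the log posted above that does the same triage for the R0/R1, O2 and O20 lines and reports, rather than deletes, what it finds. It assumes (from the thread) that comcast.net is the owner's chosen home page and that the Dell-bundled myway search is expected, so those hosts are passed in as an allow-list; any other search or start-page host is flagged. Two further heuristics: a BHO whose DLL sits directly in system32 rather than under a vendor directory, and a DLL that is registered both as a BHO and as a Winlogon Notify handler. The second pattern matters for the removal steps above: a Winlogon Notify DLL loads into winlogon.exe at every logon, so it can re-create registry entries that HijackThis "fixed", which is why the file itself has to be deleted in Safe Mode. Note that the fix list above names gpstool.dll, which does not appear in the posted log; the two system32 BHOs that do appear there (jkhfc.dll and rlmtcs.dll) are what this pass surfaces. The sample below is a constructed subset of the posted log.

```python
"""Mechanical first pass over a HijackThis v1.99 log.

Added example, not part of the thread and not HijackThis code. Assumes the
R0/R1, O2 and O20 line formats visible in the posted log. Reports only;
removal is a human decision.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the R, O2 and O20 lines lifted from the posted log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: ohb - {E8888041-B24A-4B0B-911B-12B018E43F21} - C:\WINDOWS\system32\rlmtcs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

R_LINE = re.compile(r"^(R[013]) - (.+?),(.+?) = (.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.+)$")
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")

# IE registry values a search hijacker rewrites.
HIJACKABLE_VALUES = {"SearchURL", "Search Bar", "Search Page",
                     "SearchAssistant", "Start Page", "Default_Page_URL"}


def parse(log_text):
    """Split a log into (R entries, BHOs, Winlogon Notify handlers)."""
    r_entries, bhos, notify = [], [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            section, key, name, url = m.groups()
            r_entries.append((section, key, name.strip(), url.strip()))
            continue
        m = O2_LINE.match(line)
        if m:
            name, clsid, dll = m.groups()
            bhos.append((name, clsid.upper(), dll))
            continue
        m = O20_LINE.match(line)
        if m:
            notify.append((m.group(1), m.group(2)))
    return r_entries, bhos, notify


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def triage(log_text, expected_hosts):
    """Return findings; expected_hosts is the owner's own home/search hosts."""
    r_entries, bhos, notify = parse(log_text)

    # 1. Search/start-page values pointing anywhere the owner did not choose.
    hijacked = []
    for section, key, name, url in r_entries:
        if name not in HIJACKABLE_VALUES:
            continue
        host = urlparse(url).hostname or ""
        if host not in expected_hosts:
            hijacked.append((section, name, host))

    # 2. BHOs whose DLL lives directly in system32 (vendor BHOs normally sit
    #    under Program Files or a vendor subdirectory such as system32\dla).
    system32_bhos = [basename(dll) for _, _, dll in bhos
                     if dirname(dll).endswith("\\windows\\system32")]

    # 3. The same DLL registered as a BHO and as a Winlogon Notify handler:
    #    the Winlogon copy runs at logon and can restore the BHO after a fix.
    bho_dlls = {basename(dll) for _, _, dll in bhos}
    overlap = [basename(dll) for _, dll in notify if basename(dll) in bho_dlls]

    return {"hijacked_search": hijacked,
            "system32_bhos": system32_bhos,
            "bho_winlogon_overlap": overlap}


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG, {"www.comcast.net", "mysearch.myway.com"})
    for kind, items in findings.items():
        print(kind, items)
```

On the posted log this reports the two gophersearch.com values (SearchURL in HKCU and SearchAssistant in HKLM), jkhfc.dll and rlmtcs.dll as system32 BHOs, and jkhfc.dll as the BHO that also has a Winlogon Notify hook. The allow-list is the part that needs a human: myway is bundled by Dell and only "expected" because the owner said it has never bothered him.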
Phreak,
Couple of questions: one, do you own a Dell? And two, do you have the "MyWay Search Assistant"? It is a program that comes with Dell PCs; from what I know of it, it will show news and things, but also advertise all kinds of Dell products. Some people like it, others consider it Spyware/Adware. If you want to remove it, let me know and I'll walk you through it.
Good stuff, bro. I will do this stuff tonight.
Yes, I do own a Dell. But the MyWay thing hasn't been a problem. I don't even know if I have it and if I do, it likely isn't activated because I have never seen anything from it.
Hey dude, those two links aren't working for me. I get a message saying that file 404 not found or some shtein.
Well, it should show up under your Add/Remove programs menu (Start>Control Panel>Add/Remove Programs) and you should be able to remove it under there if you want. I generally don't like to have shtein on my PC that one, I didn't install, and two, that I don't use.
In regards to switching operating systems, I like the Mac stuff, but I currently use a version of Linux (which is absolutely free, and virtually virus free) called Ubuntu. You can get a free copy to play with (you can put in on a CD/DVD and boot from it and run it without installing it and deleting your Windows installation) at www.ubuntu.com (http://www.ubuntu.com).
Quote from: PhillyPhreak54 on June 10, 2006, 04:13:32 PM
Hey dude, those two links aren't working for me. I get a message saying that file 404 not found or some shtein.
Sorry, they're probably old.
Try this for safe mode:
Windows XP
If Windows XP is the only operating system installed on your computer, boot into Safe Mode with these instructions.
If the computer is running, shut down Windows, and then turn off the power
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.
And for show hidden files and folders:
Show Hidden Program or System Files
Showing hidden files can come in handy—for example, say you've tried to delete everything from a floppy disk and the disk properties still indicate 100K of disk space is being used by hidden files.
To see hidden files and folders:
1. On the Tools menu in Windows Explorer, click Folder Options.
2. Click the View tab.
3. Under Hidden files and folders, click Show hidden files and folders.
Note: To access Windows Explorer, click Start, point to All Programs, and then click Windows Explorer.
Quote from: PhillyPhaninDC on June 10, 2006, 03:32:45 PM
After that, restart and go into safe mode again, and delete any of these files if you find them. Restart into "normal" mode and see how the machine is running. Do more scans if it seems okay. Either way, run hijack this again and post it back in here.
Go back to Safe Mode and Locate and Delete these
C:\Program Files\Common files\updmgr (Folder)
C:\Program Files\Common Files\CMEII (Folder)
C:\Program Files\Common Files\GMT (Folder)
C:\Program Files\Altnet (Folder)
C:\Documents and Settings\as\Favorites\Health<< Folder
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
Ok, when you say delete any of these if you find them when I restart into normal mode, am I deleting the ones you listed in the post above or am I deleting the ones quoted in this post at this point in the process? I assume you mean the R1 and R0 and O2 stuff, right? Because I don't want to delete the program files stuff until I go into safe mode again, right?
No, in the initial list of things to do, you run (in safe mode) HiJackThis to take care of these:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
O2 - BHO: ohb - {22DFEAE8-9AD2-4FC6-9CBA-A6566CA3B6EB} - C:\WINDOWS\system32\gpstool.dll
Check these in HijackThis, make sure all other windows/apps/browsers are closed then hit the "Fix Select Button". Once it is done, restart and go back into safe mode then...
Delete these files if you find them (remember to clear your Recycle Bin too):
C:\Program Files\Common files\updmgr (Folder)
C:\Program Files\Common Files\CMEII (Folder)
C:\Program Files\Common Files\GMT (Folder)
C:\Program Files\Altnet (Folder)
C:\Documents and Settings\as\Favorites\Health<< Folder
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
After that, restart the machine in normal mode, and see how it runs. If everything is shiny and happy, update all your virus defs and Spyware/Adware programs, and run them all, deleting anything they find. If it is not running right, there are some other things we can look at. Either way, after you have done all of this, get HijackThis to spit out another report and paste it in the thread again.
Ok, I am in safe mode now and have removed these:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
I cannot find this:
Quote
O2 - BHO: ohb - {22DFEAE8-9AD2-4FC6-9CBA-A6566CA3B6EB} - C:\WINDOWS\system32\gpstool.dll
It was not in the HiJack list after I ran it again. Matter of fact, nothing with the gpstool.dll is on the computer that I can find. I searched all files and the hard drive and came up empty on the search.
I also removed this:
Quote
C:\Program Files\Common files\updmgr (Folder)
But I cannot find any of the others you listed after that. The only thing that came up for the GMT was time setting stuff. All other searches came up empty. I am going to restart in normal mode and see what's up and let you know. After that I will restart in safe, run HiJack and post the log.
No need to run the HiJackThis in safe mode again. You can run it in the normal Windows environment.
Don't worry about the ones you couldn't find....
Well, I restarted in normal mode and everything was moving fast until another one of those popups killed it.
This time it was a porn pop up. Most of the time before it was for that stupid add/remove adware thing. A porn one would come up every so often. But it came up again after I restarted. When it comes up it locks up the system for the most part. I had to restart the system. I am in safe mode again. Because in normal mode it takes forever to close that popup and load Mozilla to start.
How do I get rid of that?
I am about to run HiJack after I restart in normal. I just wanted to post this real quick.
Quote
Scan saved at 6:17:13 PM, on 6/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: ohb - {E8888041-B24A-4B0B-911B-12B018E43F21} - C:\WINDOWS\system32\rlmtcs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146726124343
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Interesting.
That gophersearch shtein is back!!
I am also back in safe mode. When I tried it in normal mode I did not get a pop up, but it was running slow. And I tried to start Mozilla and it took forever. When it finally started I was about to post the HiJack log and it froze up on me. So I restarted in safe again.
I know that the gopher stuff was gone before. And I ran HiJack in safe and normal and they both show the gopher stuff being back.
It was running fast when that stuff was off of there. But now that it is back I am moving slow again. Except when I am in safe. In safe I am flying. But when I am in normal, it is slooooooooow
It's hard to say, Phreak. There are thousands of different types. There is something on your machine that is causing it to run, that's for sure. When in safe mode, delete your internet caches, history, cookies, etc. Go into your Temp folder and delete everything in there. Remember to have "Hidden Files and Folders" shown, and go into your Temporary Internet Files folder and others that are similar, and delete everything in there. Run all your scans and delete everything, including anything that is quarantined. Shoot another HijackThis log up when you get a chance. I know it is porn stuff, and you can't post some of it here, but I need names to know what is going on. Look for titles in the Window from companies, or on the Window header in Internet Explorer. If it is something you can't post because it says something like "Greatest studs on the net, Chuggie rates us number one!" send it in a PM.
And guess what?
I just got that goddamn SysProtect popup in safe mode now! That is the one that has been giving me trouble for awhile now that I thought I got rid of. That has to be the gopher thing. Has to be.
Here is the url for that popup:
http://scanner.sysprotect.com/pages/scanner/download2.php?resize=1&aid=nm_ap_sptff_r2_us_en_exit&lid=keyin
why not just save your important files and wipe the entire drive clean. install windows fresh again and reload your files. could have done all of that by now.
(http://www.techgeeks2u.com/picts/sledgehammer.jpg)
Quote from: PhillyPhreak54 on June 10, 2006, 06:20:00 PM
Interesting.
That gophersearch shtein is back!!
I am also back in safe mode. When I tried it in normal mode I did not get a pop up, but it was running slow. And I tried to start Mozilla and it took forever. When it finally started I was about to post the HiJack log and it froze up on me. So I restarted in safe again.
I know that the gopher stuff was gone before. And I ran HiJack in safe and normal and they both show the gopher stuff being back.
It was running fast when that stuff was off of there. But now that it is back I am moving slow again. Except when I am in safe. In safe I am flying. But when I am in normal, it is slooooooooow
This isn't all bad, now we know exactly what is farging up your machine. Now to make sure it's completely gone....
Ok, check this out...
I went into my control panel to make sure I was showing all hidden folders again.
I clicked on the Folder Options icon.
That comes up and it has three tabs to it...
General, View and File Types
Under the View tab is where I see the hidden thing. I am showing hidden files.
But when I clicked on the File Types tab I see a thing that says URL: Gopher Protocol and it has a picture of the internet explorer icon next to it.
IE logo (NONE) URL: Gopher Protocol
That's what it looks like.
Okay, go ahead and run the Hijackthis in safe mode again and check and fix these...
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
Then go to start > run> and type %temp% and hit enter. Delete every file there (have to be in safe mode).
Go to start > run > and type cleanmgr and hit enter. Select your C: Drive, then when it is done "Compressing" make sure "Downloaded Program Files", "Temporary Internet Files", "Offline Web Pages", "Recycle Bin", "Temporary Files" and "WebClient/Publisher Temporary Files" are checked and click okay. Hit yes to continue. Do all of your virus and other scans again, then reboot in normal mode and see what we get....
Ok, I am about to start all of that now.
I owe you a case of beer, by the way. Thank you for your help.
You will also want to go to microsoft.com and download Windows Defender (ha!) and install it. It's free, and it does a decent job of nabbing Spyware and Adware....
Ok, I am still in safe and just finishing up. But one thing I did find and hope I fixed...
When I ran adaware it came up with a possible hack attempt and it was in my favorites and settings for the computer. I looked at the link and it was some sex link shtein that was embedded in my documents and settings. So I then searched for the link that I was given and found it on the PC and deleted it.
I am about to restart in normal and see what's up.
I have some of the same problems, Phreak. I'm going to Temple on Monday night and a computer nerd is going to fix things. Even though I'm not enrolled this semester, I guess I'm still able to use computer services. Pays to live 25 minutes from campus.
Quote from: PhillyPhreak54 on June 10, 2006, 06:44:24 PM
Ok, I am about to start all of that now.
I owe you a case of beer, by the way. Thank you for your help.
damn, after all that I think you owe him an entire liquor store!
...good luck men, we're all counting on you!
Quote from: dis12 on June 10, 2006, 07:25:12 PM
damn, after all that I think you owe him an entire liquor store!
...good luck men, we're all counting on you!
He hasn't seen the bill yet.
Phreak is actually a good customer. Most times at work I get, "Hey, my computer isn't working right." To which I respond, "What's wrong with it? What is it doing? What is it not doing?" And I'll normally get "Uh, I don't know, it just isn't working."
Phreak, do you have a firewall on your computer?
I was going to suggest that as well. McAfee and Norton make good ones. On my wife's 'puter I use Norton Internet Security, and it is pretty easy to use and blocks just about everything...
Zonealarm is good for a free firewall. But if you really want to and know where to go, you can get any software for free on the internet.
Yeah, I definitely owe him big time. :yay
I do have the Norton firewall. Speaking of Norton, it is giving me problems. The system check that it runs on startup is not finishing. It usually will give me a pop up notification after running saying all systems are running good and it has a little green check mark on the Norton yellow sign that is located on the task bar by the system tray. It just keeps running and running and never gives me that completion notice now.
I am back in safe mode. And I have the gopher search things back as well. I'm going to try a few more things before I have to take a break and save my sanity. I have no patience and am about to throw this goddamn thing out of my window. I'll go at it again tonight if it doesn't work this time.
And I just got that scanner.sysprotect popup again. >:(
Ok, one more thing caught my eye...
In the system tray every once in awhile I see a little gold shield that pops up and says "Downloading updates". The little shield has an exclamation point in it. Isn't that what the windows update thing looks like?
Well this sysprotect popup I keep getting has that goddamn logo on it.
And when I see it on my system tray and I run the mouse pointer over it it always says 0%.
Could there be a link between the logo and these problems?
Yeah, that is the Windows Systems Update. Some of these things will do a lot of what you have described, like stopping updates or scans from running. Post your HJT log one final time before you give up for tonight. I'll go over it all tonight and look at everything that is running. I know it is frustrating, and it sounds like you have at least two bugs that are a real pain in the ass. Let me know how it goes and post that log, and we'll get it right before the weekend is out.
DC is doing a good job. Let him continue to work with you until the people I passed your log onto get back to me.
They may have spotted something or have a few ideas that I don't.
There's some stuff that I could recommend doing, but I'm not going to ask you to remove it because I don't want to be responsible for messing up your system.
Thanks fellas.
Before I do the HJT scan again, I just went through my system and manually deleted cookies, temp files and other stuff that I recognized. I saw a bunch of shtein on there that was missed earlier. I recognized the IP addresses that I get when I get the sysprotect popups and deleted them. They were saved as cookies and in other areas.
Let's see how this goes.
Quote
Logfile of HijackThis v1.99.1
Scan saved at 8:53:37 PM, on 6/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: ohb - {E8888041-B24A-4B0B-911B-12B018E43F21} - C:\WINDOWS\system32\rlmtcs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146726124343
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I deleted the gophersearch shtein and also deleted the dellmyway shtein too...this is what I have after those 6 things were deleted.
Phreak,
If you are still in Safe Mode and haven't rebooted, select this in HJT and fix it:
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
If you did reboot and got spammed again, do the same procedure as before, but also add the above to the removal. Every time you try a clean, don't forget to dump the temp, internet cache, etc. too.
I am going through your HJT log bit by bit, and figuring out what each thing is. Could take a bit. I'll get a whole post together of steps that'll hopefully get each bit of it, hopefully before morning.
Edit: I'm an ass. You have a couple of BHO (Browser Helper Objects) that were staring me in the face. These are what is redirecting you to download that shtein. Check and fix these too:
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: ohb - {E8888041-B24A-4B0B-911B-12B018E43F21} - C:\WINDOWS\system32\rlmtcs.dll
That should do it. After you remove it with HJT, do searches for those files, and delete any and all instances of them. Run the clean-up steps again, and reboot, and let me know what you get....
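As an added example (not code from the thread or from HijackThis itself), here is a small Python checker for the HJT log lines discussed above: it parses the R0/R1, O2 and O20 entries, flags start/search-page URLs whose host is outside a trusted-domain set you supply, pairs a BHO with a Winlogon Notify hook that loads the same DLL (the jkhfc.dll pattern DC spotted), and recognises the "(file missing)" suffix on stale entries. The sample log, the trusted-domain set and all function names are constructed for this example.

```python
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.99.1 line format. The entries are
# copied from the log posted in this thread (the gophersearch hijack, the
# jkhfc.dll BHO and its matching Winlogon Notify hook) plus benign lines
# for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: ohb - {E8888041-B24A-4B0B-911B-12B018E43F21} - C:\WINDOWS\system32\rlmtcs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
"""

R_LINE = re.compile(r"^(R[0-3]) - (.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
MISSING = "(file missing)"


def _split_path(field):
    """Return (path, missing): HJT appends '(file missing)' to stale entries."""
    field = field.strip()
    if field.endswith(MISSING):
        return field[: -len(MISSING)].strip(), True
    return field, False


def parse_hjt(text):
    """Parse R0-R3, O2 and O20 lines; other sections keep only their code."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = R_LINE.match(raw)
        if m:
            entries.append({"section": m.group(1), "key": m.group(2),
                            "url": m.group(3).strip(), "raw": raw})
            continue
        m = O2_LINE.match(raw)
        if m:
            path, missing = _split_path(m.group(3))
            entries.append({"section": "O2", "name": m.group(1),
                            "clsid": m.group(2).upper(), "path": path,
                            "missing": missing, "raw": raw})
            continue
        m = O20_LINE.match(raw)
        if m:
            path, missing = _split_path(m.group(2))
            entries.append({"section": "O20", "name": m.group(1),
                            "path": path, "missing": missing, "raw": raw})
            continue
        entries.append({"section": raw.split(" - ", 1)[0], "raw": raw})
    return entries


def _is_trusted(host, trusted):
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def find_search_hijacks(entries, trusted):
    """R0/R1 start/search URLs whose host is not in the caller's trusted set."""
    flagged = []
    for e in entries:
        if e["section"].startswith("R") and "url" in e:
            host = urlparse(e["url"]).hostname
            if host is None or not _is_trusted(host, trusted):
                flagged.append(e)
    return flagged


def find_shared_dlls(entries):
    """DLL names seen both as a BHO (O2) and as a Winlogon Notify hook (O20).

    A browser add-on has no business registering a logon notification
    handler; that pairing is how jkhfc.dll kept coming back in the thread.
    Returns {dll_basename: sorted list of sections it appears in}.
    """
    seen = {}
    for e in entries:
        if e["section"] in ("O2", "O20"):
            name = ntpath.basename(e["path"]).lower()
            seen.setdefault(name, set()).add(e["section"])
    return {n: sorted(s) for n, s in seen.items() if len(s) > 1}


def stale_entries(entries):
    """Entries whose DLL is already gone but whose registry key still exists."""
    return [e for e in entries if e.get("missing")]


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for e in find_search_hijacks(ents, {"comcast.net"}):
        print("start/search page points off-allowlist:", e["raw"])
    for dll, sections in find_shared_dlls(ents).items():
        print(f"{dll} is registered in {' and '.join(sections)}: fix both lines")
    for e in stale_entries(ents):
        print("stale entry, file already deleted:", e["raw"])
```

Run it against a pasted log to get a short list of lines worth checking in HJT; the trusted-domain set is whatever you know your own start and search pages to be.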
Ok, I think I got this sumbitch this time.
I thank you for all of your help, DC. I really appreciate it.
Here's the latest.
I ran my system restore and set it back to a date in May when I know this system wasn't giving me any problems. But that didn't work. The thing was still slow as shtein and not booting up the right way and sometimes not at all.
So I came here and saw what you posted about the jkhfc.dll stuff. The rlmtcs.dll stuff was no longer on the HJT log. I guess the system restore took care of that.
I tried like 5 times to fix it from the HJT and each time I went back it was still there. I even tried deleting it on boot up option and it still didn't go anywhere.
I ran AdAware again and deleted the stuff again. It was still going back on there even after I deleted it. I am going to check that again after this.
I then ran Norton in safe mode and it found a downloader and something else. I deleted them
Then I typed in jkhfc.dll in Google and found a post in a virus help forum that suggested I download Dr. Web, ewido and mwav. I downloaded them all. I haven't run ewido or mwav yet because the Dr. Web search detected these files:
jkhfc.dll
jkhfc.dll
A0005876.dll - Trojan.Downloader.6408
A0038482.dll - Trojan. Downloader.6408
SysProtectScanner - Trojan.Downloader.9306
I deleted them and restarted the system and ran HJT again. It still had the C:\WINDOWS\system32\jkhfc.dll things in there but after the .dll portion it had (file missing). I selected them and hit FIX. I do not know if it removed them yet because I haven't run another HJT yet, but I will. But when I restarted the system after running the Dr.Web program it booted right up and Norton had no problems starting up. It did not seem slow at all.
I am going to post the HJT log in the next post. This is the HJT that I ran a few minutes ago before I fixed the jkhfc.dll lines. You'll see the (file missing) thing I was talking about.
Quote
Logfile of HijackThis v1.99.1
Scan saved at 3:44:35 AM, on 6/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\Hentz\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146726124343
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll (file missing)
continued...
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
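For anyone reading a HijackThis log like the one above, the lines worth a second look are the ones HJT itself marks "(file missing)" and the browser hooks with "(no name)". Below is an added triage script; it is not part of this thread and not part of HijackThis, it just parses the R/O entry format shown in the log. The sample lines are copied from the log above (a constructed subset, benign Symantec, Adobe and Intel entries included so the rules have something to pass over). The "random-looking name in system32" rule is a heuristic of my own, assumed rather than taken from any tool, and will occasionally flag legitimate vendor DLLs.

```python
import re

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
"""

# "R3 - ..." / "O20 - ..." : section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.*)$")
# A Windows path ending in a loadable module; the lookahead stops at a closing
# quote, whitespace or end of line so a trailing "(file missing)" is not swallowed.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe|ocx))(?=["\s]|$)', re.IGNORECASE)

BROWSER_HOOKS = {"R3", "O2", "O3"}      # URLSearchHook, BHO, toolbar
AUTOLOAD_HOOKS = {"O2", "O20", "O21"}   # BHO, Winlogon Notify, ShellServiceObjectDelayLoad


def looks_random(stem):
    """Heuristic (my assumption, not an HJT rule): vendor module names nearly always
    contain a vowel (igfxdev, ccApp, NavShExt); generated names like jkhfc rarely do.
    Treat a hit as a prompt to look, not a verdict."""
    return len(stem) >= 4 and not any(c in "aeiouy" for c in stem.lower())


def triage_entry(line):
    """Return the reasons one HJT entry deserves attention (empty list = passes)."""
    reasons = []
    m = ENTRY_RE.match(line)
    if not m:
        return reasons
    section, body = m.group("section"), m.group("body")
    if "(file missing)" in body:
        reasons.append("registry hook points at a file that is already gone")
    if section in BROWSER_HOOKS and "(no name)" in body:
        reasons.append("browser hook with no display name")
    pm = PATH_RE.search(body)
    if pm and section in AUTOLOAD_HOOKS:
        parts = pm.group(1).split("\\")
        parent, filename = parts[-2].lower(), parts[-1]
        if parent == "system32" and looks_random(filename.rsplit(".", 1)[0]):
            reasons.append("random-looking module name dropped straight into system32")
    return reasons


def triage_log(text):
    """Map every flagged log line to its reasons, keeping log order."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        reasons = triage_entry(line)
        if reasons:
            findings[line] = reasons
    return findings


def orphaned_hooks(text):
    """Group '(file missing)' entries by the module they reference (lower-cased path).
    One DLL registered under several sections (here O2 BHO and O20 Winlogon Notify)
    is one piece of adware with two load points: the registry values are what is left
    to delete, and if they come back after a reboot something still running is
    re-creating them, so the dropper has to be found, not just the hooks."""
    by_module = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m or "(file missing)" not in m.group("body"):
            continue
        pm = PATH_RE.search(m.group("body"))
        if pm:
            by_module.setdefault(pm.group(1).lower(), []).append(m.group("section"))
    return by_module


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
    for module, sections in orphaned_hooks(SAMPLE_LOG).items():
        print("%s: registered under %s" % (module, ", ".join(sections)))
```

Run against the sample it flags the two MyWay hooks (no display name) and both jkhfc.dll entries, and groups the latter to show the same missing DLL was wired in as a BHO and as a Winlogon Notify package; everything from Symantec, Adobe and Intel passes untouched. Paste a full log into SAMPLE_LOG to triage it offline.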
I just ran HJT again and the jkhfc.dll stuff is GONE!
However, I see that there is this still in there;
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
Is that something that I should remove as well? I believe I read on the Virus forum that anything with MyWaySA should be removed.
I am going to run the other programs just to make sure I got everything.
I looked up the MyWaySA stuff and found that it was not harmful. It was that Dell stuff you were talking about earlier. But I removed it anyways.
I also ran the ewido, AdAware and HJT again and everything is gone.
Whew! What a long and frustrating day.
DC, thank you. And thank you Bunkley as well. :yay
Phreak,
The reason the myway stuff is still there is that it is a program that is installed via more traditional means than Spyware or Adware. You have to first go into your Add/Remove programs and uninstall it from there. Then you can do the HJT clean up on the rest of it. Even though it came from Dell, I've read a bit about it, and I wouldn't want it on my machine.
The latest HJT logs look clean. Glad to hear everything is working well, and that your stream of scat and bestiality porn can begin anew.
Make sure you update all your scanning programs, and get that Windows Defender I was telling you about. Also update your Java and Flash plugins. I also recommend completely uninstalling Internet Explorer from your system. I would do this only when you are completely comfortable with Firefox. Even if you are not browsing with IE, bugs can still exploit it if it is on your system. Let me know if you want some info on how to take it off.
Yeah, a lot of things are planted in system folders that keep installing new stuff. Which is most likely why the stuff kept coming back. You had to remove the source of what was planting those things.
Looks like you got rid of it. I probably won't get the techies to look at your log until monday, but I'll post back what they say and see if there's anything else they spotted on there.
Make sure you have a firewall, spyware, and adware blocker, all up to date.
I went through each folder on the computer and found a bunch of shtein. I deleted all of it and then that DrWeb cleaned the rest of it off.
Everything is updated and running smooth.
Thanks again for all the help, y'all.
I prefer Milwaukee's Best for anyone concerned. Natty Light is acceptable in case there is a very common rush on The Beast at the local Piggly Wiggly. ;)
A case of beer will be yours to enjoy. I will load up my PayPal acct and hook ya up. :yay
Keep it Phreak, I was just messing around. Last night would have been boring as shtein with nothing to do - wife was working the night shift and I didn't make any plans. It gave me something to do.
Either way, I appreciate it bro. :yay