Need some help with this one guys!

RADA Apple Valley, CA Member
edited May 2004 in Spyware & Virus Removal
I can't seem to find the hijacker that keeps coming back. You guys see anything?

Logfile of HijackThis v1.97.7
Scan saved at 7:36:19 PM, on 5/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\slserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\System32\idctup20.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
O4 - HKLM\..\Run: [hgxuzyr] C:\WINNT\hgxuzyr.exe
O4 - HKLM\..\Run: [bypubmp] C:\WINNT\bypubmp.exe
O4 - HKLM\..\Run: [krilaron] C:\WINNT\krilaron.exe
O4 - HKLM\..\Run: [dqdarin] C:\WINNT\dqdarin.exe
O4 - HKLM\..\Run: [zmn] C:\WINNT\zmn.exe
O4 - HKLM\..\Run: [wfyxqryt] C:\WINNT\wfyxqryt.exe
O4 - HKLM\..\Run: [ijovadwd] C:\WINNT\ijovadwd.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Comments

  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    You've got a few different ones in there:

    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
    ClickAlchemy

    O4 - HKLM\..\Run: [intdctrr] C:\WINNT\System32\idctup20.exe
    Not sure about this one, but looks too random to be legitimate. Rename it to idctup20.bak and see if any programs complain about its disappearance. If not, I'd remove it.

    O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
    Aureate.Radiate

    O4 - HKLM\..\Run: [hgxuzyr] C:\WINNT\hgxuzyr.exe
    O4 - HKLM\..\Run: [bypubmp] C:\WINNT\bypubmp.exe
    O4 - HKLM\..\Run: [krilaron] C:\WINNT\krilaron.exe
    O4 - HKLM\..\Run: [dqdarin] C:\WINNT\dqdarin.exe
    O4 - HKLM\..\Run: [zmn] C:\WINNT\zmn.exe
    O4 - HKLM\..\Run: [wfyxqryt] C:\WINNT\wfyxqryt.exe
    O4 - HKLM\..\Run: [ijovadwd] C:\WINNT\ijovadwd.exe
    Random file names. Never a good sign.

    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    Another one I'm suspicious of. Same as above, rename and see if anything complains.

    You should install SpywareBlaster, and run Ad-Aware and/or Spybot at least once a week. All can be downloaded from here.

    <nagging parent voice>
    RADA, you've been here a while, so you should know better about spyware. Am I talking to a wall? Does my advice go in one ear and out the other? Why do I even bother! Now go to your room and think about what you've done, young man!
    </nagging parent voice>
  • RADA Apple Valley, CA Member
    edited May 2004
    Kwitko,

    This isn't my computer. It belongs to a friend who knows nothing about computers. She asked me if I could help her clean it up. I've already loaded and run AdAware 6 and SpyBot 1.3 and removed omegasearch and CoolSearch.
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Okay, then give the nagging parent rant to her. :)
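
The triage in the reply above keys on Run entries that point at oddly named executables sitting directly in C:\WINNT. As an added example (not from the thread and not part of HijackThis), this Python code parses the O4 Run lines of a HijackThis log and lists entries whose image is directly in the Windows directory and whose value name just repeats the file name. The function names, the `windir` default and the heuristic are assumptions; a hit marks an entry for review, it is not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the O4 lines from the log posted on this page.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINNT\image.dll,Install
O4 - HKLM\..\Run: [hgxuzyr] C:\WINNT\hgxuzyr.exe
O4 - HKLM\..\Run: [zmn] C:\WINNT\zmn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Shape of a registry autostart line: O4 - HKLM\..\Run: [ValueName] command line
RUN_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
# First .exe/.dll path in the command: quoted, bare, or passed to rundll32.
IMAGE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll)', re.IGNORECASE)


def parse_run_entries(log_text):
    """Yield (value_name, image_path) for each registry Run entry in the log."""
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue  # Global Startup shortcuts and other sections are skipped
        image = IMAGE.search(m.group(4))
        if image:
            yield m.group(3), PureWindowsPath(image.group(0))


def triage(log_text, windir=r"C:\WINNT"):
    """Return Run entries whose image sits directly in windir (not a
    subdirectory) and whose value name equals the file name minus extension."""
    root = PureWindowsPath(windir)  # PureWindowsPath compares case-insensitively
    return [
        (name, str(image))
        for name, image in parse_run_entries(log_text)
        if image.parent == root and name.lower() == image.stem.lower()
    ]


if __name__ == "__main__":
    for name, image in triage(SAMPLE_LOG):
        print(f"review: [{name}] -> {image}")
```

Entries such as `[intdctrr] C:\WINNT\System32\idctup20.exe` fall outside this rule because the name and file differ and the file is in System32, so they still need the manual check described in the reply.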