Need some assistance

Logfile of HijackThis v1.97.7
Scan saved at 11:50:02 AM, on 7/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Winamp2\Winampa.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\INTERN~3\inetmgr.exe
C:\PROGRA~1\INTERN~3\inetsvc.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\joyv.exe
C:\WINDOWS\System32\ICSTOREP.exe
C:\Program Files\Winamp2\winamp.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\MozillaFirebird-0.6-win32\MozillaFirebird\MozillaFirebird.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\dmloader.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (file missing)
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~3\inetkw.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp2\Winampa.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~3\inetmgr.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [3Fog33U] lsank.exe
O4 - HKLM\..\Run: [bup] C:\WINDOWS\bup.exe
O4 - HKLM\..\Run: [joyv] C:\WINDOWS\System32\joyv.exe
O4 - HKLM\..\Run: [ICSTOREP] C:\WINDOWS\System32\ICSTOREP.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [dmloader] C:\WINDOWS\System32\dmloader.exe
O4 - HKCU\..\Run: [Io7mRTY3i] odpcp60.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/01a62113574da5432220/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37787.551724537
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks.

Comments

  • shwaip bluffin' with my muffin Icrontian
    edited July 2004
  • edited July 2004
    Sorry for my rude behavior. I am a college student at Carnegie-Mellon going into my sophomore year.

    Well, before I posted this hijack log I ran ad-aware and spybot 1.3 but I am still concerned with the bup.exe, joyv.exe, and alchem.exe. I am wondering if those are necessary or just spyware.

    Thanks

    -Chris
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited July 2004
    alchem.exe is trash, the others I am not sure of right now.
  • shwaip bluffin' with my muffin Icrontian
    edited July 2004
    No problem. It's just kinda hard to find all the problems without knowing what you've done, and what problems you are having.

    You've got a couple different problems there:

    first, download and run CWShredder from the link in my sig.

    next, boot into safe mode and remove these entries, if they haven't been removed:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about_:blank
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (file missing)
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~3\inetkw.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~3\inetmgr.exe
    O4 - HKLM\..\Run: [3Fog33U] lsank.exe
    O4 - HKLM\..\Run: [bup] C:\WINDOWS\bup.exe
    O4 - HKLM\..\Run: [joyv] C:\WINDOWS\System32\joyv.exe
    O4 - HKLM\..\Run: [ICSTOREP] C:\WINDOWS\System32\ICSTOREP.exe
    O4 - HKCU\..\Run: [dmloader] C:\WINDOWS\System32\dmloader.exe
    O4 - HKCU\..\Run: [Io7mRTY3i] odpcp60.exe

    also, check to see if any of the files remain on your computer after removing with hijackthis and CWShredder.

    reboot, and please tell us if it worked.
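A small parser for the HijackThis log format this thread works with, added here as an illustration and not part of anyone's post. It reads O2/O3/O4 lines (a few copied from the log above as constructed sample input) and applies the checks the advice above boils down to: a BHO whose DLL is already missing, a toolbar that shares its CLSID with a BHO, and a Run entry that gives only a bare filename instead of a full path. The section regexes and the finding texts are my own.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = """\
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\\Program Files\\ClearSearch\\CSIE.DLL (file missing)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\\Program Files\\SEP\\sep.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\\Program Files\\SEP\\sep.dll
O4 - HKLM\\..\\Run: [NAV Agent] C:\\PROGRA~1\\NORTON~1\\navapw32.exe
O4 - HKLM\\..\\Run: [3Fog33U] lsank.exe
O4 - HKLM\\..\\Run: [bup] C:\\WINDOWS\\bup.exe
O4 - HKCU\\..\\Run: [Io7mRTY3i] odpcp60.exe
"""

# One regex per HJT section this thread deals with; other sections (R1, O12, O16...) are kept raw.
HOOK_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
                     r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")


def parse_log(text):
    """Turn the log into a list of dicts; unrecognised lines are kept with kind='other'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := HOOK_RE.match(line):
            entries.append({"kind": line[:2], "line": line, **m.groupdict()})
        elif m := RUN_RE.match(line):
            entries.append({"kind": "O4", "line": line, **m.groupdict()})
        else:
            entries.append({"kind": "other", "line": line})
    return entries


def triage(entries):
    """Return (reason, log line) pairs for entries worth a closer look."""
    findings = []
    bho_clsids = {e["clsid"] for e in entries if e["kind"] == "O2"}
    for e in entries:
        if e["kind"] == "O2" and e.get("missing"):
            findings.append(("dead BHO entry, DLL already gone", e["line"]))
        elif e["kind"] == "O3" and e["clsid"] in bho_clsids:
            findings.append(("toolbar shares a CLSID with a BHO, same component", e["line"]))
        elif e["kind"] == "O4" and not re.search(r"[\\/:]", e["cmd"]):
            # Bare filenames are resolved via the search path; real installers write full paths.
            findings.append(("Run entry gives a bare filename, no path", e["line"]))
    return findings
```

Feed it the whole log instead of the sample to get the same findings list for every line; the `other` entries are kept so nothing is silently dropped.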
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited July 2004
    EDITED A BIT MASSIVELY, after further looking on the web: As far as joyv.exe, try instructions at link below:

    http://www.pestpatrol.com/PestInfo/d/dealhelper_com.asp

    Both can be valid, looks like both can be junk also. The valid doced usages for joyv.exe are kinda strange, I would see if you are dealing with dealhelper junkware.

    ADDED-- Notes on bup.exe:

    Bup.exe actually can be used with Veritas software, circa 2000. One way to get info about this particular one, without running it, is to right-click the exe, choose properties, and see if publisher is Veritas. If not, and no publisher info or other info, then I would back it up and delete separately in HJT only. This pulls the reg key for it, does not delete the file. So, if a Veritas product or an accounting app that is quite old malfs, you can restore with HJT that way.