bothered's turn!

bothered, Manchester UK
edited July 2004 in Spyware & Virus Removal
This is the original post in software -
Hi y'all.
The kids have done something to both PCs. I've fixed most of it but there is something odd on mine. I've done all the usual things, S&D, Adaware, Anti virus scans and everything is clean (I think) now.
Whenever I start IE I get a tab at the bottom, http://server2, I can right click it and close it, I can close it in task manager, It won't maximise so I can't see what it is. How can I get rid?
Thanks guys.

Dexter asked for a hijack this log to be posted here. Here it is guys.

Logfile of HijackThis v1.97.7
Scan saved at 10:21:09, on 21/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\SCVHOST.EXE
C:\Program Files\DSB\DSB.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\documents and settings\dad\local settings\temp\gWkCHo.exe
C:\documents and settings\dad\local settings\temp\serRU.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\osudspif.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\WINDOWS\System32\quamcnfg.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dad\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\System32\SCVHOST.EXE
O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\System32\REGCPM32.EXE
O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\DSB.exe
O4 - HKLM\..\Run: [gWkCHo] C:\documents and settings\dad\local settings\temp\gWkCHo.exe
O4 - HKLM\..\Run: [serRU] C:\documents and settings\dad\local settings\temp\serRU.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [5Fof38h] osudspif.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [AtiTrayTools] C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
O4 - HKCU\..\Run: [Ko7pRUNti] quamcnfg.exe
O4 - Startup: Folding@home 4.00.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/zd/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

Comments

  • Dexter, Vancouver, BC Canada
    edited July 2004
    Bothered,

    restart in SAFE MODE. Run HJT. Fix:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm

    O4 - HKLM\..\Run: [gWkCHo] C:\documents and settings\dad\local settings\temp\gWkCHo.exe

    O4 - HKLM\..\Run: [serRU] C:\documents and settings\dad\local settings\temp\serRU.exe

    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe

    O4 - HKLM\..\Run: [5Fof38h] osudspif.exe

    O4 - HKCU\..\Run: [Ko7pRUNti] quamcnfg.exe

    Next, locate those exe files and the searchbar.htm file. (Your log posting has truncated the path names, so I can't tell exactly where they are.)

    Then, create a new folder called C:\Quarantine. Manually locate all the files named above, and move them into the Quarantine folder. Rename the exe files to .xxx, and rename the .html files to .hhhh. That way you can always replace them if it somehow turns out that I am completely wrong and these are necessary files... which is not likely, but quarantining is safer than deleting them.

    Reboot your computer in normal mode, and see if the bugger went away. If it did not, re-run HJT and post a fresh log. If it did, open your Folding at Home config file and change the user name to Dexter. ;)

    Dexter...
  • edited July 2004
    That's no fair, Dexter. No borging people's computers that are already folding! :p:D
  • Dexter, Vancouver, BC Canada
    edited July 2004
    I just wanted to see how well he followed directions ;)

    Dexter...
  • gibbonsl, Grand Forks AFB
    edited July 2004
    http://sarc.com/avcenter/venc/data/adware.energyplugin.html

    C:\Program Files\DSB\DSB.exe

    looks like the above
  • Dexter, Vancouver, BC Canada
    edited July 2004
    Good find Gibbonsl, I missed that one.

    Bothered, add:

    O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\DSB.exe

    to your Fix list in HJT.

    Dexter...
  • bothered, Manchester UK
    edited July 2004
    Cheers guys, all fixed.
    Dexter, how long do I need to leave my folding name set as Dexter?
  • Dexter, Vancouver, BC Canada
    edited July 2004
    Well, let's see, 6 HJT entries to be deleted = 6 WU's, I think? Then you owe gibbonsl one...but he's not folding, so you can donate that one to the SVT regular of your choice..... ;)

    Dexter...
  • bothered, Manchester UK
    edited July 2004
    Thanks mate. :thumbsup:
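The triage Dexter and gibbonsl did by eye can be partly automated. The script below is an added example written for this page; it is not code from the thread, from HijackThis, or from any of the posters. It parses the R0/R1 and O4 lines of a HijackThis 1.97-style log and flags the three patterns the fix list above illustrates: a browser setting pointed at a local file:// URL, a Run entry launched from a user's Temp directory, and a Run value name that looks machine-generated. Unqualified executable names (resolved by a PATH search, like the two random-named entries) are reported at a lower "review" severity because legitimate vendors use them too. The embedded log is a constructed excerpt modelled on the posted one, and the heuristics are assumptions for illustration, not a complete verdict on any entry.

```python
"""Triage heuristics for a HijackThis (HJT) 1.97-style log.

Added example, not code from the thread or from HijackThis. The rules below
are heuristics modelled on the fix list in the thread; they are not a
complete malware verdict.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt modelled on the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [gWkCHo] C:\documents and settings\dad\local settings\temp\gWkCHo.exe
O4 - HKLM\..\Run: [serRU] C:\documents and settings\dad\local settings\temp\serRU.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [5Fof38h] osudspif.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKCU\..\Run: [Ko7pRUNti] quamcnfg.exe
"""

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# R0/R1 - registry key,value name = data
R_RE = re.compile(r'^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.+)$')


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str
    severity: str  # 'high' or 'review'


def looks_generated(name: str) -> bool:
    """Heuristic: a Run value name that mixes digits with upper- and lower-case
    letters and has no dot or space (e.g. 5Fof38h) is unlike a vendor's name."""
    return (re.search(r'\d', name) is not None
            and re.search(r'[a-z]', name) is not None
            and re.search(r'[A-Z]', name) is not None
            and re.search(r'[.\s]', name) is None)


def executable_of(cmd: str) -> str:
    """Return the launched path from a Run command line, dropping quotes and
    arguments. Unquoted paths may contain spaces, so cut after the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> List[Finding]:
    """Apply the heuristics to every R0/R1 and O4 line of the log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_RE.match(line)
        if m:
            if m.group('data').lower().startswith('file://'):
                findings.append(Finding(line, 'browser setting points at a local file', 'high'))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe = executable_of(m.group('cmd'))
        if '\\temp\\' in exe.lower():
            findings.append(Finding(line, 'autorun launched from a Temp directory', 'high'))
        elif looks_generated(m.group('name')):
            findings.append(Finding(line, 'machine-looking Run value name', 'high'))
        elif '\\' not in exe:
            findings.append(Finding(line, 'unqualified executable name resolved by PATH search', 'review'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:6}] {f.reason}: {f.line}')
```

Running it on the excerpt reports the Search Bar entry, the two Temp-directory entries and the two random-named entries as high, and the nForce tray entry for review; the IEHost.exe entry that Dexter also listed is not caught by these rules, which is the point of keeping a human in the loop.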