more programs in start-up

I might be asking in the wrong forum or something...is there another place where I can find out about this stuff? I'm so confused and frustrated!

Earlier, I said "Spyware"...I meant "SpySweeper".

Things in start-up that are causing me concern:

AEIWLRAD.exe
precisiontime.exe
qttask.exe-atboottime (quicktime)
alchem.exe
clearsearch\loader.exe
omniscient.exe
messenger\msmsgs.exe/background
system32\ctfmon.exe

I think the rest are legit.

If anyone would consider a little help or a site where I can receive help...I would so deeply appreciate it.

Thanks,
Michelle

Comments

  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited July 2004
    AEIWLRAD.exe - Too random of a filename to be good. Disable for now
    precisiontime.exe - Adware
    qttask.exe-atboottime (quicktime) - QuickTime updater. Can be removed to save resources.
    alchem.exe - Adware
    clearsearch\loader.exe - Adware
    omniscient.exe - Adware
    messenger\msmsgs.exe/background - MS Messenger
    system32\ctfmon.exe - Legitimate Windows process

    You've got several malware programs running. If you haven't already, do a Spybot & Ad-Aware sweep. Follow the guide here.
  • edited July 2004
    That really seemed to get me off to the right start! Thanks so much.

    System 32 error is gone.
    My Documents is no longer coming up when computer is turned on.

    I tried to disable AEIWLRAD.exe and rebooted. I got a message about putting it back to normal under the general tab because it was in diagnostic mode...blah blah.

    Ad-aware did pick up the krzoxr.exe, said it couldn't delete it. Then ZoneAlarm said it was trying to access the internet.

    I rebooted, ran ad-aware again, quarantined krzoxr. I rebooted again. Then I checked my start menu again and it was still there. Could this one be something more serious?

    System is still painfully slow at start-up, though.

    Maybe irrelevant, but...when I came onto this site and read your response, I saw a figure pulling its hair out. Then I logged in, and the box just said "NULL". What's with that? lol.

    I really appreciate you taking the time to help me!

    Michelle
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited July 2004
    Please post a HiJackThis log.

    As for my avatar, it rotates pics, so that's nothing to worry about. :)
  • edited July 2004
    Umm..exactly how do I do that? What is it? How does it work?

    Sorry for being lame and not understanding. :rolleyes:
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited July 2004
    Download HiJackThis, extract it from the ZIP file into its own folder- c:\HJT, for example- run the program, click Scan, then click Save log. Open the logfile you saved and copy & paste its contents here.
  • edited July 2004
    Ok..that was easy enough...Here it is!

    Logfile of HijackThis v1.98.0
    Scan saved at 2:26:35 PM, on 7/24/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\system32\AEIWLSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\carpserv.exe
    C:\WINNT\System32\S3tray2.exe
    C:\WINNT\GWHotKey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\WINNT\System32\AEIWLRAD.EXE
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Realtek\Rtl8180\RtlWake.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Michelle\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8082
    R3 - URLSearchHook: (no name) - _{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - (no file)
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SideStep Browser Helper - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINNT\Downloaded Program Files\SbCIe026.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vzvsusnxovqq] C:\WINNT\System32\krzoxr.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
    O4 - HKLM\..\Run: [1AEIWLRAD.EXE] AEIWLRAD.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RtlWake.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - (no file)
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)
    O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\Downloaded Program Files\SbCIe026.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://www.sidestep.com/get/k42037/sb026.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {91602283-B7B5-11D3-A32A-005004B0E00E} (DiscoverWhy Class) - http://216.132.173.29/CabFiles/dwInfo.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_2_0.cab
    O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v11/investor.cab
  • gibbonsl Grand Forks AFB
    edited July 2004
    you might want to turn off system restore until you are clean of infections
  • edited July 2004
    thanks for the suggestion gibbonsl...and....how do I do that exactly? I feel so stupid in here...geez. thanks.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    Right click my computer --> properties --> system restore --> "turn system restore off"
  • edited July 2004
    thanks...ok, it's turned off now. :smiles:
  • edited July 2004
    I haven't heard anything in several hours, but it seems lots of people have looked at it. Does that mean my hijack this log looks alright?

    Thanks,
    Michelle
  • Dexter Vancouver, BC Canada
    edited July 2004
    Patience, please...we do this in our spare time, and we all have lives... :)

    OK, reboot your computer in SAFE MODE. Run Hijack This. Fix the following items:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    (An .htm / .html page that is in your system folder somewhere and is being called as a main page or search page is usually adware of some sort. Get rid of this.)


    R3 - URLSearchHook: (no name) - _{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - (no file)

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)

    (Items with no name or file are usually leftover pieces of infections that were cleaned up by AdAware and Spybot. They often clean the file away but leave the BHO entry behind. Fix these.)

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    (Not a bad file, just not needed, wastes resources.)

    O4 - HKLM\..\Run: [vzvsusnxovqq] C:\WINNT\System32\krzoxr.exe

    O4 - HKLM\..\Run: [1AEIWLRAD.EXE] AEIWLRAD.EXE

    (My good friend Mr. Google says these are random file names. Probably part of your problem. Toast it.)

    Next, manually locate the .exe and .htm files I specified above. Move these to a new folder called C:\Quarantine. Rename the .exe's to .xxx and the .htm's to .hhh. That way you can always replace them if it somehow turns out that these are necessary files...which is not likely, but quarantining is safer than deleting them.


    Reboot normally, check things out, and let us know how it looks.

    Dexter...
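    A mechanical first pass over a HijackThis log that applies the triage rules used in this thread: "(no file)" entries are orphans, a local .htm in a system folder used as a browser page is suspect, Run values with random-looking names or a bare filename (no path) are suspect, and the QuickTime task is legitimate but optional. This is an added example, not HijackThis code and not something posted in the thread; the allowlist of known-good Run entries, the vowel-ratio threshold, and the localhost-proxy "review" check are my own assumptions (the thread did not raise the ProxyServer line). The sample lines are copied from the log above.

```python
"""Mechanical first pass over a HijackThis log using the rules from this thread.
Added example; not HijackThis's own code. Heuristics and allowlist are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted in the thread, verbatim.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8082
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vzvsusnxovqq] C:\WINNT\System32\krzoxr.exe
O4 - HKLM\..\Run: [1AEIWLRAD.EXE] AEIWLRAD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    verdict: str   # "fix", "optional" or "review"
    reason: str
    line: str


# Assumption: a small allowlist of Run-key programs the helpers in the thread
# recognised as legitimate on this particular machine. Extend it per machine.
KNOWN_GOOD_RUN = {
    "ctfmon", "qttask", "msmsgs", "carpserv", "s3tray2", "gwhotkey", "apoint",
    "capfax", "navapw32", "zlclient", "realplay", "conmgr", "sndmon",
    "spysweeper", "wkdetect", "ypager",
}
NOT_NEEDED_AT_BOOT = {"qttask"}   # legitimate, but only wastes resources at startup

RUN_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SECTION = re.compile(r"^([A-Z]\d+) - ")
VOWELS = set("aeiouy")


def looks_random(name, min_len=8, max_vowel_fraction=0.3):
    """Crude 'random filename' test: long and almost vowel-free (vzvsusnxovqq).
    Short legitimate names such as ctfmon or msmsgs fall under min_len on purpose."""
    stem = re.sub(r"\.[A-Za-z0-9]{1,4}$", "", name)       # drop a trailing extension
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) <= max_vowel_fraction


def executable_of(cmd):
    """Pull the program path out of a Run value: a quoted path, else everything
    up to the first .exe (unquoted paths containing spaces are common in these logs)."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(?i)^(.*?\.exe)", cmd)
    return m.group(1) if m else cmd.split()[0]


def triage_run_entry(m, line):
    name, exe = m.group("name"), executable_of(m.group("cmd"))
    stem = re.sub(r"\.[A-Za-z0-9]{1,4}$", "", exe.rsplit("\\", 1)[-1]).lower()
    if stem in NOT_NEEDED_AT_BOOT:
        return Finding("O4", "optional", "legitimate but not needed at startup", line)
    if stem in KNOWN_GOOD_RUN:
        return None
    reasons = []
    if looks_random(name) or looks_random(stem):
        reasons.append("random-looking name")
    if "\\" not in exe:
        reasons.append("bare filename, resolved through the search path")
    if reasons:
        return Finding("O4", "fix", "; ".join(reasons), line)
    return Finding("O4", "review", "not in the allowlist", line)


def triage(log_text):
    findings = []
    for line in log_text.strip().splitlines():
        sec = SECTION.match(line)
        if not sec:
            continue                      # process list, header and blank lines
        tag = sec.group(1)
        m = RUN_LINE.match(line)
        if m:
            f = triage_run_entry(m, line)
            if f:
                findings.append(f)
        elif line.endswith("(no file)"):
            findings.append(Finding(tag, "fix", "orphaned entry: registered component has no file on disk", line))
        elif tag in ("R0", "R1") and re.search(r"(?i)\\(WINDOWS|WINNT)\\.*\.html?$", line):
            findings.append(Finding(tag, "fix", "local .htm in a system folder used as a browser page", line))
        elif tag == "R1" and "ProxyServer" in line and re.search(r"localhost|127\.0\.0\.1", line):
            findings.append(Finding(tag, "review", "browser proxied through a local listener; confirm what owns that port", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<3} {f.verdict:<8} {f.reason}\n    {f.line}")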
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    It's the weekend, we're all out having fun.. Spyware removal isn't always that fun :D
  • DexterDexter Vancouver, BC Canada
    edited July 2004
    I'm not out having fun :( It's too hot here, it was hard work getting the babies to bed tonight, I'm too tired out from our trip, and I have an ice pack on my knee because I smacked it into the bottom of a sheld when I was putting some old computer cases underneath the shelf...big puffy bruised knee now.... :( Oh, and my wife wants me to come fold laundry....sigh.

    Have some fun for me, ok Prime? :D

    Dexter...
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    I was at a party tonight that got crashed by an 18 year old kid who was carrying a half-polished off bottle of Finlandia.... He was totally wasted, and started hitting on my wife! Good times! :D:D
  • edited July 2004
    Guys, thank you so much for all the help. I really do appreciate it and all you have done for me and continue to do for everyone else in your spare time. I'm going to wait until my husband can help me with the safe mode/deleting operation because I'm not too saavy with the computer anymore. He's working five 12 hour shifts in a row at the ER so it might take a few days before I can get back to you on how it worked out. I will definitely come back to let you know.

    Thanks again!
    Michelle
  • DexterDexter Vancouver, BC Canada
    edited July 2004
    Safe mode is easy: reboot the computer, then keep tapping the F8 key until you get a screen full of boot options. There will be 3 choices that say SAFE MODE, just choose the one with no other options on it. It will boot slowly, and the screen will look a bit different. When it is booted up, re-run HJT, and follow the instructions we gave you.

    Dexter...
Sign In or Register to comment.