Options
it seems i get more spyware everday.... :(
every day i have new prograsm on my computer, like stopzilla, daily horoscope, smiley central, spyware stormer, i constantley get p[op ups all the time, i run ad-aware like 5 times a day and i still get all these pop ups and programs and crud, i relly need help. here i s my hi jack log
Logfile of HijackThis v1.98.2
Scan saved at 2:10:20 PM, on 9/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\iepv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\gwrcgku\skilwwb.exe
C:\WINDOWS\System32\ukidnjy\svdpqmb.exe
C:\WINDOWS\System32\cvss.exe
C:\Program Files\Bcpc\bcpc.exe
C:\WINDOWS\System32\uhlspjb\wxnxpkl.exe
C:\WINDOWS\System32\uhlspjb\imopjnu.exe
C:\WINDOWS\System32\tsrvoko\swnpbxt.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\WINDOWS\mfcij.exe
C:\WINDOWS\System32\Aff9.exe
C:\WINDOWS\System32\OwgRD.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Documents and Settings\David\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lmtie.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lmtie.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lmtie.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lmtie.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lmtie.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lmtie.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lmtie.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {D1BFEC24-B586-E127-595E-0E71235E38BB} - C:\WINDOWS\system32\winoo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [skilwwb] C:\WINDOWS\System32\gwrcgku\skilwwb.exe
O4 - HKLM\..\Run: [svdpqmb] C:\WINDOWS\System32\ukidnjy\svdpqmb.exe
O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
O4 - HKLM\..\Run: [ee.exe] C:\Program Files\EE\ee.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [netsr.exe] C:\WINDOWS\system32\netsr.exe
O4 - HKLM\..\Run: [sdkfa.exe] C:\WINDOWS\system32\sdkfa.exe
O4 - HKLM\..\Run: [wtkohsed] C:\WINDOWS\System32\rcfthup.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [appml.exe] C:\WINDOWS\system32\appml.exe
O4 - HKLM\..\Run: [mfcfj.exe] C:\WINDOWS\system32\mfcfj.exe
O4 - HKLM\..\Run: [BCPC] "C:\Program Files\Bcpc\bcpc.exe"
O4 - HKLM\..\Run: [wxnxpkl] C:\WINDOWS\System32\uhlspjb\wxnxpkl.exe
O4 - HKLM\..\Run: [imopjnu] C:\WINDOWS\System32\uhlspjb\imopjnu.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\SYSTEM32\EDA76.EXE
O4 - HKLM\..\Run: [swnpbxt] C:\WINDOWS\System32\tsrvoko\swnpbxt.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [vkrdxmy] C:\WINDOWS\System32\ltuawyf\vkrdxmy.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [mfcij.exe] C:\WINDOWS\mfcij.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/m0v1eus.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install100.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50191/QDow_AS2.cab
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/BM/BM.cab
please help, thanks.
Logfile of HijackThis v1.98.2
Scan saved at 2:10:20 PM, on 9/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\iepv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\gwrcgku\skilwwb.exe
C:\WINDOWS\System32\ukidnjy\svdpqmb.exe
C:\WINDOWS\System32\cvss.exe
C:\Program Files\Bcpc\bcpc.exe
C:\WINDOWS\System32\uhlspjb\wxnxpkl.exe
C:\WINDOWS\System32\uhlspjb\imopjnu.exe
C:\WINDOWS\System32\tsrvoko\swnpbxt.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\WINDOWS\mfcij.exe
C:\WINDOWS\System32\Aff9.exe
C:\WINDOWS\System32\OwgRD.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Documents and Settings\David\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lmtie.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lmtie.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lmtie.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\lmtie.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\lmtie.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lmtie.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\lmtie.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {D1BFEC24-B586-E127-595E-0E71235E38BB} - C:\WINDOWS\system32\winoo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [skilwwb] C:\WINDOWS\System32\gwrcgku\skilwwb.exe
O4 - HKLM\..\Run: [svdpqmb] C:\WINDOWS\System32\ukidnjy\svdpqmb.exe
O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
O4 - HKLM\..\Run: [ee.exe] C:\Program Files\EE\ee.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [netsr.exe] C:\WINDOWS\system32\netsr.exe
O4 - HKLM\..\Run: [sdkfa.exe] C:\WINDOWS\system32\sdkfa.exe
O4 - HKLM\..\Run: [wtkohsed] C:\WINDOWS\System32\rcfthup.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [appml.exe] C:\WINDOWS\system32\appml.exe
O4 - HKLM\..\Run: [mfcfj.exe] C:\WINDOWS\system32\mfcfj.exe
O4 - HKLM\..\Run: [BCPC] "C:\Program Files\Bcpc\bcpc.exe"
O4 - HKLM\..\Run: [wxnxpkl] C:\WINDOWS\System32\uhlspjb\wxnxpkl.exe
O4 - HKLM\..\Run: [imopjnu] C:\WINDOWS\System32\uhlspjb\imopjnu.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\SYSTEM32\EDA76.EXE
O4 - HKLM\..\Run: [swnpbxt] C:\WINDOWS\System32\tsrvoko\swnpbxt.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [vkrdxmy] C:\WINDOWS\System32\ltuawyf\vkrdxmy.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [mfcij.exe] C:\WINDOWS\mfcij.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/m0v1eus.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install100.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50191/QDow_AS2.cab
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/BM/BM.cab
please help, thanks.
0
Comments
I will help you with most of your spyware problems, but you have an infection of HSA. More knowledgable folks will help you get rid of that.
Before doing the following, please Set your computer to show hidden files and folders, Disable System Restore, and Reboot in Safe Mode.
Once you have done that, Run HijackThis and have it fix the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {D1BFEC24-B586-E127-595E-0E71235E38BB} - C:\WINDOWS\system32\winoo.dll
O4 - HKLM\..\Run: [skilwwb] C:\WINDOWS\System32\gwrcgku\skilwwb.exe
O4 - HKLM\..\Run: [svdpqmb] C:\WINDOWS\System32\ukidnjy\svdpqmb.exe
O4 - HKLM\..\Run: [ee.exe] C:\Program Files\EE\ee.exe
O4 - HKLM\..\Run: [netsr.exe] C:\WINDOWS\system32\netsr.exe
O4 - HKLM\..\Run: [sdkfa.exe] C:\WINDOWS\system32\sdkfa.exe
O4 - HKLM\..\Run: [wtkohsed] C:\WINDOWS\System32\rcfthup.exe
O4 - HKLM\..\Run: [appml.exe] C:\WINDOWS\system32\appml.exe
O4 - HKLM\..\Run: [mfcfj.exe] C:\WINDOWS\system32\mfcfj.exe
O4 - HKLM\..\Run: [BCPC] "C:\Program Files\Bcpc\bcpc.exe"
O4 - HKLM\..\Run: [wxnxpkl] C:\WINDOWS\System32\uhlspjb\wxnxpkl.exe
O4 - HKLM\..\Run: [imopjnu] C:\WINDOWS\System32\uhlspjb\imopjnu.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\SYSTEM32\EDA76.EXE
O4 - HKLM\..\Run: [swnpbxt] C:\WINDOWS\System32\tsrvoko\swnpbxt.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [vkrdxmy] C:\WINDOWS\System32\ltuawyf\vkrdxmy.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [mfcij.exe] C:\WINDOWS\mfcij.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.ne...cab/m0v1eus.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install100.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.8.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50191/QDow_AS2.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/BM/BM.cab
Then find and locate the files listed above and Quarentine Them.
Once you have done that, reboot, scan with HijackThis again, and post a new log.
Logfile of HijackThis v1.98.2
Scan saved at 4:02:14 PM, on 9/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\iepv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cvss.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\mfcij.exe
C:\Program Files\Winamp\Winamp.exe
C:\Documents and Settings\David\Local Settings\Temp\Temporary Directory 9 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sccbh.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sccbh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sccbh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sccbh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sccbh.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sccbh.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sccbh.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2B1F2F71-1736-ECD8-6C34-D087F9541CA6} - C:\WINDOWS\netml32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [mfcij.exe] C:\WINDOWS\mfcij.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx
O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/e2g27.exe
again thanks.
This is a bit tricky, so follow along closely:
First open a window with C:\WINDOWS in it. Then open another window with the same thing, C:\WINDOWS visible in it.
You should have both windows on screen, and everything else closed (internet explorer especially).
Make sure hidden files and folders are viewable.
Scroll down to the part in each window where you can see the problem files. Namely:
C:\WINDOWS\iepv.exe
C:\WINDOWS\mfcij.exe
C:\WINDOWS\sccbh.dll
C:\WINDOWS\netml32.dll
in the windows folder (if you have to open up a seperate window for each file, so be it).
Now, open up the task manager (CTRL-ALT-DEL) and go to the processes tab.
One at a time:
Right click on the C:\WINDOWS\iepv.exe process, and select "END PROCESS TREE". It will give you a warning. Say yes.
as soon as you do that, go into the window where you can see that file and DELETE IT
Next,
C:\WINDOWS\mfcij.exe. Same thing, right click --> END PROCESS TREE. Go to C:\WINDOWS\ and delete it.
Now, delete the other two files (C:\WINDOWS\sccbh.dll and C:\WINDOWS\netml32.dll).
Now, end all IEXPLORE.EXE processes as well.
Once all the bad processes are stopped and all those files are deleted, then remove these entries in HJT:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sccbh.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sccbh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\sccbh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sccbh.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\sccbh.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sccbh.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sccbh.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2B1F2F71-1736-ECD8-6C34-D087F9541CA6} - C:\WINDOWS\netml32.dll
O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [mfcij.exe] C:\WINDOWS\mfcij.exe
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx
O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/e2g27.exe
Now, after you have delete all those entries, close HJT and then run it again. If you see anything similar to these entries, delete them as well. You'll have to use judgment here, because if you open a browser to paste your log here, you'll probably get reinfected and have to start all over again.
Basically, we're looking for "randomly named" DLLs and EXE files in C:\WINDOWS and C:\WINDOWS\SYSTEM32., such as tzxtm.dll.
After you have cleaned the HJT log, UNPLUG the computer (no proper shutdown - just yank the cord).
Restart it, and post a new log here.
Scan saved at 5:42:40 PM, on 9/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\iepv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cvss.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\winstarter.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\windx.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Documents and Settings\David\Local Settings\Temp\Temporary Directory 10 for hijackthis.zip\HijackThis.exe
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\System32\winstarter.exe
O4 - HKLM\..\Run: [windx.exe] C:\WINDOWS\windx.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
i did all that u said, but i can only find some of the files u listed, and ievp.exe was in proccesses but not in my windows file, and i did the end process tree to it, and it wouldnt let me, thanks again.
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [windx.exe] C:\WINDOWS\windx.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
Fix those entries, then find and delete the folder "TV Media". Also delete the file windx.exe
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\System32\winstarter.exe
That is also a malicious file.