Help! Media Player Hijacked
Newbie here,
I can't open my MS Media Player 9. I get a "Browser Enhancement" pop up. I have read a couple other threads where this has happened but I was afraid to delete anything [with hijackthis] before consulting with the experts.
I have run Ad-Aware and Spybot and they did not fix it. Here is my Hijackthis log. Thanks in advance for the help guys!!!
Comments
Logfile of HijackThis v1.98.2
Scan saved at 12:58:50 PM, on 12/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Documents and Settings\Administrator.MPRENO\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\cdmsvc.exe
C:\WINNT\System32\CpqRcmc.exe
C:\Compaq\vcagent\vcagent.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINNT\System32\encsvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\mfcom.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\WINNT\System32\termsrv.exe
C:\Program Files\uphclean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\system32\Dfssvc.exe
C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\PROGRA~1\SAV\vptray.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\HiJack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\plg0\cxtpls.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - H:\WINDOWS\Helper101.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SDWin32 Class - {7A903FC7-88A5-4AFA-B471-A91274022E57} - C:\WINNT\system32\tbiic.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - H:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [stcloader] C:\WINNT\system32\stcloader.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdtl.exe
O4 - HKLM\..\Run: [ufgbovfb] C:\WINNT\system32\xutxmka.exe
O4 - HKLM\..\Run: [tbiicc] C:\WINNT\system32\tbiicc.exe
O4 - HKLM\..\Run: [434i37i] rsacmon.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.mpreno\windows\system32\rnr20.dll' missing
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mpreno.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{23AA715C-B1A8-4783-8BDB-E056696700B0}: Domain = mpreno.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{23AA715C-B1A8-4783-8BDB-E056696700B0}: NameServer = 192.168.100.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mpreno.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{23AA715C-B1A8-4783-8BDB-E056696700B0}: Domain = mpreno.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{23AA715C-B1A8-4783-8BDB-E056696700B0}: NameServer = 192.168.100.6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mpreno.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{23AA715C-B1A8-4783-8BDB-E056696700B0}: Domain = mpreno.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{23AA715C-B1A8-4783-8BDB-E056696700B0}: NameServer = 192.168.100.6
O20 - AppInit_DLLs: mfaphook.dll
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\plg0\cxtpls.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - H:\WINDOWS\Helper101.dll (file missing)
O4 - HKLM\..\Run: [stcloader] C:\WINNT\system32\stcloader.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdtl.exe
O4 - HKLM\..\Run: [ufgbovfb] C:\WINNT\system32\xutxmka.exe
O4 - HKLM\..\Run: [tbiicc] C:\WINNT\system32\tbiicc.exe
O4 - HKLM\..\Run: [434i37i] rsacmon.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
Fix those entries then find and delete the files listed above, reboot and post a new log.
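Checking the new log against a fix list by eye is easy to get wrong. The script below is an added example (not code from the thread) that parses HijackThis entry lines and reports which fix-list entries still appear in the follow-up log and which entries reference a file HijackThis already reports missing. The embedded strings are excerpts copied from the helper's list and the poster's second log above; the helper's full list and log are longer.

```python
"""Check a HijackThis cleanup against the helper's fix list."""
import re

# Subset of the helper's fix list, copied from this thread.
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - H:\WINDOWS\Helper101.dll (file missing)
O4 - HKLM\..\Run: [stcloader] C:\WINNT\system32\stcloader.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""

# Subset of the poster's second log (the one posted after the fix).
NEW_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\system32\ctfmon.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O20 - AppInit_DLLs: mfaphook.dll
"""

# A HijackThis entry line is "<section code> - <body>"; the header and
# the running-process list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.+)$")

def parse_entries(text):
    """Return the set of (section, body) entries found in a log or list."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group("type"), m.group("body")))
    return entries

def remaining_entries(fix_list, new_log):
    """Fix-list entries the new log still shows (kept on purpose, or re-created)."""
    return sorted(parse_entries(fix_list) & parse_entries(new_log))

def missing_file_entries(log):
    """Entries whose file is gone but whose registry reference remains."""
    return sorted(e for e in parse_entries(log) if e[1].endswith("(file missing)"))

if __name__ == "__main__":
    for section, body in remaining_entries(FIX_LIST, NEW_LOG):
        print(f"still present: {section} - {body}")
    for section, body in missing_file_entries(FIX_LIST):
        print(f"orphaned reference: {section} - {body}")
```

On the excerpts above it reports the ctfmon Run entry as still present, which is exactly the entry the poster chose to keep, so a reviewer sees at a glance what was left behind on purpose versus what came back.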
It looks like I am close to being back to normal [if not already there].
I am interested in using that "Spyware Shooter" as mentioned. I was looking at the FAQ on the website and it says to uninstall it you can download "Uninstaller.reg" but I can't seem to find it. Is that the one that is still a work in progress? I just want to have a backup plan in case it doesn't go over well.
The other thing I was going to let you know is that I checked out "ctfmon" and it looks like it is supposed to be there according to http://www.liutilities.com/products/wintaskspro/processlibrary/ctfmon/ so I did not delete that one. Anyway here is the latest log, please let me know if there is anything else I should get rid of and THANKS AGAIN!!!
Logfile of HijackThis v1.98.2
Scan saved at 7:09:02 PM, on 12/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Documents and Settings\Administrator.MPRENO\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\WINNT\System32\cdmsvc.exe
C:\WINNT\System32\CpqRcmc.exe
C:\Compaq\vcagent\vcagent.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINNT\System32\encsvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\mfcom.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\WINNT\System32\termsrv.exe
C:\Program Files\uphclean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\system32\Dfssvc.exe
C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
C:\WINNT\system32\winlogon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\PROGRA~1\SAV\vptray.exe
C:\WINNT\system32\ctfmon.exe
C:\HiJack\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SDWin32 Class - {7A903FC7-88A5-4AFA-B471-A91274022E57} - C:\WINNT\system32\tbiic.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.mpreno\windows\system32\rnr20.dll' missing
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mpreno.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{23AA715C-B1A8-4783-8BDB-E056696700B0}: Domain = mpreno.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{23AA715C-B1A8-4783-8BDB-E056696700B0}: NameServer = 192.168.100.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mpreno.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{23AA715C-B1A8-4783-8BDB-E056696700B0}: Domain = mpreno.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{23AA715C-B1A8-4783-8BDB-E056696700B0}: NameServer = 192.168.100.6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mpreno.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{23AA715C-B1A8-4783-8BDB-E056696700B0}: Domain = mpreno.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{23AA715C-B1A8-4783-8BDB-E056696700B0}: NameServer = 192.168.100.6
O20 - AppInit_DLLs: mfaphook.dll
I currently have uninstaller.reg finished, but it is on my other computer, which currently has no internet connection, so I can't upload it. As soon as I get the Internet back I'll upload it.