-
March 13th, 2004, 10:36 PM
#11
It is possible....have you ran any spyware removale tools recently? They can tell you if you have picked up alot of things. Also updating your AV and running it in safe mode will be benificial.
There are several really good tutorials that cover securing your system:
http://www.antionline.com/showthread...hreadid=255684
http://www.antionline.com/showthread...hreadid=255353
http://www.antionline.com/showthread...hreadid=255443
Are the 3 latest.
\"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
Author Unknown
-
March 13th, 2004, 11:30 PM
#12
Junior Member
Here is the log.
Logfile of HijackThis v1.97.7
Scan saved at 4:47:12 PM, on 3/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aeitv.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://qus7.hpwis.com/
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\aal4fohw.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [sysme] C:\WINDOWS\System32\sysme.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mfr.mlxchange.com/Control/Mul...ctComboBox.cab
O16 - DPF: {5D68B82D-C79F-4FFC-83C0-8D0FC794CEF2} (alaWeb.clsGetStats) - file://C:\WIN2000\CONTENT\cabs\alaWeb.CAB
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mfr.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {AED6797A-D608-11D4-89D2-00105AA3C57F} (alaGrid.TechDocSearch) - file://C:\WIN2000\CONTENT\cabs\alaGrid.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {ED29A481-CD46-43D9-85AA-E6E869DF2214} (MercStats.cStats) - file://C:\Program Files\Mercury\Content\cabs\MercStats.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD1A0F6B-A512-49DD-AF83-A629A5EB4517}: NameServer = 24.95.227.36,24.95.227.37
[glowpurple]Provide the Customer with Service that Exceeds their Expectatiions[/glowpurple]
-
March 13th, 2004, 11:42 PM
#13
04 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
This isn't a big deal, but I think most people on AO would rather have this disabled. Search the site for "Disable msmsgs". If your firewall doesn't block it, I think you can receive messenger SPAM.
Are these sites what you would like them to be? Or are these pages that are set from the hijack?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aeitv.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://qus7.hpwis.com/
Other than that, everything looks ok to me, nothing obvious.
-
March 13th, 2004, 11:57 PM
#14
excuse me but isnt this Radmin? "C:\WINDOWS\System32\r_server.exe" Have you installed radmin on your computer for remote administration? if not your severly owned
also "C:\WINDOWS\System32\sysme.exe" gotta go
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
March 14th, 2004, 01:36 AM
#15
Junior Member
The urls were good. Zone alarm will take good care of me from now on. I do use the radmin for remote administraiton.
Thanks for all of the great advice. I will be sure to pass it on.
-
March 14th, 2004, 03:45 AM
#16
Member
just my 2 rupees...
If I remember correctly, renaming the Messenger folder to something like Messenger_Backup or Messenger_Old seems to work...
Is it possible/probable that the Real Updater or Moneyside application is downloading junk in the background?
Also -- just a humble observation -- but why do you have both Money and Quicken installed?
-
March 14th, 2004, 04:18 AM
#17
Member
Use adware.
It might be spyware on your pc.
\"If knowledge is power. Why doesn\'t everybody read?\"
-
March 14th, 2004, 04:51 AM
#18
As for money and quicken, those probably have safe uninstalls in the add/remove function of the windows control panel. It's probably safer than hacking away at it with Hijack this. If you actually use it, don't freak out about it because it probably doesn't download anything huge.
WarTux:
I have run updated versions of adaware and spybot as well as various other programs all to no avail. Nothing will find it or delete it.
-
March 14th, 2004, 05:09 AM
#19
LOL.. soda.. I pointed out the exact same thing to WarTux in this thread.
it seems he doesn't read very well and thinks adaware is the catch all..
-
March 14th, 2004, 06:39 PM
#20
Just some thoughts:
1) You need to put HijackThis into its own folder . To do so:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
2) O4 - HKLM\..\Run: [sysme] C:\WINDOWS\System32\sysme.exe
This one is a baddie... virus/trojan related. Here is how I have seen the experts fix it:
Click here to download TheKillbox. Extract TheKillBox.exe from the zip file and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste this entry:
C:\WINDOWS\System32\sysme.exe
Click 'Exit' when done.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run: http://www.javacoolsoftware.net/downloa...setup.exe. Then try TheKillbox again.
Make sure that you have no other browsers or windows open as this could prevent the fix from working properly.
If you want to read the actual post that I took this from you can view it here
3) Here are some things that should be fixed with HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
4) These are things that you don't need running on startup- they hog system resources:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
To fix this: 1) Start RealOne Player (2) Tools -> Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
This is a DLL to enable multiple display monitors on a single computer. It can be a cause of numerous problems on some computers
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|