
Help with my Hijackthis please! 2


anatamez (Technical User, MX), Oct 14, 2004
My problem mainly is that there is a toolbar I didn't install, and another toolbar in the window space, above the task bar. Please, I will be more than pleased if you can help me.
I had already erased this one:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
but it appeared again. Thank you, and here's the log:


Logfile of HijackThis v1.98.2
Scan saved at 08:09:17 p.m., on 14/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\ARCHIV~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Common files\updater\wupdater.exe
C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\bundle.exe
C:\Archivos de programa\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Progress\bin\AdmSrvc.exe
C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccProxy.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
c:\archiv~1\intern~1\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Archivos de programa\DAP\DAPBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\ARCHIV~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Archivos de programa\Archivos comunes\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\ARCHIV~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Archivos de programa\Archivos comunes\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Desktop Zoom] C:\Archivos de programa\HPQ\Desktop Zoom\hpwinadj.exe -s
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\ARCHIV~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Archivos de programa\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Archivos de programa\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [mmtask] C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [updater] C:\Archivos de programa\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\bundle.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ViewMgr] C:\Archivos de programa\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Archivos de programa\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Archivos de programa\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mdajizyx] C:\WINDOWS\mdajizyx.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Puredog] C:\ARCHIV~1\Elsenurbtype\Dvd cool.exe
O4 - HKLM\..\Run: [extrabindtheamok] C:\Documents and Settings\All Users\Datos de programa\64 dupe extra bind\Five Dead.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Definition - http:\\wordreference.com\english\j\0300.htm
O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: =>&Deutsch - http:\\wordreference.com\de\j\iede99.htm
O8 - Extra context menu item: =>&Englisch - http:\\wordreference.com\de\en\j\deen40.htm
O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
O8 - Extra context menu item: =>English - http:\\wordreference.com\es\en\j\iespen109.htm
O8 - Extra context menu item: Backward &Links - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\ARCHIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Archivos de programa\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Archivos de programa\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Graffiti -
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) -
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) -
 
Hola,

the following should be cleaned out and destroyed:

C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\bundle.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\bundle.exe
O4 - HKLM\..\Run: [mdajizyx] C:\WINDOWS\mdajizyx.exe

Always clear out your TEMP folders, especially after you've been on the internet or done P2P...

I'd also suggest that you download SpyBot Search and Destroy, as well as Ad-Aware, and do a scan for other nasties...



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
OK, I erased those in the log and in the Windows folder, and also the Temp files and the cookies.
Just for information, I installed Messenger Plus, and after that the thing appeared, and my sister has the same problem on her computer. I erased them in safe mode and with SpyBot, and she says it is still in her window. Just saying for more information: Messenger Plus does not have an uninstall file, and I don't know if that is the problem, because my cousin also has the program installed and she doesn't have that problem. I really don't know what to do!
Oh, and thank you so much for your help. I hope you can give me some advice about this.
 
Hi,
I do not have time to go through this carefully, so a few comments for you.

Definitely Ben's stuff: fix lines, delete files, clean temp stuff. You probably should check Add/Remove Programs for something like "shop at home" and remove it.

Your toolbar is lop. You need to look back through the old threads for a post by makeitso. It has a link to his thread at swi where he got the fix steps. The lines you are looking at in your log are:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [Puredog] C:\ARCHIV~1\Elsenurbtype\Dvd cool.exe
O4 - HKLM\..\Run: [extrabindtheamok] C:\Documents and Settings\All Users\Datos de programa\64 dupe extra bind\Five Dead.exe

You also need to check this one, I get my updating programs confused on what is good and bad, check this to see which it is:
O4 - HKLM\..\Run: [updater] C:\Archivos de programa\Common files\updater\wupdater.exe

I see this recommended for removal as a "worthless kazaa addin".
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

And cross check me on this, but I believe messenger plus things are a problem-I think maybe associated with lop too.
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe"

Take care of those things, do an online virus scan, and run adaware.

After that post a new log and someone can let you know if there are any other problems left.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Thank you guys so much!
It's late here and I'm falling asleep right here.
The stupid toolbar is still there, but I think I'll restart the machine in safe mode and erase all those things that are unerasable in normal mode, and see if it works, but my poor laptop will have to wait for tomorrow. How stupid I was for installing MSN Plus, damn me, I did it even when my sister is fighting with these problems. Well, see ya tomorrow, and I hope I can find the answer. Thanks again.
 
In regard to the lop issue:


There are the two links. Running the uninstaller was what I could not remember.

On your system - for the lop - the steps would become

Run the uninstaller (you can get to it from the link on the swi post)

Fix these lines in your hijackthis log:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [Puredog] C:\ARCHIV~1\Elsenurbtype\Dvd cool.exe <=== (Unless this happens to be a program you have installed.)
O4 - HKLM\..\Run: [extrabindtheamok] C:\Documents and Settings\All Users\Datos de programa\64 dupe extra bind\Five Dead.exe

Then delete these folders:
O4 - HKLM\..\Run: [Puredog] C:\ARCHIV~1\Elsenurbtype <=== folder.
O4 - HKLM\..\Run: [extrabindtheamok] C:\Documents and Settings\All Users\Datos de programa\64 dupe extra bind <=== folder

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
As a recap, these are the lines that should be fixed:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [updater] C:\Archivos de programa\Common files\updater\wupdater.exe <==
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\bundle.exe
O4 - HKLM\..\Run: [mdajizyx] C:\WINDOWS\mdajizyx.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Puredog] C:\ARCHIV~1\Elsenurbtype\Dvd cool.exe
O4 - HKLM\..\Run: [extrabindtheamok] C:\Documents and Settings\All Users\Datos de programa\64 dupe extra bind\Five Dead.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) -
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
This file also needs to be deleted:
C:\Archivos de programa\Common files\updater\wupdater.exe <== file

Here is a link that shows fixing on messenger3plus.
Note that it also suggests that if you want to use it, reinstall it without sponsor software.

Do file deletions and add/remove programs as suggested in other posts.

It would also be wise to finish up with an online virus scan and an adaware scan.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
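The triage the replies above do by hand (spot autoruns living in a Temp folder, an executable dropped straight into C:\WINDOWS, autoruns under a user-writable data folder, a blanked SearchAssistant value, and whether the file is currently running so it must be killed before it can be deleted) can be scripted over the log text. The following is an added example, not code from the thread or from HijackThis itself; the heuristics, the 8.3/localized-folder normalisation and the Windows-root allowlist are assumptions chosen for illustration, and the sample log is constructed from lines of the shape posted above.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Parses the "Running processes" block plus R0 and O4 lines and applies a few
heuristic checks that mirror what the helpers in the thread flagged by eye.
The checks are assumptions for illustration, not HijackThis's own logic.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the thread's log. "Archivos de programa"
# is the Spanish-XP name of Program Files; DOCUME~1 etc. are 8.3 short names.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\bundle.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\bundle.exe
O4 - HKLM\..\Run: [mdajizyx] C:\WINDOWS\mdajizyx.exe
O4 - HKLM\..\Run: [extrabindtheamok] C:\Documents and Settings\All Users\Datos de programa\64 dupe extra bind\Five Dead.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 autorun: "[value name] path\to\file.exe [args]" (quotes optional)
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>[^"]*?\.exe)', re.I
)
# R0/R1 IE registry values: "key = value"
R_RE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^=]+)=\s*(?P<value>.*)$")

# Executables that legitimately live directly in the Windows root (assumed allowlist).
WINDOWS_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe"}


@dataclass
class Finding:
    name: str                 # Run value name, or the registry value for R0/R1
    line: str
    reasons: list = field(default_factory=list)


def norm(path: str) -> str:
    """Lower-case and expand the 8.3 / localized folder names seen in the log."""
    p = path.strip().lower()
    return (p.replace("docume~1", "documents and settings")
             .replace("archiv~1", "archivos de programa"))


def analyse(log_text: str) -> list:
    running, findings, in_procs = set(), [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False            # blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            running.add(norm(line))
            continue

        m = R_RE.match(line)
        if m and m["key"].strip().lower().endswith("searchassistant") and not m["value"].strip():
            findings.append(Finding("SearchAssistant", line,
                            ["IE SearchAssistant blanked; a hijacker that keeps rewriting the key"]))
            continue

        m = O4_RE.match(line)
        if not m:
            continue
        path, reasons = norm(m["path"]), []
        if "\\temp\\" in path:
            reasons.append("autorun points into a Temp folder")
        if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", path) and path.rsplit("\\", 1)[1] not in WINDOWS_ROOT_OK:
            reasons.append("executable dropped directly into the Windows root")
        if "\\documents and settings\\all users\\" in path:
            reasons.append("autorun under a user-writable data folder")
        if path in running:
            reasons.append("currently running: end the process before deleting the file")
        if reasons:
            findings.append(Finding(m["name"], line, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

The output is a review list, not a verdict: OEM and 8.3 paths outside Program Files will also surface, which is why each hit carries the reason it was flagged and the poster still decides what is theirs.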
 
Guys, I think I've finished with these things, but my machine is infected with the damn WYX.C, and Norton failed the repair procedure, I don't know why. Maybe the question here is, how can I know if it is still infected? Because I can do everything they say to disinfect it, but what if I don't have it anymore? I don't think that is the case, but there's always a chance.

another question:
what does these files do or mean?

RDGDEFRAGSTAT.exe
MICROLOADINFO.exe
ASDEXPLORERIMG.exe

Because some of the machines at work have those problems, as a system error or something. What do they do, or where can I get them back? Or what the hell is up with those?

Thank you, I know you can help me, and thanks for the other stuff, more thanks for everything, you guys really help.
 
Hola,

Go to the following website and do an online virus scan...


The online scan has the latest definitions there are at the time... make sure that you have Java 1.4 installed, then disable your Norton (for this scan only)...

About those files, well, I haven't been able to locate any information as to what they are or what they are for. They could well be part of programs that were once installed and haven't been totally cleaned, but could as well be trojans or viruses...

Go to the following website and download the program NTREGOPT to clean your registry:


I hope this helps...



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
Thank you so much BadBigBen. I can't tell you if the computers at work are already working because we haven't checked them yet, but I have a question about my machine.
I did the online scan you said; it found a trojan which was erased, and I scanned it again and it found nothing. Does that mean I no longer have the WYX.C? In general terms, my computer doesn't seem to be infected, it is working well. I haven't used the floppy, but I'll do it once I get home to see if there's a problem there. But generally, it works, and I can surf the net, send e-mails, burn CDs, listen to music, repeat. Does that mean my computer is not infected anymore?
Thank you so much for your help :D
 
@anatamez - Basically, you've caught all of the culprits that infected your machine...

Always update your antivirus software, at least twice monthly; best would be every week...

Install a firewall, such as ZoneAlarm or Steganos Personal Firewall or another, run AdAware, SpyBot, etc. and update them, especially when you have been on the internet...

another thing to watch for are attachments in Emails, especially those from people you do not know...

at least this way you will make it more difficult for Nasties to get your PC...



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 