Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Suspicious Programs 4

Status
Not open for further replies.

ScotsLass

MIS
Sep 9, 2003
99
US
Hello Everybody:

I have several programs on a User's machine that I wonder if anyone
can help identify what they are and what they do.

1) HXDLAZM
2) Dist1
3) saveinstCm
4) NLNP071
5) ss_IGN7_setup
6) superbarinst

Thanks
 
Hi,

A quick google search for each name has returned 0 results for each. Remember however that some viruses can save themselves as random names, so I would run good up to date virus and spyware scanners over the machine. If nothing is found, I would think the machine is clean, especially if they are located in the temp directory as all sorts of stuff gets in there.

John
 
You could also do a bootlog and see if there is any information showing there.

Ed Fair
Any advice I give is my best judgement based on my interpretation of the facts you supply. Help increase my knowledge by providing some feedback, good or bad, on any advice I have given.
 
Download spybot 7.0 and let it run a scan on your machine this also has the ability to inform you of everything that starts up on your machine very useful
 
hi!
I use WinXP Pro and I also have

Dist1.exe
icinstaller.exe
SaveInstCm.exe
ss_IGN7_setup.exe

and I also have

setup_td.exe

all in "C:\". Not even in a folder or anything.

I had HXDLAZM.exe
If you look at the properties, you'll see ""sear1". if you google this you'll see this is a spyware. Delete it.

Any information on the programs above would be greatly appreciated. (^o^)
 
Hi uminchu,

The same advice from previous messages in this thread still applied: download and run Spybot or Ad-Aware over your machine.
Those files again don't bring up anything in a google search (apart from a link to this thread). None are standard files supplied with XP (or any other OS) however, so I would see what spybot or ad-aware come up with, also check the file properties of them to see if there are any clues as to what they really are, and finally check msconfig to see if they are set to load at system startup.

John
 
Please Download hijackthis from


Unzip, doubleclick HijackThis.exe, and hit "Scan".

After the scan has finished the "scan" button will turn into a "save log" button

save the log file and paste it here

Do not delete anything yet, as most things hijackthis finds are harmless and needed.

steam
 
This is what hijackthis.exe found

Logfile of HijackThis v1.97.3
Scan saved at 7:55:53 PM, on 10/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\FarStone\GameDrivePro\GDTask.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael Leaning\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
O2 - BHO: (no name) - {76A3256A-E24F-4CCB-8D59-564FF9ECE948} - C:\WINDOWS\System32\gdierrgorrc.dll (file missing)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Michael Leaning\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Michael Leaning\Client\HelpExp.exe
O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Michael Leaning\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Spades - O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} (AxOOdlz Class) - O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) -
I have no idea what most of this stuff is...(?_?)
 
Close all browser windows - run hijackthis and tick to fix :-

O1 - Hosts: 216.177.73.139 auto.search.msn.com

O1 - Hosts: 216.177.73.139 search.netscape.com

O1 - Hosts: 216.177.73.139 ieautosearch

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)

O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL

O2 - BHO: (no name) - {76A3256A-E24F-4CCB-8D59-564FF9ECE948} - C:\WINDOWS\System32\gdierrgorrc.dll (file missing)

O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - (no file)

O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [TkBellExe] &quot;C:\Program Files\Common Files\Real\Update_OB\realsched.exe&quot; -osboot

O4 - HKLM\..\RunServices: [CMD] cmd32.exe

O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe

O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Michael Leaning\HXIUL.EXE

O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Michael Leaning\Client\HelpExp.exe

O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Michael Leaning\HXDL.EXE -from=&quot;HXIUL.EXE&quot; -to=&quot;HXIUL.EXE&quot;

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} -
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} (AxOOdlz Class) -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) -

------
do a search for this file and delete it (it is a virus)
cmd32.exe file

delete
C:\WINDOWS\System32\winservn.exe file

C:\Program Files\Common Files\GMT\GMT.exe (folder)


HXDL.EXE
or
HXIUL.EXE
Believed to be spyware - made by a company called Alset . Also known as &quot;HelpExpress&quot;. Will install itself if you have previously had Attune by Aveo installed as they're by the same company. Uninstall via Add/Remove programs

------
THEN

Do a free on-line virus scan here :-


or here :-


And a free on-line trojan scan here :-

---------
THEN

Please Download and install SpyBot,


click the online tab to search for and download the updates, then shut down and relaunch SpyBot.

Go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks' .
These aren't needed for our present purpose, and you can always experiment with them later on.

Finally, after closing down Internet Explorer, click 'Check for problems', and have SpyBot remove all it finds 'Fix selected problems'

you may have to run spybot more than once to clear everything

Remove everything pre-ticked in Red

good luck

steam
 
Hi Folks,

I'm having some of the same problems and probably manually removed some cookies last nite that might have been needed. B/C of that I thought I'd see if you might be able to lend me a hand here too. As you can see, my problems are remarkably similar to ScotsLass's.

Here's the Highjackthis output from this morning.

PS: I've been using adAware freeware and have been continually removing morphing ad/popup items.

Thanks in advance for any help you can provide! I'm getting crushed by this stuff!

Logfile of HijackThis v1.97.3
Scan saved at 11:02:54 AM, on 10/14/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\isysedit.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\tbctray.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\YAHOO!\PARENT~1\YPCSER~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\wisptis.exe
C:\Documents and Settings\default\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = R3 - URLSearchHook: CleverHook Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] &quot;C:\Program Files\Common Files\Symantec Shared\ccApp.exe&quot;
O4 - HKLM\..\Run: [2ECZW7H27#9HMH] C:\WINDOWS\System32\IpuFmd.exe
O4 - HKLM\..\Run: [isysedit.exe] C:\WINDOWS\System32\isysedit.exe
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Ad-aware] &quot;C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe&quot; +c
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] &quot;C:\PROGRA~1\MESSEN~1\msmsgs.exe&quot; /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [isysedit.exe] C:\WINDOWS\System32\isysedit.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Dell Home (HKCU)
O16 - DPF: Yahoo! Chat - O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - O16 - DPF: {3185BD6A-176F-42C0-B932-9C037F8F32A4} (WebDeployer5.ctlLoader) - O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - O16 - DPF: {62360003-D8A7-418B-9DC6-2B9DE95273A0} (MS Investor Ticker) - O16 - DPF: {79BB2CA8-6079-462B-B68A-C7AAA588FD8A} (WebDeployerUtil.ctlUtil) - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - O17 - HKLM\System\CCS\Services\Tcpip\..\{4D627BEC-A33E-431F-B56F-867407B99D94}: Domain = sbcglobal.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D627BEC-A33E-431F-B56F-867407B99D94}: NameServer = 151.164.1.8,151.164.1.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2123948-E8C6-4CDF-B2CC-1D99C1D11CCE}: NameServer = 151.164.1.8 151.164.11.201
 
Close all browser windows - run hijackthis and tick to fix :-


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
R3 - URLSearchHook: CleverHook Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll

O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll

O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe

O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -

--------
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

Do you have multiple monitors?

&quot;This is a DLL to enable multiple display monitors on a single computer. It can be a cause of numerous problems on some computers.&quot;

If you only have and intend to have 1 monitor - fix this
-------
This line which appears twice, I can find very little information on - but what I have found points to a possible virus

O4 - HKLM\..\Run: [isysedit.exe] C:\WINDOWS\System32\isysedit.exe

O4 - HKCU\..\Run: [isysedit.exe] C:\WINDOWS\System32\isysedit.exe


Do a free on-line virus scan here :-


or here :-


And a free on-line trojan scan here :-


And a free on-line trojan port scan here :-


If none of the above resolve the identity of the file, I would also consider fixing these two lines and deleting the file - if you keep it in the bin for a few days and all is well - ditch it.

-----
Also despite running adaware you still have spyware - run spybot as per my above post

steam
 
I've got much of it done....Here it is....

How important is it to get rid of the Yahoo stuff?

These two really need to go, right?

O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

I'll do spybot too! It feels good to be making progress! Some of the problems root in Kazaa which never fully uninstalled. Do you see any problem with just deleting the remaining pieces and putting it in the Recycle Bin...
 
Ooops here's the Hijackthis output....

Logfile of HijackThis v1.97.3
Scan saved at 4:04:02 PM, on 10/14/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\tbctray.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\YAHOO!\PARENT~1\YPCSER~1.EXE
C:\Documents and Settings\default\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] &quot;C:\Program Files\Common Files\Symantec Shared\ccApp.exe&quot;
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Ad-aware] &quot;C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe&quot; +c
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] &quot;C:\PROGRA~1\MESSEN~1\msmsgs.exe&quot; /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Dell Home (HKCU)
O16 - DPF: Yahoo! Chat - O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - O16 - DPF: {3185BD6A-176F-42C0-B932-9C037F8F32A4} (WebDeployer5.ctlLoader) - O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - O16 - DPF: {62360003-D8A7-418B-9DC6-2B9DE95273A0} (MS Investor Ticker) - O16 - DPF: {79BB2CA8-6079-462B-B68A-C7AAA588FD8A} (WebDeployerUtil.ctlUtil) - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - O17 - HKLM\System\CCS\Services\Tcpip\..\{4D627BEC-A33E-431F-B56F-867407B99D94}: Domain = sbcglobal.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D627BEC-A33E-431F-B56F-867407B99D94}: NameServer = 151.164.1.8,151.164.1.7
 
Some of the problems root in Kazaa which never fully uninstalled when I got rid of it a couple of weeks ago. Do you see any problem with just deleting the remaining pieces and putting it in the Recycle Bin?
 
Yes delete everything I posted in bold using hijackthis- you can go to Tools/internet options and set your homepage to yahoo.com when you've cleaned up the log.

This is what say about mosearch

MOSearch.exe - resource hog

(Microsoft) Microsoft Office XP Fast Search. Well, well, remember the nightmarish Find Fast of previous versions of Microsoft Office ? MO Search is the Office XP equivalent.

Recommendation :
New name, same problems. Endless trashing of your hard disk when you are not using it, and sometimes when you are, with delays in mouse movements, or downright temporary inability to do anything for a few seconds (while MOSEARCH is updating its indexes). The search speed gains are negligible and yet, as with Find Fast, the constant disk activity and response delays irritate end-users immensely. Try disabling MOSEARCH with Startup Manager. If that is not possible, then you will have to de-install &quot;Support for fast searching&quot; out of Microsoft Office XP, and then rename the program files MOSEARCH.EXE and MOSDMN.EXE by adding .old at the end of their names.

NVIEW ? - see what i said in the post above - it's up to you.

jeired.dll - is a browser hijacker

IEDriver.exe Installed as part of adware (Cydoor) based peer-to-peer file sharing software called URLBlaze
 
Steamwiz,
I've run hijackthis and can see no obvious problems with the output. I don't want to post the output here for your opinion, as I'm sure you dont want half a million users doing the same. Where can I find some further info for self analysis of the output provided by hijackthis.

Have a star by the way for your consistently clear and helpful advice in this and many other threads.

Marc
 
Cheers Mark

There is no need to worry about posting your hijackthis log

There is absolutely NO user identifiable or sensitive data in the log - just an anonymous readout of areas where problems may occur

I don't know of an f.a.q. or such for interpreting logs - it just comes with experience of seeing several hundred logs

steam
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top