Suspicious Programs 4

ScotsLass

MIS
Sep 9, 2003
99
US
Hello Everybody:

I have several programs on a User's machine that I wonder if anyone
can help identify what they are and what they do.

1) HXDLAZM
2) Dist1
3) saveinstCm
4) NLNP071
5) ss_IGN7_setup
6) superbarinst

Thanks
 
Mark

I think I misread your post - I don't mind looking over any log anyone wishes to post

steam
 
I am hoping that one of you can analyze my hijack log. I keep getting random processes showing in my task manager.
Thanks in advance!

Logfile of HijackThis v1.97.3
Scan saved at 12:09:33 AM, on 10/21/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plab.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\Promon.exe
C:\WINNT\System32\ltmsg.exe
C:\WINNT\System32\Atiptaxx.exe
C:\Program Files\Compaq\HotKey Software\hkss.exe
C:\PROGRA~1\Compaq\Security\Secure32.exe
C:\WINNT\System32\PRPCUI.exe
C:\WINNT\system32\nwscripnt.exe
C:\Documents and Settings\Administrator\Application Data\acco.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\Vyw4.exe
C:\WINNT\System32\YhfUtoO3.exe
C:\WINNT\System32\mdm.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINNT\system32\stlbdist.DLL (file missing)
O2 - BHO: (no name) - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINNT\system32\stlbdist.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\HotKey Software\hkss.exe
O4 - HKLM\..\Run: [Compaq Computer Security] C:\PROGRA~1\Compaq\Security\Secure32.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [nwscripnt.exe] C:\WINNT\system32\nwscripnt.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\system32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [stcloader] C:\WINNT\system32\stcloader.exe
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [24Q8SQ65GRECP6] C:\WINNT\System32\QlsPBA55.exe
O4 - HKCU\..\Run: [nwscripnt.exe] C:\WINNT\system32\nwscripnt.exe
O4 - HKCU\..\Run: [Saas] C:\Documents and Settings\Administrator\Application Data\naat.exe
O4 - HKCU\..\Run: [Asoe] C:\Documents and Settings\Administrator\Application Data\acco.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE -uninstall
O4 - Startup: LPR Utility.lnk = C:\DIGILPR\DIGILPR.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
 
Hi kipsjag,

Run HT again and check the following items. Double-check so as to be sure not to miss one.
Next, close all browser windows, and have HT 'fix checked'.

You MUST restart your computer when you're done.

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINNT\system32\stlbdist.DLL (file missing)
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINNT\system32\stlbdist.DLL (file missing)
O4 - HKLM\..\Run: [nwscripnt.exe] C:\WINNT\system32\nwscripnt.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\system32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [stcloader] C:\WINNT\system32\stcloader.exe
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O4 - HKLM\..\Run: [24Q8SQ65GRECP6] C:\WINNT\System32\QlsPBA55.exe
O4 - HKCU\..\Run: [nwscripnt.exe] C:\WINNT\system32\nwscripnt.exe
O4 - HKCU\..\Run: [Saas] C:\Documents and Settings\Administrator\Application Data\naat.exe
O4 - HKCU\..\Run: [Asoe] C:\Documents and Settings\Administrator\Application Data\acco.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE -uninstall

After restarting delete the following:
C:\WINNT\system32\stlbdist.DLL (FreeScratchCards parasite)
C:\WINNT\uptodate.exe (BrowserAid parasite)
C:\WINNT\Belt.exe (ABetterInternet parasite)
C:\WINNT\System32\QlsPBA55.exe (Trojan downloader)

The following appears to be a virus, so before deleting it, let's identify it.
C:\WINNT\system32\nwscripnt.exe

These two could be LOP parasite or a virus:
C:\Documents and Settings\Administrator\Application Data\acco.exe
C:\Documents and Settings\Administrator\Application Data\naat.exe

Go here and run an online virus scan and post the results in a reply. (If the scan comes up clean, could you zip those 3 files and email them to me to analyze? Email them here: tbeck41@adelphia.net)


Also uninstall HelpExpress.
 
tb525

How do you come to these conclusions ?

C:\WINNT\System32\QlsPBA55.exe (Trojan downloader)

The following appears to be a virus, so before deleting it, let's identify it.
C:\WINNT\system32\nwscripnt.exe

These two could be LOP parasite or a virus:
C:\Documents and Settings\Administrator\Application Data\acco.exe
C:\Documents and Settings\Administrator\Application Data\naat.exe

To me they are all "baddies" - and a virus scan would be the next step.

Why do you say this is a trojan QlsPBA55.exe
Why is this not a trojan nwscripnt.exe

And where do you see the connection with LOP and these
C:\Documents and Settings\Administrator\Application Data\acco.exe
C:\Documents and Settings\Administrator\Application Data\naat.exe

Please don't think I'm questioning you in any way - you are obviously very experienced and knowledgeable in these matters - I am asking for my benefit so that I may understand these things better myself. The way I look at it, we are all learning all the time, and just as I enjoy helping other people, I appreciate any help or knowledge I can glean from other people.

thanks

steam
 
Hi Steam, this entry is trojan Peper.A (TDS3). The identifier is the <random> 14 character string starting with a number.
O4 - HKLM\..\Run: [24Q8SQ65GRECP6] C:\WINNT\System32\QlsPBA55.exe

nwscripnt.exe may be a trojan... It's a 'virus' of some type...

As far as these:
C:\Documents and Settings\Administrator\Application Data\acco.exe
C:\Documents and Settings\Administrator\Application Data\naat.exe

Only two things load like this from the Application Data folder, LOP or a virus. These are likely viral seeing that there is no LOP BHO.


 
Hi tb525

Thanks for the heads up

with regards to the trojan Peper.A.

I read a post about it a few days ago - it's proving really difficult to get rid of because of its morphing capability

I should have seen these 2 entries in the running processes, which are part of it (ah well you can't remember everything you read) but I'll certainly spot this one if I see it again - but getting rid of it's another thing.

C:\WINNT\System32\Vyw4.exe
C:\WINNT\System32\YhfUtoO3.exe

You might find this thread interesting :-


steam
 
Thank you much. I will send you the zipped files. By the way, deleting these

C:\WINNT\System32\Vyw4.exe
C:\WINNT\System32\YhfUtoO3.exe

from Task Manager caused other 'random' images to appear or they restarted.

Keith
 
Here is the virus scan result (the random processes that kept recreating in this directory):

Scan started at 10/22/2003 7:45:58 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINNT\SYSTEM32\Ajcl.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\DgsIq4.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\Enx9T.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\Eqtz6w9.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\Erl6Z.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\Gdmhwa.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\GoqZ1mY.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\LesR.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\OvgRD.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\QlsPBA55.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\TafqX5mo.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\Tovs.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\Vyw4.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\Wwb73.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\Xlc2gJ.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\Xzgdq5.exe - TrojanDownloader:Win32/VB.Q -> Infected
C:\WINNT\SYSTEM32\YhfUtoO3.exe - TrojanDownloader:Win32/VB.Q -> Infected

Scanned
============================
Objects: 61459
Directories: 5415
Archives: 8018
Size(Kb): 1152248
Infected files: 17

Found
============================
Viruses found: 1
Suspicious files: 0
Disinfected files: 0
Mail files: 495
 
Hi everyone, I was wondering if someone could analyze a hijack log for me and give me a heads up on anything.
thanx

Logfile of HijackThis v1.97.3
Scan saved at 12:46:45 AM, on 10/23/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WPSPSW.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
D:\DOWNLOAD\HIJACKTHIS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: load=WPSLOAD.EXE
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - D:\FreshDownload\fdcatch.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [InCD] D:\InCD\InCD.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [TimeCalendar] "D:\TIMECALENDAR\TC.EXE" auto
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = D:\office\Office10\OSA.EXE
O4 - Startup: InterAct Profile Activator.lnk = D:\Gaming Devices\JoyAct.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Instant Messenger (SM) (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: Yahoo! Gin -
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) -
 
Hi kipsjag,

Close Internet Explorer and any remaining pop-up windows, then click Start > Run > type regedit and click OK.
Click the + next to the following keys:

HKEY_LOCAL_MACHINE
Software


You will see a group of sub folders. There will be a sub folder right at the beginning, with <random> 14 characters starting with a number. Right click on it and choose delete.
*Note: If there is a second sub folder with 14 <random> chars next to it, delete it as well.

Scroll down through the sub folders under Software and click the + next to Microsoft, continue and click the + next to:

Windows
CurrentVersion


Scroll down and left click once on the Run folder. In the right hand window right click on and delete the entry that looks something like this: (It will have 14 <random> characters and a <random> .exe)

24Q8SQ65GRECP6 = C:\WINNT\System32\QlsPBA55.exe

Collapse the registry tree and reboot. Delete all the files listed in the Rav report.
Reboot again and run HT and post a new log.
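Added example, not code from this thread or from HijackThis: a small Python triage script that applies the three rules tb525 gives earlier in the thread (a 14-character Run value name starting with a digit, an .exe autostarted from the Application Data folder, and a BHO or toolbar whose DLL is missing) to HijackThis O2/O3/O4 lines, and applies the same name check to a .reg export of the SOFTWARE key so the random subkey and Run value the regedit steps above describe can be found without clicking through the tree. The identifier regex is an assumption generalised from the one sample name in the thread; the log lines are taken from kipsjag's first log above and the .reg excerpt is constructed.

```python
"""Triage rules from this thread applied to HijackThis 1.97 log lines and to a
.reg export of the SOFTWARE key under HKLM. Added example, not code from the
thread or from HijackThis; the identifier regex is an assumption generalised
from the one sample name the thread gives, 24Q8SQ65GRECP6."""
import re
from dataclasses import dataclass

# Peper.A-style identifier as tb525 describes it: 14 random alphanumerics, the first a digit
RANDOM_NAME = re.compile(r"^[0-9][A-Za-z0-9]{13}$")
# O4 autostart line: "O4 - HKLM\..\Run: [value name] command line"
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# O2 (BHO) and O3 (toolbar) lines end with the CLSID and the DLL path
O2_O3 = re.compile(r"^(O2|O3) - .*?\{([0-9A-Fa-f-]{36})\} - (.*)$")
# an .exe launched straight out of the user's Application Data folder
APPDATA_EXE = re.compile(r"\\Application Data\\[^\\]+\.exe\b", re.IGNORECASE)
# .reg export syntax: [key path] headers and "name"=data lines
REG_KEY = re.compile(r"^\[(HKEY_[A-Z_]+\\.*)\]$")
REG_VALUE = re.compile(r'^"([^"]*)"=(.*)$')


@dataclass
class Finding:
    line: str
    reason: str


def is_random_name(name: str) -> bool:
    """True for names like 24Q8SQ65GRECP6, False for 'Synchronization Manager'."""
    return RANDOM_NAME.match(name) is not None


def triage(log_text: str) -> list:
    """Return the HijackThis lines that match one of the three rules from the thread."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line)
        if m:
            name, cmd = m.group(3), m.group(4)
            if is_random_name(name):
                findings.append(Finding(line, "Peper.A-style random Run value name"))
            if APPDATA_EXE.search(cmd):
                findings.append(Finding(line, "autostart from Application Data (LOP or virus)"))
            continue
        m = O2_O3.match(line)
        if m and (m.group(3) == "(no file)" or m.group(3).endswith("(file missing)")):
            findings.append(Finding(line, "BHO/toolbar whose DLL no longer exists"))
    return findings


def scan_reg_export(reg_text: str) -> list:
    """Apply the same name check to a .reg export: a random-named subkey directly
    under SOFTWARE, or a random-named value in the CurrentVersion Run key."""
    findings = []
    key = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            key = m.group(1)
            parent, _, leaf = key.rpartition("\\")
            if parent.upper().endswith("\\SOFTWARE") and is_random_name(leaf):
                findings.append(Finding(line, "random 14-char subkey directly under SOFTWARE"))
            continue
        m = REG_VALUE.match(line)
        if m and key.upper().endswith("\\CURRENTVERSION\\RUN") and is_random_name(m.group(1)):
            findings.append(Finding(line, "random 14-char Run value name"))
    return findings


# Lines taken from kipsjag's first HijackThis log in this thread
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINNT\system32\stlbdist.DLL (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [24Q8SQ65GRECP6] C:\WINNT\System32\QlsPBA55.exe
O4 - HKCU\..\Run: [Saas] C:\Documents and Settings\Administrator\Application Data\naat.exe
O4 - HKCU\..\Run: [Asoe] C:\Documents and Settings\Administrator\Application Data\acco.exe
"""

# Constructed .reg excerpt in the shape the regedit steps above describe
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\24Q8SQ65GRECP6]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"24Q8SQ65GRECP6"="C:\\WINNT\\System32\\QlsPBA55.exe"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG) + scan_reg_export(SAMPLE_REG):
        print(f"{f.reason}: {f.line}")
```

A .reg file for the second function is produced on the machine with `reg export HKLM\SOFTWARE software.reg` and read back with `open(...).read()`; the heuristics are a first pass for picking entries to submit to a scanner, not a verdict.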
 
Here is my hijackthis log. Hope that you can analyze it. Thanks.

Logfile of HijackThis v1.97.3
Scan saved at 03:07:11, on 24-10-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\WINABI~1\FOLDER~1\FGKEY.EXE
C:\WINDOWS\System32\TpScrLk.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\Program Files\blss\blss.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\1XConfig.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\WS_FTP Pro\ftpqueue.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Compaq S200 Scanner\S200Btns.exe
C:\WINDOWS\System32\Suspend.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\FlashGet\flashget.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ButtonMonitor] S200
O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
O4 - HKLM\..\Run: [blss] C:\Program Files\blss\blss.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [ftpqueue] "C:\Program Files\WS_FTP Pro\ftpqueue.exe" -tray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq S200 Button Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE0F1DE1-89F5-4679-AAD0-EE97D481E31C}: NameServer = 203.148.129.2
 
069923400
Close all browser windows - run hijackthis and tick to fix :-


O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll

O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe

O4 - HKLM\..\Run: [blss] C:\Program Files\blss\blss.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


blss.exe

BoClean calls this one CBlaster (trojan/dialer/downloader)

blss.exe is installed with Overnet and eDonkey. If you look in your Add/Remove Programs there is a program called "shield"; uninstall this and it will remove blss.exe.

or, alternatively

find the blss folder in Program Files and use the uninstall in there; it seems to remove it completely.

If you have any further problems please start a new thread - this thread is becoming confusing.

PLEASE NO MORE HIJACKTHIS LOGS IN THIS THREAD

We are waiting to see if kipsjag has got rid of his trojan

steam
 
Here is the latest log you requested:

Logfile of HijackThis v1.97.3
Scan saved at 12:17:45 AM, on 10/28/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plab.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\Promon.exe
C:\WINNT\System32\ltmsg.exe
C:\WINNT\System32\Atiptaxx.exe
C:\Program Files\Compaq\HotKey Software\hkss.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\mdm.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\HotKey Software\hkss.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: LPR Utility.lnk = C:\DIGILPR\DIGILPR.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.gordon.nu
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} -
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) -
 
Hi kipsjag,
Thanks for the files. I see you have already removed them, that's good, all are malware.

Nwscripnt.exe is a random AdGoblin/AdsInContext executable.

C:\Documents and Settings\Administrator\Application Data\acco.exe
C:\Documents and Settings\Administrator\Application Data\naat.exe

are PurityScan.100 Trojan.
 
Hi,
I found this thread via a Google search on belt.exe. My Norton Personal Firewall gave me a message that "Belt.exe" was trying to access the internet, and therefore my search led me to this post. I thought I was covered with Norton Personal Firewall and Norton Antivirus! I have deleted Belt.exe from my Windows XP registry and have the following HijackThis log to share in case anyone can comment. I am not sure where to start with it!

Logfile of HijackThis v1.97.3
Scan saved at 3:54:01 PM, on 11/1/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\New\Programs\Norton Personal Firewall\NISUM.EXE
C:\WINNT\System32\Atievxx.exe
C:\New\Programs\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Intuit\QAgent\QAGENT.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\WINNT\System32\mrtMngr.EXE
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\New\Programs\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\New\Programs\Intuit\QuickBooks\Components\QBAgent\qbdagent2002.exe
C:\New\Programs\Intuit\QUICKENW\QWDLLS.EXE
C:\Program Files\SAP\FrontEnd\sapgui\saplogon.exe
C:\New\Programs\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\regedit.exe
C:\New\Programs\pfe\PFE32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\New\Programs\Microsoft Office\Office10\OUTLOOK.EXE
C:\new\Programs\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Media Player\setup_wm.exe
C:\Documents and Settings\John\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.10.1:8080
O1 - Hosts: 169.254.224.94 Computer
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\New\Programs\Adobe\Acrobat_reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\New\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINNT\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\New\Programs\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\New\Programs\IM\Yahoo\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Messenger] C:\New\Programs\LYCOSM~1\Messenger.exe
O4 - Global Startup: Billminder.lnk = C:\New\Programs\Intuit\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\New\Programs\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\New\Programs\Intuit\QuickBooks\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Quicken Startup.lnk = C:\New\Programs\Intuit\QUICKENW\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\new\Programs\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: SEARCH (HKLM)
O9 - Extra button: ANTIVIRUS (HKLM)
O9 - Extra button: ENTERTAINMENT (HKLM)
O9 - Extra button: SECURITY (HKLM)
O9 - Extra button: SEARCH (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} -
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) -
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) -
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{09970621-E640-4740-B24F-D654A8B8F08A}: NameServer = 192.168.11.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B5FE58C-D9C3-4F36-B3F8-2004ECCC944E}: NameServer = 192.168.10.7,63.245.1.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{D64091ED-B615-463D-BC7F-169A34392C8B}: NameServer = 192.168.10.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{09970621-E640-4740-B24F-D654A8B8F08A}: NameServer = 192.168.11.201
 
I am somewhat new to this, but after following this thread I was wondering if someone could answer a few questions and take a look at my HijackThis log.
I have seen some things running in my "Processes" panel on the Task Manager that look new, and I wanted to know if anyone knows what they are. Sorry to waste your time if the questions seem simple, but I gotta start somewhere.
devldr32.exe
msmgs.exe
wjview.exe
HelpExp.exe
nopdb.exe
wanmpsvc.exe
emsw.exe
NMain.exe
emsw.exe
RfieFL.exe
Cry3Fzn2.exe
HelpExp.exe
Akes3.exe
Xfo26uwl.exe
CCAPP.exe
MSMSGS.exe
CSRSS.exe
Uth9525X.exe
The following appear on my startup menu (when I run msconfig); I've not seen them before:
NyjxWc1
dw.exe
CTHELPER
ADGJDet
qttask
Swim suit net (yes, I already figured this one was garbage)
I ran a trojan program and found nothing. I have Ad-aware, and these remain after running it. I also have SpyKiller, and I have run that twice.
When going through folders I have seen these files, and they seem suspicious:
install-tag001
ss_IGN7_setup
Sorry to be taking up so much space here.
This is my HijackThis log. Any help would be greatly appreciated.

Regards CF
Logfile of HijackThis v1.97.3
Scan saved at 9:37:53 AM, on 11/02/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DownloadWare\dw.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\Cry3Fzn2.exe
C:\WINDOWS\System32\RfieFl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PopupKillerTracksEraser\PopupKillerTray.exe
C:\PROGRA~1\NETWOR~1\v11\NE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Default\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
R3 - URLSearchHook: OESearchHook Class - {341FB59F-3507-443b-8147-423B4E3B2B15} - C:\Program Files\Common Files\OE\search.dll
O1 - Hosts: 66.40.16.227
O1 - Hosts: 216.65.115.190 search.msn.com
O1 - Hosts: 216.65.3.76 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll
O2 - BHO: (no name) - {874A8533-000C-4117-BA6D-6797DED7C987} - C:\WINDOWS\System32\ieakumi.dll
O2 - BHO: (no name) - {A09790E7-DD00-4A83-B632-5B563423CFBB} - C:\Program Files\PopupKillerTracksEraser\PopupKillerIEDLL.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7} - C:\Program Files\Common Files\OE\redirector.dll
O2 - BHO: SmartPops - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - C:\Program Files\Network Essentials\v11\NE.DLL
O2 - BHO: (no name) - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~2\Toolbar\pwrswmda.dll (file missing)
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [5A9EM4@2AX4#6S] C:\WINDOWS\System32\Nyjx1Wc1.exe
O4 - HKLM\..\Run: [SwimSuitNetwork] "C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe" /H
O4 - HKLM\..\Run: [msbb] C:\Program Files\nCase\msbb.exe
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .com/ProdContent/Dispatcher?REQUEST=ITEMID&itemid=49800741: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {00000000-663f-49e8-bdf6-f26db51c7dd5} -
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) -
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) -
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) -
O16 - DPF: {01112800-3E00-11D2-8470-0060089874ED} (Support.com Probe Class) -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) -
O16 - DPF: {11111111-1111-1111-1111-111111111111} -
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) -
O16 - DPF: {1FA643B0-F90E-11D3-BA0B-00C04F384A92} (HomeTsrCtrl Class) -
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) -
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} -
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) -
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) -
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {D7B3E460-9968-4191-BD6F-BEED1BC18482} (Loader Class) -
O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} (HDPluginCtrl Class) -
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) -
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} -
 
Thank you steamwiz for the feedback.

I ran CWShredder.zip and it reported >> CWS affiliate: Madfinnder Removed, Removed from your system - 9 infected IE Registry Values <<.

CWShredder told me that ByteVerifier was not found on my system, although according to Microsoft Bulletin MS03-011 I had an up-to-date version of the Microsoft VM. I say this because I ran jview from the cmd prompt and determined I had version 5.00.3810. I decided to follow directions at to uninstall the Microsoft Java Virtual Machine from Windows XP and install Sun's newer JVM for Windows. Hopefully I executed that all properly.

I have just rerun HijackThis. I noticed right away the references to that were in my previous HijackThis.log are missing. Here is the new log. Thanks again.

Logfile of HijackThis v1.97.3
Scan saved at 11:00:35 AM, on 11/2/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\New\Programs\Norton Personal Firewall\NISUM.EXE
C:\WINNT\System32\Atievxx.exe
C:\New\Programs\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Intuit\QAgent\QAGENT.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\WINNT\System32\mrtMngr.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\New\Programs\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\New\Programs\Intuit\QUICKENW\QWDLLS.EXE
C:\WINNT\System32\MsgSys.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\New\Data\downloads\j2re-1_4_2_01-windows-i586-iftw.exe
C:\DOCUME~1\John\LOCALS~1\Temp\Jav66.tmp.exe
C:\WINNT\System32\MSIEXEC.EXE
C:\WINNT\System32\msiexec.exe
C:\WINNT\System32\MsiExec.exe
C:\Documents and Settings\John\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.10.1:8080
O1 - Hosts: 169.254.224.94 Computer
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\New\Programs\Adobe\Acrobat_reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\New\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINNT\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\New\Programs\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\New\Programs\IM\Yahoo\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Messenger] C:\New\Programs\LYCOSM~1\Messenger.exe
O4 - Global Startup: Billminder.lnk = C:\New\Programs\Intuit\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\New\Programs\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\New\Programs\Intuit\QuickBooks\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Quicken Startup.lnk = C:\New\Programs\Intuit\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\new\Programs\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: SEARCH (HKLM)
O9 - Extra button: ANTIVIRUS (HKLM)
O9 - Extra button: ENTERTAINMENT (HKLM)
O9 - Extra button: SECURITY (HKLM)
O9 - Extra button: SEARCH (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} -
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) -
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) -
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{09970621-E640-4740-B24F-D654A8B8F08A}: NameServer = 192.168.11.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B5FE58C-D9C3-4F36-B3F8-2004ECCC944E}: NameServer = 192.168.10.7,63.245.1.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{D64091ED-B615-463D-BC7F-169A34392C8B}: NameServer = 192.168.10.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{09970621-E640-4740-B24F-D654A8B8F08A}: NameServer = 192.168.11.201
 
jcport67

1. Are you connecting through a proxy server?

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.10.1:8080

2. Did you put this in your hosts file?

O1 - Hosts: 169.254.224.94 Computer

3. Do you recognise these as being from your ISP?

O17 - HKLM\System\CCS\Services\Tcpip\..\{09970621-E640-4740-B24F-D654A8B8F08A}: NameServer = 192.168.11.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B5FE58C-D9C3-4F36-B3F8-2004ECCC944E}: NameServer = 192.168.10.7,63.245.1.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{D64091ED-B615-463D-BC7F-169A34392C8B}: NameServer = 192.168.10.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{09970621-E640-4740-B24F-D654A8B8F08A}: NameServer = 192.168.11.201

I cannot do a trace route on any of these ip addresses - they appear to be pointing to a private address - this is what I get :-

You are trying to traceroute to a private address, as defined
in RFC 1918 (among others). Those addresses are not available

Now to hijackthis

Close all browser windows - run hijackthis and tick to fix :-


O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
not required - resource hog

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
not required


O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} -
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} -


Reboot and delete

C:\WINNT\bi.dll file

steam
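The checks steam walks through above (are the O17 NameServer entries private RFC 1918 addresses or public ones, did the poster add the O1 hosts entry and the R1 proxy, and which O2/O4 entries look out of place) can be scripted. The following triage helper is an added example, not HijackThis code or anything the thread's posters used; its sample entries are constructed from the logs posted in this thread, and the rule that flags random-looking O4 file names such as Nyjx1Wc1.exe is a heuristic, not a definitive test.

```python
"""HijackThis log triage (added example for this thread, not HijackThis code; the O4 name rule is a heuristic)."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA range: never a real DNS server or host target
# Constructed sample: benign and questionable entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.10.1:8080
O1 - Hosts: 169.254.224.94 Computer
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
O4 - HKLM\..\Run: [5A9EM4@2AX4#6S] C:\WINDOWS\System32\Nyjx1Wc1.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B5FE58C-D9C3-4F36-B3F8-2004ECCC944E}: NameServer = 192.168.10.7,63.245.1.3
"""

def classify_ip(text):
    """Return 'loopback', 'link-local', 'rfc1918' or 'public' for a dotted-quad string."""
    ip = ipaddress.ip_address(text)
    if ip.is_loopback:
        return "loopback"
    if ip in LINK_LOCAL:
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"

def check_run_entry(line):
    """Flag O4 Run entries with odd value names (5A9EM4@2AX4#6S) or random-looking exe stems (Nyjx1Wc1)."""
    name = line[line.index("[") + 1:line.index("]")]
    rest = line[line.index("]") + 1:].strip()
    exe = rest.split('"')[1] if rest.startswith('"') else rest.split()[0]  # drop quotes and arguments
    base_name = exe.rsplit("\\", 1)[-1]
    stem = base_name.rsplit(".", 1)[0]
    odd_name = re.fullmatch(r"[\w .&!/-]+", name) is None
    # Heuristic: 6-10 alphanumerics mixing digits, lower and upper case, as in Nyjx1Wc1 or Cry3Fzn2.
    random_stem = re.fullmatch(r"(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,10}", stem) is not None
    if odd_name or random_stem:
        return [("O4", base_name, "autorun with an unusual value name or random-looking file name")]
    return []

def triage(log_text):
    """Return (section, detail, note) tuples for the entries a helper would ask the poster about."""
    findings = []
    for line in (ln.strip() for ln in log_text.splitlines() if ln.strip()):
        section = line.split(" ", 1)[0]
        if section == "O17":  # DNS servers: RFC 1918 ones are normally the router; public ones need checking
            for ip in (s.strip() for s in line.split("NameServer =", 1)[1].split(",")):
                kind = classify_ip(ip)
                note = ("private range (RFC 1918): normally the router or an internal DNS server"
                        if kind == "rfc1918" else f"{kind} address: confirm it is your ISP's resolver")
                findings.append(("O17", ip, note))
        elif section == "O1":  # hosts-file overrides that point anywhere but loopback
            fields = line.split("Hosts:", 1)[1].split()
            kind = classify_ip(fields[0])
            if kind != "loopback":
                findings.append(("O1", " ".join(fields[:2]), f"hosts override to a {kind} address; did you add it?"))
        elif section == "R1" and "ProxyServer" in line:
            findings.append(("R1", line.split("=", 1)[1].strip(), "proxy configured; confirm it is intentional"))
        elif section == "O2":  # unnamed BHO loaded straight from the Windows directory, like C:\WINNT\bi.dll
            parts = line.split(" - ", 3)
            if len(parts) == 4 and "(no name)" in parts[1] and parts[3].count("\\") == 2:
                findings.append(("O2", parts[3], "unnamed BHO sitting directly in the Windows directory"))
        elif section == "O4":
            findings.extend(check_run_entry(line))
    return findings

if __name__ == "__main__":
    for section, detail, note in triage(SAMPLE_LOG):
        print(f"{section:4} {detail:50} {note}")
```

Entries the script does not report (the ccApp autorun, for instance) are not declared clean; it only narrows the list to the lines worth a question, which is the step steam does by eye above.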
 