Rad01.quadrophone; Hijack This results

Discussion in 'Malware Help (A Specialist Will Reply)' started by Conklin, Jun 19, 2004.

  1. Conklin

    Conklin Private First Class

    As noted in recent posts, I think I've been hijacked on a laptop that I bought used on eBay; I suspect some resident process. Adaware scans have shown 6 files of Rad01.quadrophone, 2 of which are labeled "High Risk." I have been unable to eradicate these, as Adaware freezes up, each time I try.
    I downloaded and ran Spybot, which found and removed other processes, but not these.

    The computer is running VERY slowly, and CPU usage varies rapidly from 3% to 100% at times, and I don't know why.

    I am pasting the results of Hijack This. I took no action, since I don't really know what this info is.

    I sure hope there's some help out there for me! Please try to be fairly specific in recommendations, since I am a "Keeg" (opposite of "Geek!") ;~))

    Logfile of HijackThis v1.97.7
    Scan saved at 5:18:11 PM, on 6/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\documents and settings\default\local settings\temp\ddPTd.exe
    C:\WINDOWS\System32\tsmgr.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\ITWTAH9N\HijackThis[1].exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p IP_192.168.1.75c -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [ddPTd] C:\documents and settings\default\local settings\temp\ddPTd.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [57QYM#M5GWGF43] C:\WINDOWS\System32\VchsZQoq.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run this first: http://www.memorywatcher.com/uninst.exe
    It's a Peper Trojan removal tool.
    Then run this online scan: http://housecall.trendmicro.com/housecall/start_corp.asp

    Now shut down all applications, especially browsers, and run HijaakThis again. And have it fix the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [ddPTd] C:\documents and settings\default\local settings\temp\ddPTd.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [57QYM#M5GWGF43] C:\WINDOWS\System32\VchsZQoq.exe
    O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe



    Recommendation: Uninstall SpyKiller; it is considered spyware itself!
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup


    Make sure you are set up to view hidden files and folders (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
    Boot in safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
    and delete the following:

    C:\Program Files\SEP\sep.dll
    C:\Program Files\TV Media <-- the whole directory
    C:\WINDOWS\fash.exe
    C:\Program Files\Common files\WinTools <-- the whole directory
    C:\documents and settings\default\local settings\temp\ddPTd.exe
    C:\WINDOWS\System32\dp-him.exe
    C:\WINDOWS\System32\VchsZQoq.exe
    C:\WINDOWS\System32\keyword.exe
    C:\Windows\System32\Keyhost.exe
    C:\Windows\System32\VERSION.exe


    Start Microsoft Internet Explorer.
    In Internet Explorer, click Tools -> Internet Options.
    Click the Programs tab -> Reset Web Settings.

    Now reboot in normal mode and set your home page to whatever you like.
     
  3. Conklin

    Conklin Private First Class

    Major,
    I began to implement your suggestions.
    When I ran Memory watcher, the box appeared and the progress line made it half way across the space; then the entire box and program just disappeared. Poof! I repeated it 2-3 more times with the same results. Thinking that might just be the way it works, I advanced to "Housecall." It detected 75 items!! Every single one was "non-cleanable" so I deleted them all. I can't reproduce all, but broadly they were:

    Troj Stilem.A
    Troj Small.IQ
    BKDR Sandbox.A (several places)
    Troj REVOP.B
    Adw Ruledor C
    Troj Agent BG

    Many but not all were in System32.

    Having deleted them, I then went to Hijack This, and checked and deleted the items you indicated. However, that didn't get rid of any of the ones with the prefix 04, except for the Spykiller one. I ran Hijack This several times, checking the boxes each time and then "Fix." An immediate rescan showed they were there again, and unchecked.

    I am deferring any of the further suggestions until I hear back from you.

    My guess is that Memory watcher didn't work properly and somehow those 04 prefixed items are really entrenched.

    FWIW, after the cleanup with Housecall, the computer still runs just as slow, and that's VERY slow indeed.

    I appreciate your interest and help, and will wait expectantly for more from you.

    Best, and Happy Fathers Day...

    bill
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You needed to remove those items I indicated in safe mode after fixing with HijaakThis.
    Let's start over again. But this time disable system restore first. See this link on how to do that: http://www.majorgeeks.com/vb/showthread.php?t=31668

    Now reboot in normal mode. Run Ad-aware (UPDATE it again, they just changed today), scan and fix all that it finds. Do the same with SpyBot S&D. Now run Task Manager (CTRL-ALT-DEL); if you see any of those files that I indicated the first time for deletion running, shut them down with Task Manager. Now run HijaakThis and have it fix all the lines indicated the first time.

    Now do not run anything else. Reboot into safe mode. And try running the uninst.exe file (to remove the Peper Trojan); you should have downloaded it the first time, so hopefully you still have it. Now run Ad-aware and SpyBot (yes, again in safe mode) and clean what they find. Remember to make sure you are set up to view hidden files and folders as indicated in my first message. Now look for the list of files I gave you the first time and delete them.

    Reboot in normal mode and before running anything else run HijaakThis and post a new log.

    By the way, the name is Chas (Major Geek is just my title) but you can call me Major if you want. Just don't salute! :D
     
  5. Conklin

    Conklin Private First Class

    Bad day at Black Rock!

    I did as you said. First I disabled System Restore, then ran Ad-Aware.

    But as I have said in recent posts, something bad happens to that program. It detected 14 items, but when I tried to get rid of them by "checking all," then hitting "Next" and when faced with the choice of "Quarantine", Show Log File or "Next" I chose "next." As it has for many recent days, the computer then froze. I thought maybe since it was running everything so slowly, maybe I needed to give it more time. I came back in about an hour, and the screen had gone dead. I was able to bring up part of the screen, but the AdAware screen remained blank. I tried ctrl-alt-delete ("The Three-fingered Salute!!") and when I did that I got a new toolbar at the bottom of the screen, plus an invitation for some kind of atomic time-clock, which I declined. It installed anyhow, and asked if I wanted to always trust Gain!

    I had a HELL of a time getting out of all that crap. But I finally did, so I ran SpyBot, which showed about 40 new things, and got rid of most, but SpyBot said to reboot, which I did, and that cleaned that menu.


    Then, I had the thought that maybe somehow my copy of Ad-Aware had become corrupted, since it froze up every time, so I downloaded a new version. When I ran it, I got 24 Reg Keys, 3 Reg values, 75 Files and 14 Folders. Not only that, but the number of items scanned increased by about 5000. You can guess what happened when I tried to select all and remove: The sucker FROZE again! There it sits.

    Everything is unbelievably slow. It took over an hour to run SpyBot, and nearly an hour to run Ad-Aware.

    My wife thinks I've lost it because of the amount of time I've spent and the different things I've tried. I'm about tempted to just throw the damned thing away at this point.

    bill
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, since we keep having a problem with Ad-aware, let's do the following, since I don't know how far you got with this in my last message. The first 4 steps are very important (I have told you how to do 2 thru 4 already):

    1) Download CrapCleaner from here: http://www.majorgeeks.com/download4191.html Install it and run it. When it comes up, make sure you have the Windows tab selected, accept the default settings, and click Run Cleaner. When it's done, exit.
    2) If not already disabled, disable system restore
    3) Boot in safe mode
    4) Make sure you are set up to view hidden files and folders
    5) delete the following if they still exist. If you have a problem deleting any of these, check with task manager (CTRL-ALT-DEL) to see if you can find any of them running and shut it down:

    C:\Program Files\SEP\sep.dll
    C:\Program Files\TV Media <-- the whole directory
    C:\WINDOWS\fash.exe
    C:\Program Files\Common files\WinTools <-- the whole directory
    C:\documents and settings\default\local settings\temp\ddPTd.exe
    C:\WINDOWS\System32\dp-him.exe
    C:\WINDOWS\System32\VchsZQoq.exe
    C:\WINDOWS\System32\keyword.exe
    C:\Windows\System32\Keyhost.exe
    C:\Windows\System32\VERSION.exe

    6) Start Microsoft Internet Explorer.
    In Internet Explorer, click Tools -> Internet Options.
    Click the Programs tab -> Reset Web Settings.

    7) Run HijaakThis and have it fix any lines remaining from the last list I gave you to fix!

    Reboot in normal mode and let's see where we are now. If still having a problem, make sure all browsers are shut down and post a new HijaakThis log.
     
  7. zephod

    zephod Private E-2

    check out my post, see what you think. My computer runs 10 times faster now.
     
  8. Conklin

    Conklin Private First Class

    Chas,

    I followed directions 1-4 exactly.
    I'm not sure how you mean to "delete the following...". Where do I do that?
    I'm sure I seem dumber than a box of rocks, but I am trying to do this right.

    I did go ahead and go to task Mgr and none of those items were present there.

    I am going to stop at this point and await your reply, rather than go on to step 6 and beyond.

    Thanks for your help, Chas. I really appreciate it.
    There are moments when I picture driving a spike through the heart of this thing and throwing in the trash!!

    bill
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To delete those items you just use Windows Explorer and navigate to the correct place, select the item, then right click on it and select delete. Note that steps 2, 3, & 4 are very important to do before trying to delete those items. Do you know how to do 2, 3, & 4?
     
  10. Conklin

    Conklin Private First Class

    Chas,
    I figured out what I needed to do before I heard from you and used my file manager, Power Desk and found and deleted \SEP\sep.dll and TV Media, though it looked like the latter folder was empty. I also deleted ddPTd.exe from docs and settings. None of the others were present.

    Yes, I found out how to perform the steps 1-4 and did them in order, and properly.

    I then performed Step 6, OK.

    I didn't have Hijack This on my desktop, so I had to come out of Safe mode, download it again, and go back into safe mode. Once there I ran the file manager again, and the things I deleted had not come back.

    I then ran Hijack this, and deleted the things on the earlier list you had sent.

    I then rebooted in normal mode.

    Things are better, in that it runs a little faster but still very slow (e.g. about 75 seconds to load Outlook Express and open it.)

    I ran Ad Aware again, feeling like if we were "cured" it ought to run OK. It found 104 items including all the Rads01 stuff, and of course, froze when I tried to remove them, just as before!

    I then ran Hijack this again, copied the log, and am attaching it below. I note the return of much of the stuff I had just deleted.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:39:27 AM, on 6/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\atievxx.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\System32\tsmgr.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
    C:\Documents and Settings\default\Desktop\HijackThis.exe

    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p IP_192.168.1.75c -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [ddPTd] C:\documents and settings\default\local settings\temp\ddPTd.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [57QYM#M5GWGF43] C:\WINDOWS\System32\VchsZQoq.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some of the things I asked you to fix with HijaakThis, and the files I also asked you to delete, are still there. Look at the log. You still have (a couple may have been missed by me too):

    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [ddPTd] C:\documents and settings\default\local settings\temp\ddPTd.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [57QYM#M5GWGF43] C:\WINDOWS\System32\VchsZQoq.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    You need to fix these and also delete the files and directories as indicated before.

    I really think that this SpyKiller program is part of the problem here. You need to uninstall this program and make sure the line below is gone and the files associated with it are not running.
    I wonder whether it is part of the problem with Ad-aware, and it also may be the reason for some of these other items coming back.
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also one other very important note. Do not have HijaakThis running from your desktop. You need to put it in its own directory so it has a place to store backups. You can make a shortcut to it and put the shortcut on your desktop.

    Also, one more item I just noticed. Do you know what this program is for:
    C:\WINDOWS\System32\tsmgr.exe

    See if you can right click on it, select Properties, Version, and get info about the Manufacturer. If there is no Version tab I would be suspicious of this.
     
  13. Conklin

    Conklin Private First Class

    There is no such file as System32/tsmgr.exe that I can find.
    I HAVE been doing exactly as you said, and have skipped no steps.

    I went back to the beginning, ran memory watcher, Housecall, CrapCleaner, made sure system restore was disabled, made sure I could view hidden files, booted safe, ran task mgr, found none of those files you mentioned, ran Hijack this, reset web settings, and ran Hijack this.

    I am attaching TWO prints of Hijack this. The first was made right after I deleted the various items, and was still in Safe mode. The second was made after I rebooted in normal mode.

    Safe Hijack:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:57:25 PM, on 6/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\default\Desktop\HijackThis.exe

    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p IP_192.168.1.75c -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\tsmgr.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/200Logfile of HijackThis v1.97.7
    Scan saved at 2:03:34 PM, on 6/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\atievxx.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\System32\tsmgr.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
    C:\Documents and Settings\default\Desktop\HijackThis.exe

    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p IP_192.168.1.75c -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [ddPTd] C:\documents and settings\default\local settings\temp\ddPTd.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [57QYM#M5GWGF43] C:\WINDOWS\System32\VchsZQoq.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab

    The second, after rebooting normally:


    Logfile of HijackThis v1.97.7
    Scan saved at 2:03:34 PM, on 6/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\atievxx.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\System32\tsmgr.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
    C:\Documents and Settings\default\Desktop\HijackThis.exe

    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p IP_192.168.1.75c -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [ddPTd] C:\documents and settings\default\local settings\temp\ddPTd.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [57QYM#M5GWGF43] C:\WINDOWS\System32\VchsZQoq.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab


    FWIW, I'm not so sure about Spykiller for this reason: I had it on my desktop (not affected by any of this, thank God!) and it caused no trouble. I uninstalled it a few days ago without incident. It is on the "sick" computer because I put it there when all this began, since it had worked pretty well on my desktop. Maybe it's a culprit; I don't know.

    Anyhow, there you have it. I did as you said, and I think the above will verify that.

    bill
     
  14. Conklin

    Conklin Private First Class

    That's odd. I think I sent you the wrong set for what I did in safe mode. I looked at it and saw all the stuff had been removed. Here it is:



    Logfile of HijackThis v1.97.7
    Scan saved at 1:57:25 PM, on 6/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\default\Desktop\HijackThis.exe

    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p IP_192.168.1.75c -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\tsmgr.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're getting me a little confused here Bill.

    Your posts keep showing different info. You show two different safe mode boots one does not show:
    O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\tsmgr.exe
    and one does show it.

    Also your normal boots do not show that line but do show the process running. (C:\WINDOWS\System32\tsmgr.exe )

    This does not make sense. Also, I don't understand how all that garbage keeps showing up when you boot normally. Do you have multiple logins on this computer?

    If you still have SpyKiller installed, un-install it. You can always put it back in later. By the way, is this a licensed version of SpyKiller? I want to see if it is related to your Ad-aware problems.

    Please run CrapCleaner again.

    I see you have Ad-watch.exe running. Does that mean you have a registered version of Ad-aware?
    Uninstall Ad-aware, reboot, and re-install and then UPDATE and give it another run.
     
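    Chaslang's comparison above (safe-mode O4 list against normal-boot process list) done mechanically, as an added example that is not part of this thread or of HijackThis itself: it parses two HijackThis logs, lists the Run entries that are back after a normal boot, lists running processes that have no Run entry at all (the tsmgr.exe oddity), and flags Run entries that launch from a temp directory. The log excerpts are trimmed from the 1:57 PM and 2:03 PM logs posted above; the function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Processes expected to run with no Run entry: core Windows processes
# (started by the session manager / services) and HijackThis itself.
CORE_PROCESSES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "explorer.exe", "hijackthis.exe",
}

# Excerpts of the two logs posted in the thread (safe mode, then normal boot),
# trimmed to the lines the comparison needs.
SAFE_MODE_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 1:57:25 PM, on 6/21/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\default\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\tsmgr.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
"""

NORMAL_BOOT_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 2:03:34 PM, on 6/21/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tsmgr.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [ddPTd] C:\documents and settings\default\local settings\temp\ddPTd.exe
O4 - HKLM\..\Run: [57QYM#M5GWGF43] C:\WINDOWS\System32\VchsZQoq.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
"""


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)    # paths under "Running processes:"
    run_entries: list = field(default_factory=list)  # "O4 - ..." lines, verbatim


def parse_hjt(text):
    """Pull the running-process list and the O4 (autostart) lines out of a log."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line closes the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            log.processes.append(line)
        elif line.startswith("O4 - "):
            log.run_entries.append(line)
    return log


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def run_entry_diff(safe, normal):
    """Return (only_in_normal, only_in_safe) as sorted lists of O4 lines.
    Entries present only after the normal boot were removed in safe mode and
    came back, so something that runs in normal mode re-creates them."""
    s, n = set(safe.run_entries), set(normal.run_entries)
    return sorted(n - s), sorted(s - n)


def running_without_run_entry(log):
    """Running processes whose executable name appears in no O4 line and is
    not a core Windows process: started by a service, by another process,
    or from a launch point this HijackThis version does not list."""
    haystack = "\n".join(log.run_entries).lower()
    return [p for p in log.processes
            if basename(p) not in CORE_PROCESSES and basename(p) not in haystack]


def run_entries_in_temp(log):
    """O4 entries whose target lives under a temp directory; legitimate
    software does not autostart from there."""
    return [e for e in log.run_entries if re.search(r"\\temp\\", e, re.I)]


if __name__ == "__main__":
    safe, normal = parse_hjt(SAFE_MODE_LOG), parse_hjt(NORMAL_BOOT_LOG)
    back, gone = run_entry_diff(safe, normal)
    print("Run entries back after normal boot:", *back, sep="\n  ")
    print("Run entries seen only in safe mode:", *gone, sep="\n  ")
    print("Running with no Run entry:", *running_without_run_entry(normal), sep="\n  ")
    print("Autostarting from a temp dir:", *run_entries_in_temp(normal), sep="\n  ")
```
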
  16. Conklin

    Conklin Private First Class

    I apologize for the confusion. Let's start that over. I did as you said, and ended up running Hijack this in Safe-boot mode. I then ran a copy off, while in safe mode, and saved it as safe hijack.txt, which is this one: (note time)
    Logfile of HijackThis v1.97.7
    Scan saved at 1:57:25 PM, on 6/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\default\Desktop\HijackThis.exe

    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p IP_192.168.1.75c -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\tsmgr.exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab


    Note that all the crap is gone, because I just deleted it!

    I then exited Safe mode, re-booted and ran Hijack again. Here's what I got (note time). The crap is back.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:03:34 PM, on 6/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\atievxx.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\System32\tsmgr.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
    C:\Documents and Settings\default\Desktop\HijackThis.exe

    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p IP_192.168.1.75c -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [ddPTd] C:\documents and settings\default\local settings\temp\ddPTd.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [57QYM#M5GWGF43] C:\WINDOWS\System32\VchsZQoq.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab

    Yes that was a licensed version of Spykiller. I have uninstalled it days ago.
    I don't know for sure what is meant by multiple logins, but it's just me and my wife, and we're not doing anything fancy.

    I will uninstall the licensed version of Ad-aware, reboot and re-install.

    Thanks for your help in this twisted mess!

    bill
     
  17. Conklin

    Conklin Private First Class

    The idea of deleting Adaware was good one. I did that and then downloaded and re-installed it. Bingo! It worked fine, and the computer is working a lot better.

    I'm not sure we're out of the woods yet, tho.

    I ran Hijack and erased the usual suspects.
    Let's see what happens next...

    Thanks Maje, You da' man!!

    bill
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You said, "Yes that was a licensed version of Spykiller. I have uninstalled it days ago. " But notice in your normal boot log you have:

    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

    In normal mode, have HijackThis fix the above line. Then look for the C:\Program Files\SpyKiller directory and delete the whole directory.

    One other important item and I'm repeating this from a previous message to you:

    Also one other very important note. Do not have HijackThis running from your desktop. You need to put it in its own directory so it has a place to store backups. You can make a shortcut to it and put the shortcut on your desktop.

    Let's retry the Peper Trojan cleaner tool: http://www.memorywatcher.com/uninst.exe

    Now let's try the rest again but in normal boot mode as above. Run HijackThis again and fix:
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [ddPTd] C:\documents and settings\default\local settings\temp\ddPTd.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [57QYM#M5GWGF43] C:\WINDOWS\System32\VchsZQoq.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    Then delete the following:

    C:\Program Files\TV Media <--- The whole directory
    C:\WINDOWS\System32\keyword.exe
    C:\WINDOWS\fash.exe
    C:\documents and settings\default\local settings\temp <--- the whole directory but make sure you do not have anything else you need in this directory. I would assume a temp directory is not required though.
    C:\WINDOWS\System32\dp-him.exe
    C:\Program Files\Common files\WinTools <--- the whole directory
    C:\WINDOWS\System32\VchsZQoq.exe

    I would still like to know what this next file really is:
    C:\WINDOWS\System32\tsmgr.exe

    Earlier I asked you to "See if you can right click on it, select Properties, Version, and get info about the Manufacturer. If there is no Version tab I would be suspicious of this." I need this info.

    For now though I would like you to just rename tsmgr.exe to tsmgrexe.old. I don't understand why it only shows as an O4 entry in safe mode.

    Now reboot and let me know what happens and send another HijackThis log.
     
  19. Conklin

    Conklin Private First Class

    Note your comment on not having Hijack this on desktop, which is where it now is. When I run it, the backups also go to desktop.

    I don't know what to do or how to put it in its own directory. I guess I could delete the version on the desktop, and download it into a folder. Should I do it that way?

    As I told you, I couldn't find C:\WINDOWS\System32\tsmgr.
    I looked thru all files under System32, and also ran a file-finder, and couldn't find it. What should I do about this?

    I have no idea why Spykiller is still around. But I'll do as you say and try again to delete it. I have deleted it 3-4 times since I uninstalled it and it keeps coming back, like a bad penny!

    For now, I'll run Hijack and fix the line, plus delete the list you sent. I'll run memorywatcher again, as well. When I ran it earlier it seemed to run part way and then disappear. I don't know if that's normal for it or not. There was no report or anything like that; it just showed the progress bar going about half way across the screen and then it was gone.

    And I'll delete the files you want me to.

    It's late here; later there. I'll do these things and check again in the morning.

    Thanks again, buddy.

    bc
     
  20. Conklin

    Conklin Private First Class

    Just a few minutes later...
    I ran Hijack, looking for Spykiller and the other things you wanted me to delete.

    Here's a copy of the log, and none of them, including Spykiller are there.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:01:50 PM, on 6/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\atievxx.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\WINDOWS\System32\tsmgr.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
    C:\PROGRA~1\SYMANTEC\LIVEUP~1\LUCOMS~1.EXE
    C:\Documents and Settings\default\Desktop\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p IP_192.168.1.75c -pn "hp LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab

    I ran memorywatcher again, with the same odd result: the progress bar goes half way and then the whole thing disappears. I don't know what to make of this and don't know what to expect when I run it.

    I used Explorer, and was unable to find any of the files you said to delete. The doc and settings temp file was there, and contained 3 objects, none of which I was allowed to delete:
    GLB1A2B
    ladHide4.dll
    Jar_cache50458.tmp.

    I have no idea what any of those are. I tried to delete all, and then each, but was not allowed to do so.

    Again I couldn't find anything resembling System32\tsmgr.exe. Where have you seen it? I even opened each folder under System32 looking for it, to no avail.

    The computer is now running at normal speed, and a run of AdAware showed one tracking cookie, which I deleted. It seems like repairing AdAware had a very good effect.

    I will await further instructions after you see this copy of the Hijack log.

    bill
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bill, Run Windows Explorer. And select your C:\ directory. Then click on File, New, and then Folder. Change the New Folder name to something like HijackThis. Now use your mouse and right click on the HijackThis that is on your desktop and while holding down the mouse button drag it into the explorer window and over the new HijackThis folder you created. When the folder is highlighted it is selected. Let go of the mouse and select Move. The program is now in its own directory. You can just double click on the folder to open it and then double click again on HijackThis.exe to run it. If you want to make it easy to run, you can right click on the program in its new folder, and while holding down the mouse button, drag it to your desktop and let go of the button. Select Create Shortcuts Here. Now you can quickly run it but it is not located on your desktop. You can drag all your backups into the new folder too (get them off your desktop, too much clutter).

    Try one more thing to locate that tsmgr.exe file but first a question. Are you set up to see file extensions? In other words, can you see any file extensions of .EXE? Check by going into your c:\windows directory. When you searched did you try this: Click Start, Search, All Files and Folders, More Advanced Options, make sure Search System Folders, Search Hidden files and folders, and Search subfolders are checked. Now enter the file name like this: tsmgr.* This means find anything named tsmgr with any extension.
     
  22. Conklin

    Conklin Private First Class

    Chas,

    This AM, I ran Adaware and found one cookie, but it's one of the same cookies I've deleted every day for at least 3 days:

    C:\documents and settings\default\cookies\default.atdmt[2].txt

    I don't know what it is, and in a moment you will see why I'm a little concerned.
    I then ran SpyBot and found and removed:

    DSO Exploit 5 entries
    Avenue A,Inc 1 entry
    Mediaplex 1 entry

    I ran Hijack and found none of the things we had worried about and nothing I felt I needed to remove.

    But...

    It got me to thinking about my desktop computer which sits about 4 feet from the laptop we've been working on. I had been saving the Hijack reports and eMailing them as attachments, to my desktop computer, and then cutting and pasting them into the messages on the Spyware page. I did this because the laptop was so painfully slow, plus often just wasn't doing what was asked.

    This may have been a *really dumb* idea, if I might have infected my desktop with those attachments.

    I have been running Adaware on my desktop every day or two, and I'd have zero or maybe one cookie. Today I had 8 of them, and one was the atdmt.txt one that was also on the laptop. The other 7 had different names but were all in documents and settings\owner\cookies. I removed them.

    I ran Spybot on my desktop computer and got the same 7 entries as I mentioned on my wife's computer (DSO was 5 of them) and in addition:

    DoubleClick 1 entry
    BFast 1 entry
    Coolwwwsearch 1 entry
    Hitbox 1 entry.

    I removed them, and then rebooted.
    DSO, Avenue A and Mediaplex had all returned after I rebooted. I removed them again.

    You have been generous with your time, energy and patience, and I hope we're nearly done. But I'd like to have both computers CLEAN!! and have them stay that way.

    Suggestions?

    Should we open a new topic? This one is getting pretty long and really doesn't pertain much to the title.

    Thanks again.
    bill
     
  23. Conklin

    Conklin Private First Class

    Chas,

    Where are you??
    It would be a shame, after all that swimming, to die in sight of the beach!
    As I have said, repeatedly, I truly thank you for all your help.

    If you can pull me out of this last part, I'll be more than grateful!

    bill :)
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bill, I'm back. Today was graduation day for my son. So we had a load of work to do today for a family party afterwards. I just got everyone out of the house now. So now it's back to my nightly ritual of spy killing! :D

    First let's talk about the DSO Exploit issue. Is your WinXP system up to date with all of Microsoft's Updates? If not, go to support.microsoft.com and get your system scanned and put in all of the critical updates. Then you will not have to worry about the DSO Exploit problem that SpyBot keeps identifying incorrectly. (This is a bug.)
    See this information:
    http://forums.net-integration.net/index.php?showtopic=15308
    You can also set up SpyBot to ignore DSO Exploit. Set the Mode to Advanced and under Settings go to Ignore Products. Select the Security tab and put a check in the DSO Exploit box. It will be ignored from now on. But as I said above, only do this if your XP software is up to date.

    Note some cookies will almost always be found after doing any amount of surfing. Not a big deal. atdmt is a common one and is related to Avenue A. See this information. doubleclick and hitbox are also very common.

    Are your SpyBot and Ad-aware up to date? SpyBot's last detection update was 6/16/2004 and the Ad-aware reflist was updated today to 01R324 22.06.2004.

    Try scanning with both in safe mode.

    Chas
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And you're right, if we need to work on this stuff, let's start a new thread with a related subject line.
     
  26. hpjbus

    hpjbus Private E-2

    ladhide4.dll is a library file of HP's Backweb program. You have to remove Backweb from SAFE MODE, from the add/remove program in the control panel.
    If it returns you have other problems also (like adware/spyware/malware or a virus).
    HP will not give a decent explanation of the backweb program and its functions. But without getting too technical, it runs when windows starts up, monitors your entire session, accesses the web in search of hp updates for anything hp attached to your computer, notifies you if any updates exist, and downloads/installs them.
    It "DOES" S-L-O-W down even the fastest CPU, no matter what amount of RAM is installed. (Yep, HP is dumber than a box of wet rocks)
    They also install some adware, although it differs and is not recognized by most adware removal programs because in itself it is not malware.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And the purpose of adding this message to a thread that has been dead for 7 months is what?

    The topic of the thread was Rad01.quadrophone. Yes there was a backweb program running, but in this case it was related to Logitech, not HP. There are many companies using this generic tool. You can go to their website and even see the logos for companies who use it (http://www.backweb.com/).

    There are many processes around related to backweb and also many DLLs. See: http://www.iamnotageek.com/a/359-p1.php
     
