Major spyware problem

Discussion in 'System Security & Infection Support' started by kayslice, Jul 28, 2004.

  1. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
    Ok i got a few spyware that doesn't seem to go away no matter what i do.
    I've USED AD-AWARE AND SPYBOT. heres the story,everytime i log into my account in windows and i click IE the search always appears now,i mean the search as in the button next to Favorite in the tools bar above. this search side bar leads to the site http://www.searchxl.com/ie/. and when i try to go to a website the first thing that happens is the IE just freezes for a couple seconds and this other IE comes out of nowhere leading me to hardware stores...and other apliances. this only happens once prior to opening IE. And not only that, everynow and then this site with vitamins..other stuff pops up,but it takes up my screen like a computer game and sometimes i can not get rid of it through End Task, the site leads to Jetseeker.com or something like that. What i have not fixed on my find with spybot is a thing called "DSO Exploit" which is a microsoft company and i did not think it was harmful.

    also: i did have kazaa lite but uninstalled it, but a kazaa popup continues to popup every once in awhile and with my usage with spybot and ad-aware i do not think they've found anything on kazaa.
    Also i've used AVG to scan for viruses,lucky i've only found one or so i think. its called UPDATE12.JS or something likethat,but everytime i move that to the vault a warning window would always pop up everytime i log in. and do you guys know anything about a "key.exe" b/c it tends to popup once in awhile with a warning window stating that its not performing properly or what not. any suggestions? much appreciation!!
     
    Last edited: Jul 28, 2004
    kayslice, Jul 28, 2004
    #1
    1. Advertisements

  2. kayslice

    James Photojournalist

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
    key.exe is an app that works with your keyboard. It sounds like you have a few things linguring around. First, I would go to our Handy Tools section and run Kazaa be gone. Then post your HijackThis log here as well.
     
    James, Jul 28, 2004
    #2
    1. Advertisements

  3. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
    ok so i ran the kazaa begone and i got the HijackThis and heres the log


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\key.exe
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searchxl.com/ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchxl.com/ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\SARORC~1\LOCALS~1\Temp\yek.dat
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [WorkFlo] E:\BrdJmp\WorkFlow.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [key] C:\WINDOWS\key.exe
    O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/sysreg.reg
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111133} - file://c:\windows\temp\ie.exe
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O18 - Protocol hijack: mhtml -
     
    kayslice, Jul 28, 2004
    #3
  4. kayslice

    James Photojournalist

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
    Remove all of these:

    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searchxl.com/ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchxl.com/ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchxl.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\SARORC~1\LOCALS~1\Temp\yek.dat
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O16 - DPF: {11111111-1111-1111-1111-111111111133} - file://c:\windows\temp\ie.exe
     
    James, Jul 29, 2004
    #4
  5. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
    things are looking good,thanks a lot. my browsing seems to be faster now. although there is a minor problem,after restarting my computer to see if the spyware is gone,i open my IE, and everything seems fine ( the sidesearch doesn't appear anymore, don't see any kazaa popping up,no sign of that popup that takes up my whole screen) but when i come to this forum ( from my favorites ) my IE pauses for a second and another IE popups that leads me to Techbot.com, its been doing it for awhile,how do i get rid of this spyware? thanks again
     
    kayslice, Jul 29, 2004
    #5
  6. kayslice

    James Photojournalist

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
    Delete the bookmark and bookmark us while you're logged in. www.binarydreams.us

    Then post your new HJT log, maybe I missed something.
     
    James, Jul 29, 2004
    #6
  7. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
    ok here it is:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\key.exe
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hijackthis\HijackThis.exe
    O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\SARORC~1\LOCALS~1\Temp\yek.dat
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [WorkFlo] E:\BrdJmp\WorkFlow.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [key] C:\WINDOWS\key.exe
    O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/sysreg.reg
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O18 - Protocol hijack: mhtml -
     
    kayslice, Jul 29, 2004
    #7
  8. kayslice

    James Photojournalist

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
    O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\SARORC~1\LOCALS~1\Temp\yek.dat
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
     
    James, Jul 29, 2004
    #8
  9. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
    i just restarted my comp,heres the latest log without having opening IE yet. after the log the popup directed me to Petco.com and googlesyndication.com,ill delete the ones you just selected above,but are there any differences here?


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\key.exe
    C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\hijackthis\HijackThis.exe
    O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\SARORC~1\LOCALS~1\Temp\yek.dat
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [WorkFlo] E:\BrdJmp\WorkFlow.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [key] C:\WINDOWS\key.exe
    O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/sysreg.reg
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O18 - Protocol hijack: mhtml -
     
    kayslice, Jul 29, 2004
    #9
  10. kayslice

    James Photojournalist

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
    Hmm. Do you have an ATI card or Nvidea?

    O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\SARORC~1\LOCALS~1\Temp\yek.dat
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.co...t/c381/chat.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/gam...nts/y/ct2_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...ts/y/potd_x.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.co...v45/yacscom.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared...76/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared...,16/mcgdmgr.cab
     
    James, Jul 29, 2004
    #10
  11. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
    ATI card..Nvidea,i don't think im familiar with those
     
    kayslice, Jul 29, 2004
    #11
  12. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
    ok so i fixed the latest ones you selected for me,and for the first time they do not appear anymore,hope this continues. thanks a whole bunch!

    edit: nvm,that techbot.com still appears,it comes up when i go to certain new sites =(
     
    Last edited: Jul 29, 2004
    kayslice, Jul 29, 2004
    #12
  13. kayslice

    Ruler1 Hi VIP Member

    Joined:
    Nov 28, 2003
    Messages:
    321
    Likes Received:
    4
    Location:
    USA
    James how do you know what to delete and what not to get rid of? where did you learn it?
     
    Ruler1, Jul 29, 2004
    #13
  14. kayslice

    James Photojournalist

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
    Go to our HT section and run the Nvidia Nasty file remover. And remove this:

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    You may have to remove these in Safe Mode... Run CWS just incase as well. It seems like your HOSTS file is infected. Do a search for it and delete it as well.

    Also, boot in Safe Mode with Networking, log on, type: del /s index.dat and reboot.

    Ruler: I am pretty familiar with most of the NT services / registry. Plus I do this a lot.
     
    James, Jul 29, 2004
    #14
  15. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
    ok im not the best with windows XP,but how would i go about in starting up in Safe Mode?
     
    kayslice, Jul 29, 2004
    #15
  16. kayslice

    S Walch MAME 0.64 :) VIP Member

    Joined:
    Jun 2, 2003
    Messages:
    1,026
    Likes Received:
    14
    Location:
    Manchester
    Just after you get past the memory test screen (the first screen that shows when you boot up your PC) Press F8 several times (Just to make sure) and then a screen should come up asking which option you'd like to choose to open up Windows XP with.

    Safe mode is usually on that screen
     
    S Walch, Jul 29, 2004
    #16
  17. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
    can someone help me on some insights of Nvidia,i searched the NFR and a lot of Nvidia files came up,they all seem important. should i like get rid of all of them?
     
    kayslice, Jul 31, 2004
    #17
  18. kayslice

    James Photojournalist

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
    Remove them if you do not have an Nvidia video card. You won't need them.
     
    James, Jul 31, 2004
    #18
  19. kayslice

    kayslice

    Joined:
    Nov 29, 2003
    Messages:
    32
    Likes Received:
    0
    Location:
    ma
    ok i can't seem to get rid of this file on hijack this,it keeps reappearing everytime,the file is:
    O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\SARORC~1\LOCALS~1\Temp\yek.dat

    also do i type the del index.dat in run?
     
    kayslice, Aug 6, 2004
    #19
  20. kayslice

    James Photojournalist

    Joined:
    Dec 24, 2002
    Messages:
    6,662
    Likes Received:
    35
    Boot in Safe mode with Command prompt and type this:

    del /s index.dat
    det /s yek.dat

    Something else could be recreating your yek.dat file.
     
    James, Aug 6, 2004
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.