Hijackthis Log [Please Help]

Discussion in 'Computer Support' started by dbru, Nov 9, 2004.

  1. dbru

    dbru Guest

    Hello, my PC got hit hard with some virus crap. There are several files that
    copied themselves to my desktop and I can't delete them, because it says
    they're read/write only. The files are...

    ploint.exe
    m00.exe.1
    winln.exe
    sipot.exe
    madopew.dll
    vcsystem.exe
    fierm.exe

    I've run the current Ad-Aware, Spybot, About Buster and CWShredder and some
    of those find tons of files, but none seem to take care of the problem, I've
    also run Hijackthis, but don't know which files to delete for sure, I took
    out the ones with the above file names, but some seem to reappear. Please
    help if you can... Here is my log file from Hijackthis... Thank you
    Logfile of HijackThis v1.98.0
    Scan saved at 5:29:56 PM, on 11/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\scagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
    C:\documents and settings\derek brubaker\desktop\vcsystem.exe
    C:\documents and settings\derek brubaker\desktop\winln.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\waqwqm.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
    C:\MyTemp\Misc\HijackThis.exe

    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [rmptrxs] C:\WINDOWS\System32\waqwqm.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
    dbru, Nov 9, 2004
    #1
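
Added example (not part of the original thread, and not HijackThis code): a small Python parser for a HijackThis log pasted through a mail or news client, which re-joins wrapped entries, strips `>` quote markers, and cross-references the file names the poster listed against running processes and O4 autostart entries. The sample log is a constructed excerpt in the layout of the log above with a placeholder user folder; the function names are illustrative, and the script only reports matches, it does not decide which entries are malicious.

```python
import re

# File names the poster listed as undeletable (from the post above).
REPORTED = ["ploint.exe", "m00.exe.1", "winln.exe", "sipot.exe",
            "madopew.dll", "vcsystem.exe", "fierm.exe"]

# Constructed excerpt in the layout of the posted log, including the
# news-client line wrapping; "user" is a placeholder folder name.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\documents and settings\user\desktop\vcsystem.exe
C:\documents and settings\user\desktop\winln.exe
C:\WINDOWS\System32\waqwqm.exe

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} -
C:\WINDOWS\systb.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [rmptrxs] C:\WINDOWS\System32\waqwqm.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Startup: PowerReg Scheduler V3.exe
"""

ENTRY_START = re.compile(r"^([A-Z]\d{1,2}) - ")   # O2, O4, O16, R0, ...
QUOTE_PREFIX = re.compile(r"^(?:>\s?)+")          # "> ", "> > ", ...
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
FILE_NAME = re.compile(r'[^\\/:"*?<>|\[\],]+\.(?:exe|dll|ocx)', re.IGNORECASE)


def parse_log(text):
    """Return running processes and section entries with wrapped lines re-joined."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw.strip()).strip()
        if not line:
            continue  # blank lines also appear in the middle of wrapped entries
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_START.match(line)
        if match:
            in_processes = False
            entries.append([match.group(1), line])
        elif in_processes:
            if DRIVE_PATH.match(line) or not processes:
                processes.append(line)
            else:
                processes[-1] += " " + line   # wrapped process path
        elif entries:
            entries[-1][1] += " " + line      # wrapped section entry
        # anything else is header text before the first section
    return {"processes": processes, "entries": [tuple(e) for e in entries]}


def mentions(name, line):
    """True if `line` contains `name` as a whole file name, ignoring case."""
    pattern = r'(?<![^\\/\s"])' + re.escape(name) + r'(?![\w.])'
    return re.search(pattern, line, re.IGNORECASE) is not None


def cross_reference(parsed, names):
    """Map each reported file name to the log lines that reference it."""
    hits = {name: [] for name in names}
    for name in names:
        for path in parsed["processes"]:
            if mentions(name, path):
                hits[name].append(("running", path))
        for code, text in parsed["entries"]:
            if mentions(name, text):
                hits[name].append((code, text))
    return hits


def running_autostarts(parsed):
    """O4 (startup) entries whose target file name is among the running processes."""
    running = {p.rsplit("\\", 1)[-1].lower() for p in parsed["processes"]}
    found = []
    for code, text in parsed["entries"]:
        if code != "O4":
            continue
        for match in FILE_NAME.finditer(text):
            name = match.group(0).strip().lower()
            if name in running:
                found.append((name, text))
    return found


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for name, where in cross_reference(log, REPORTED).items():
        print(name, "->", where or "not referenced in this log")
    for name, entry in running_autostarts(log):
        print("autostart currently running:", name, "|", entry)
```

A reported file that shows up only under running processes is in use, which is consistent with it not being deletable until the process is stopped, for example after the Safe Mode boot mentioned later in the thread.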

  2. "dbru" <> wrote in message
    news:...

    copy all the shit to a temp dir

    then go into dos and delete em

    use safe mode if you have to.


    --


    PhEaSaNt PLuCKeR
    PhEaSaNt PLuCKeR, Nov 10, 2004
    #2

  3. dbru

    mark mandel Guest

    "dbru" <> wrote in message
    news:...

    Copy this to a PERMANENT folder and then post it over at www.pcguide.com
    where one of the really informed geeks will give you a thorough checkup on
    it.
    mark mandel, Nov 10, 2004
    #3
  4. dbru

    dbru Guest

    Thanks for the suggestions, the only problem I worry about with deleting
    them, is that I have a feeling there are other files in my windows folders
    that need deleting also, but I'm unsure which ones. In the past I thought I
    took care of the problem, but it just kept coming back to haunt me, till I
    found the .exe file hidden deep in a folder and deleted it. Thanks for the
    help. I'm going to keep working...


    "PhEaSaNt PLuCKeR" <> wrote in message
    news:cmrmoo$9fo$...
    >
    > copy all the shit to a temp dir
    >
    > then go into dos and delete em
    >
    > use safe mode if you have to.
    >
    >
    > --
    >
    >
    > PhEaSaNt PLuCKeR
    dbru, Nov 10, 2004
    #4
  5. dbru

    dbru Guest

    Ok, I think I fixed it... Had to boot in Safe Mode to delete the files, then
    run my virus programs to fix it. Seems ok now though. Thanks for the help...


    "dbru" <> wrote in message
    news:...
    > Thanks for the suggestions, the only problem I worry about with deleting
    > them, is that I have a feeling there are other files in my windows folders
    > that need deleting also, but I'm unsure which ones. In the past I thought I
    > took care of the problem, but it just kept coming back to haunt me, till I
    > found the .exe file hidden deep in a folder and deleted it. Thanks for the
    > help. I'm going to keep working...
    >
    >
    > "PhEaSaNt PLuCKeR" <> wrote in message
    > news:cmrmoo$9fo$...
    > >
    > > "dbru" <> wrote in message
    > > news:...
    > >
    > > copy all the shit to a temp dir
    > >
    > > then go into dos and delete em
    > >
    > > use safe mode if you have to.
    > >
    > >
    > > --
    > >
    > >
    > > PhEaSaNt PLuCKeR
    dbru, Nov 10, 2004
    #5
  6. Howdy!

    "dbru" <> wrote in message
    news:...
    > Hello, my PC got hit hard with some virus crap. There are several files that
    > copied themselves to my desktop and I can't delete them, because it says
    > they're read/write only. The files are...


    <snip of some of text>

    > Running processes:


    > C:\documents and settings\derek brubaker\desktop\vcsystem.exe
    > C:\documents and settings\derek brubaker\desktop\winln.exe


    Stop these two.

    Then delete the files.

    General rule: If it's in "Documents and Settings" ANYTHING whack it
    out.

    > C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    > C:\WINDOWS\System32\wuauclt.exe
    > C:\WINDOWS\System32\svchost.exe
    > C:\WINDOWS\System32\waqwqm.exe
    > C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
    > C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe


    Uninstall EbatesMoeMoneyMaker from Add/Remove Programs, then run
    CWShredder in "Safe" mode, followed by Ad-Aware in "Safe" mode followed by
    Spybot in "Safe" mode, followed by HiJackThis and create a new log file, all
    in safe mode.

    <snip others>

    > O4 - HKLM\..\Run: [rmptrxs] C:\WINDOWS\System32\waqwqm.exe
    > O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe


    Again, from Safe mode, kill these from within HiJackThis then delete
    the files themselves.

    The others? I'd google for - there's a metric buttload that I just
    don't recognize.

    RwP
    Ralph Wade Phillips, Nov 10, 2004
    #6
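The triage in the post above (processes running out of "Documents and Settings", plus the O4 Run values that restart a file after it is deleted), applied mechanically to a HijackThis log. This is an added example, not code from anyone in the thread; the function names are hypothetical, and the parser assumes one log entry per line, as in the file HijackThis saves rather than the wrapped quotes here.

```python
import re

# Constructed sample: lines from the log posted in this thread, with the
# e-mail line wrapping undone so that each entry sits on one line.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\documents and settings\derek brubaker\desktop\vcsystem.exe
C:\documents and settings\derek brubaker\desktop\winln.exe
C:\WINDOWS\System32\waqwqm.exe
C:\MyTemp\Misc\HijackThis.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [rmptrxs] C:\WINDOWS\System32\waqwqm.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
"""

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
PROFILE_RE = re.compile(r"^[a-z]:\\documents and settings\\", re.I)

def parse_log(text):
    """Return (running process paths, [(hive, value name, command)])."""
    procs, runs, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:      # blank line ends the process list
            in_procs = False
        elif in_procs:
            procs.append(line)
        else:
            m = RUN_RE.match(line)
            if m:
                runs.append(m.groups())
    return procs, runs

def profile_processes(procs):
    """The rule from the post: images running from a user profile are suspect."""
    return [p for p in procs if PROFILE_RE.match(p)]

def autostarts_for(runs, filenames):
    """Run values that would relaunch any of the named files at next logon."""
    hits = []
    for hive, name, command in runs:
        for fn in filenames:
            pat = r'(?:^|[\\"\s])' + re.escape(fn) + r'(?:$|["\s,])'
            if re.search(pat, command, re.I):
                hits.append((hive, name, fn))
    return hits
```
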
  7. dbru

    Bill P Guest

    You could copy and paste the log here:-

    http://hijackthis.de/index.php?langselect=english

    and follow the instructions.
    Regards
    Bill

    Bill P, Nov 10, 2004
    #7