Unwanted programs



By mattcmom on Monday, September 29, 2003 - 11:40 pm:

Hi,

I have a problem with my computer where I cannot get anything to work, cannot even get anything to load, etc. I will hit cntl, alt, delete and all these programs will come up, (Rundl 32, Rundl 16, and others) that once I hit end task on them, everything works ok for a few, then it starts again. The thing is, I don't even know what many of these programs are, and cannot find them on the add/remove program list in order to get rid of them. Even some that are on there and I have removed, just keep coming back.

Any advice?

Thanks,
Tracy
http://www.greatestkidsbooks.com
Enter our drawing for $50 in FREE books.
Sign up for our Kid's Education First newsletter!
Get your holiday shopping done on line, not standing in line!

By dreuby on Tuesday, September 30, 2003 - 12:42 pm:

Have you installed any new programs or hardware?

Do you get any error messages? rundll are part of the Windows operating system. One cause may be that they've been corrupted by a virus. Do you have a virus checker, and is it updated?

By mattcmom on Tuesday, September 30, 2003 - 08:26 pm:

Yes, I have a virus checker, it says there is no virus, but I know there must be. I am at a loss.
Thanks,
Tracy
http://www.greatestkidsbooks.com
Enter our drawing for $50 in FREE books.
Sign up for our Kid's Education First newsletter!
Get your holiday shopping done on line, not standing in line!

By jgvernonco on Thursday, October 02, 2003 - 12:07 am:

Can you get to the internet? (In other words, do you think that you can download programs?)

By mattcmom on Thursday, October 02, 2003 - 10:32 pm:

Yes, it takes a while, but I can get to the internet and download something.
Tracy

By jgvernonco on Friday, October 03, 2003 - 04:56 am:

Please go to the link below, download Spybot, search, then have it fix everything in red:

http://www.safer-networking.org/index.php?lang=en&page=download

Then, go to the link below, download HiJack This. Run a scan and then copy and paste the log right here and we'll have a look at it.

http://www.tomcoyote.org/hjt/

There are a large number of baddies out there right now that many of our AC programs are still missing (as they become more and more clever).

By mattcmom on Saturday, October 04, 2003 - 12:26 am:

Thank you!

Ok, it took forever, but here is the log: (I have to split it into separate messages per the board regs)

Logfile of HijackThis v1.97.2
Scan saved at 8:21:28 PM, on 10/3/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE

By mattcmom on Saturday, October 04, 2003 - 12:27 am:

C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\CHECKIT.EXE
C:\WINDOWS\SYSTEM\NSSYS32.EXE
C:\PROGRAM FILES\MEDIA\MEDIA\UPDATESTATS.EXE
C:\WINDOWS\UPTODATE.EXE
C:\WINDOWS\CSRSS.EXE
C:\WINDOWS\SYSTEM32\SERVICE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\MY DOCUMENTS\WEBSITE TOOLS\SDPHOTOBAR.EXE
C:\PROGRAM FILES\CLOCKSYNC\SYNC.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\TCPIP32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\KCT7C6S.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\CLRSCHP030.EXE
C:\PROGRAM FILES\POP\POPSRV205.EXE
C:\PROGRAM FILES\POP\SYSMONO.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\AKTB238.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE

By mattcmom on Saturday, October 04, 2003 - 12:30 am:

C:\WINDOWS\RUNDLL16.EXE
C:\PROGRAM FILES\ALSET\HELPEXPRESS\DAVE\HXIUL.EXE
C:\PROGRAM FILES\ALSET\HELPEXPRESS\DAVE\CLIENT\HELPEXP.EXE
C:\PROGRAM FILES\ALSET\HELPEXPRESS\DAVE\CLIENT\PRINTMONITOR.EXE
C:\WINDOWS\EMSW.EXE
C:\WINDOWS\WJVIEW.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COUPONSANDOFFERS\COUPONSANDOFFERS.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

By mattcmom on Saturday, October 04, 2003 - 12:31 am:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.companion.yahoo.com/slv/ycheck/as/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.companion.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s

By mattcmom on Saturday, October 04, 2003 - 12:32 am:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
F1 - win.ini: run=hpfsched
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_1_0.DLL

By mattcmom on Saturday, October 04, 2003 - 12:34 am:

O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
O2 - BHO: (no name) - {629F8500-D407-11D7-9ABA-000AE6299DB1} - C:\WINDOWS\SYSTEM\WEBCHECWK.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL
O2 - BHO: (no name) - {90018660-E537-11D7-9ABA-000AE6299DB1} - C:\WINDOWS\SYSTEM\DCLUSALGO.DLL
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\PROGRAM FILES\KONTIKI\BIN\BH304181.DLL (file missing)

By mattcmom on Saturday, October 04, 2003 - 12:36 am:

O2 - BHO: (no name) - {BD51AEC6-7991-4A60-94D6-D5FEBB655D10} - C:\WINDOWS\SYSTEM\IEMSG.DLL
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\RUNDLL16.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\PROGRAM FILES\NAVEXCEL\NAVHELPER\V2.0.4\NHELPER.DLL
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL

By mattcmom on Saturday, October 04, 2003 - 12:37 am:

O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - C:\PROGRAM FILES\POP\POP205.DLL
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL
O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\BS3.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_1_0.DLL
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
O3 - Toolbar: (no name) - {6805F740-D407-11D7-9ABA-000AE6299DB1} - (no file)
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\TOOLBAR\PWRSWMDA.DLL

By mattcmom on Saturday, October 04, 2003 - 12:37 am:

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &POP - {645FD3BC-C314-4F7A-9D2E-64D62A0FDD78} - C:\PROGRAM FILES\POP\POP205.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Checkit] C:\WINDOWS\checkit.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [nsdriver] C:\WINDOWS\SYSTEM\nssys32.exe
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe

By mattcmom on Saturday, October 04, 2003 - 12:39 am:

O4 - HKLM\..\Run: [5HXXK#225S6G9Y] C:\WINDOWS\SYSTEM\Rat192cR.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
O4 - HKLM\..\Run: [CharityBuy IE Plugin] C:\WINDOWS\CHARITYBUY
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [CSRSS] C:\WINDOWS\CSRSS.EXE
O4 - HKLM\..\Run: [service.exe] C:\WINDOWS\system32\service.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [SpeedUpMyPC] C:\PROGRAM FILES\LIUTILITIES\SPEEDUPMYPC\SPEEDUPMYPC.EXE traybar
O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\BS3.DLL,DllRun
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\RUNDLL16.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe

By mattcmom on Saturday, October 04, 2003 - 12:40 am:

O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [POP] C:\PROGRAM FILES\POP\POPSRV205.EXE
O4 - HKLM\..\Run: [AutoUpdater] c:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SDPhotoBar.exe] C:\MYDOCU~1\WEBSIT~1\SDPhotoBar.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

By mattcmom on Saturday, October 04, 2003 - 12:41 am:

O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\dave\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\dave\Client\HelpExp.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\SYSTEM\Tools\LostRun.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Reboot.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

By mattcmom on Saturday, October 04, 2003 - 12:42 am:

O8 - Extra context menu item: Get It With Kontiki - res://C:\PROGRAM FILES\KONTIKI\BIN\BH304181.DLL/201
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Sidesearch (HKLM)

By mattcmom on Saturday, October 04, 2003 - 12:43 am:

O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://site.chatspace.com:8088/Java/cs4ms090.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab

By mattcmom on Saturday, October 04, 2003 - 12:43 am:

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw14fd.law14.hotmail.msn.com/activex/HMAtchmt.ocx

By mattcmom on Saturday, October 04, 2003 - 12:44 am:

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1050316770360
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipping.net/fvlite/fvliteY.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://di.imgag.com/imgag/cp/install/AxCtp.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab

By mattcmom on Saturday, October 04, 2003 - 12:45 am:

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://63.236.66.10/em/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

By mattcmom on Saturday, October 04, 2003 - 12:46 am:

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19119/flash.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install008.exe

By jgvernonco on Sunday, October 05, 2003 - 06:56 pm:

I almost gave up, but I think that it is important for all newbies to know that the big bad boys are out there, and security, while it can be quite simple, may not be as simple as everyone thinks.

Your computer is LOADED with Trojans, dialer programs, browser helper objects that can be used to take over your computer, etc, etc.

I am going to post the things I found, which can be checked on the HJT log and HJT told to fix them.

There are three running processes that I cannot find anything about. If you recognize them, leave them. If not, have HJT fix them, as well.

After I have posted the entries that need repair, I am also going to post some links providing information on a few things that I found. I will then post links to some important, and easy to use tools that will help keep your computers from being invaded like this.

Here we go!

By jgvernonco on Sunday, October 05, 2003 - 06:59 pm:

C:\WINDOWS\UPTODATE.EXE ("Browser Aid")
C:\WINDOWS\SYSTEM32\SERVICE.EXE
C:\WINDOWS\SYSTEM\KCT7C6S.EXE (do you recognize this?)
C:\CLRSCHP030.EXE (do you recognize this?)
C:\WINDOWS\SYSTEM\AKTB238.EXE (do you recognize this?)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.companion.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
F1 - win.ini: run=hpfsched

By jgvernonco on Sunday, October 05, 2003 - 07:02 pm:

O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_1_0.DLL

O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL (Another "Browser Aid")

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL (bad spyware)

O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL (bad spyware)

By jgvernonco on Sunday, October 05, 2003 - 07:03 pm:

O2 - BHO: (no name) - {90018660-E537-11D7-9ABA-000AE6299DB1} - C:\WINDOWS\SYSTEM\DCLUSALGO.DLL

O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\PROGRAM FILES\KONTIKI\BIN\BH304181.DLL (file missing)

O2 - BHO: (no name) - {BD51AEC6-7991-4A60-94D6-D5FEBB655D10} - C:\WINDOWS\SYSTEM\IEMSG.DLL

O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\RUNDLL16.DLL

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL

O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - C:\PROGRAM FILES\POP\POP205.DLL

By jgvernonco on Sunday, October 05, 2003 - 07:04 pm:

O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL

O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\BS3.DLL

O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\SYSTEM\STLBDIST.DLL

O3 - Toolbar: (no name) - {6805F740-D407-11D7-9ABA-000AE6299DB1} - (no file)

O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\TOOLBAR\PWRSWMDA.DLL

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O3 - Toolbar: &POP - {645FD3BC-C314-4F7A-9D2E-64D62A0FDD78} - C:\PROGRAM FILES\POP\POP205.DLL

By jgvernonco on Sunday, October 05, 2003 - 07:05 pm:

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe

O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe

O4 - HKLM\..\Run: [service.exe] C:\WINDOWS\system32\service.exe

O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q

O4 - HKLM\..\RunOnce: [Execute]

By jgvernonco on Sunday, October 05, 2003 - 07:08 pm:

I am not guaranteeing that I got everything...I got pretty tired there.

How did you get all this stuff? Well, you very innocently went to web sites that you thought would be helpful, and you were tricked! You know, that could happen to me, or Joe Robson, or anybody else. (In fact, I boldly go to some of these sites to research them when I help other folks, so I have got to be pretty sure that I'm "buttoned up", or I'll get all the junk).

By jgvernonco on Sunday, October 05, 2003 - 07:16 pm:

To prevent a lot of this, you must have a good firewall. I use Zone Alarm (free), available here:

http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

You need an antivirus program; a good free one is available here:

http://www.nod32.com/home/home.htm

Please, remember to patch! If all else fails, a patched computer is more resistant to infection.

By jgvernonco on Sunday, October 05, 2003 - 07:19 pm:

I have been running "spyware killers" for quite some time. A while back, I heard about SpywareBlaster from a good source, and started using it. Now, when I have my "killers" search for spyware, I usually come up with nothing! All it takes to use this program is to remember to look for updates every week or so, and tell it to immunize against the new files. You can get it here:

http://www.javacoolsoftware.com/spywareblaster.html

By jgvernonco on Sunday, October 05, 2003 - 07:24 pm:

I still recommend (and use) both of the most popular spyware killers, Adaware http://www.lavasoftusa.com/
and Spybot S&D http://www.safer-networking.org/index.php?lang=en&page=download.

If you run an HJT scan and see a million 04's, the first thing that you should do is run BHODemon http://www.spywareinfo.com/downloads/bhod/ .

By jgvernonco on Sunday, October 05, 2003 - 07:29 pm:

mattcmom, you can run HJT, carefully check everything listed and tell HJT to fix it. Please make sure all browser windows are closed before you do this. Reboot.

Some of these things may reinstall after rebooting, and going after the program files can be daunting.

You already have Spybot, but I encourage you to run Adaware, as well. After you download it, run the update function before you scan, then scan and fix everything found.

By jgvernonco on Sunday, October 05, 2003 - 07:32 pm:

Please feel free to post another HJT log, and I'll see if we got everything.

If anyone else reading this is thinking about posting a HJT log, please download and run Spybot, Adaware and BHODemon before creating and posting a log. My eyes are not what they used to be, so letting the technology do a lot of the cleanup would be very helpful.

Good hunting!

By jgvernonco on Sunday, October 05, 2003 - 08:44 pm:

One more thing. I forgot to post a couple of links describing some of the stuff I found. In this case, 4 of the entries were all about this family of adware:

http://www.doxdesk.com/parasite/BrowserAid.html

I, unfortunately, failed to save several other sites, but I hope that this gives you the idea.
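
Added example, not part of the original thread and not HijackThis's own code: a small triage pass over entries copied from the log above, showing which DLLs are registered at more than one browser extension point, which Hosts entries redirect to a non-loopback address, and which registrations point at a missing file. The function names `parse` and `triage` and the result keys are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Excerpt copied from the HijackThis v1.97.2 log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\PROGRAM FILES\KONTIKI\BIN\BH304181.DLL (file missing)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - C:\PROGRAM FILES\POP\POP205.DLL
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &POP - {645FD3BC-C314-4F7A-9D2E-64D62A0FDD78} - C:\PROGRAM FILES\POP\POP205.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [POP] C:\PROGRAM FILES\POP\POPSRV205.EXE
"""

# Every entry line is "<code> - <body>": R* = IE search/start settings,
# F* = ini autoloads, O1 = Hosts file, O2 = BHO, O3 = toolbar, O4 = autorun.
ENTRY = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
HOSTS = re.compile(r"^Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+)$")
# R3/O2/O3 bodies share one shape: "<kind>: <name> - {CLSID} - <path>".
COMPONENT = re.compile(
    r"^(?P<kind>URLSearchHook|BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$")


def parse(log_text):
    """Return (code, body) for every HijackThis entry line; skip headers."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def triage(log_text):
    """Group entries into review hints. These are pointers, not verdicts."""
    hosts_by_ip = defaultdict(list)    # O1: target IP -> redirected hostnames
    hooks_by_path = defaultdict(set)   # DLL path -> section codes that load it
    orphaned = []                      # registrations whose file is gone
    for code, body in parse(log_text):
        h = HOSTS.match(body)
        if code == "O1" and h:
            hosts_by_ip[h["ip"]].append(h["host"])
            continue
        c = COMPONENT.match(body)
        if not c:
            continue                   # e.g. O4 autoruns: parsed, not grouped here
        path = c["path"].upper()       # Win9x paths are case-insensitive
        if c["missing"] or path == "(NO FILE)":
            orphaned.append((code, c["clsid"]))
        else:
            hooks_by_path[path].add(code)
    return {
        # Hosts entries that send a name somewhere other than loopback.
        "hosts_redirects": {ip: names for ip, names in hosts_by_ip.items()
                            if not ip.startswith("127.")},
        # One DLL hooked into IE through several sections at once.
        "multi_hook": {p: sorted(codes) for p, codes in hooks_by_path.items()
                       if len(codes) > 1},
        "orphaned": orphaned,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

A path listed under `multi_hook` appears on several log lines, so each of those lines needs to be checked in HijackThis; paths are compared as written, so an 8.3 short name and its long form are not matched to each other.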

By mattcmom on Saturday, October 11, 2003 - 04:03 pm:

Wow! Thank you so much! I am really sorry, I didn't realize how much work this would be for you. I don't even know what any of that is, so I didn't realize it would be so difficult. I cannot thank you enough! You are very thoughtful for doing all this.
Thanks again,
Tracy

By jgvernonco on Saturday, October 11, 2003 - 10:52 pm:

It was my pleasure :-)

By Anonymous on Tuesday, January 04, 2005 - 12:22 am:

The guy above is right, you definitely need a firewall, anymore there are a lot of PCs that are sending this crap directly to yours, and if you have no firewall, your PC automatically accepts. After you install a firewall, just look at your logs and you will see what I mean.

By Robert on Saturday, September 10, 2005 - 09:57 pm:

How do you get rid of nkvd.us?

By dreuby on Tuesday, September 13, 2005 - 09:57 pm:

You could try CWShredder:
http://www.intermute.com/spysubtract/cwshredder_download.html

Or take a look at
http://www.spywareinfo.com/downloads.php?cat=sp#det

