  1. #1
    Garbage landing again and here is my HJT log again

    Well, thought I was doing good and here we go again. Not even using IE Browser and stuff leaking on my desktop again. Had my whole desktop covered. Wow, too bad I don't have a video to show the mess. Ran my Ad-aware program, virus program and HouseCall as backup to make sure. As I said, I am using Mozilla and it is working great. I put my IE Browser settings on high and security everything on high on it to see if that helps from crap landing on desktop. My Mozilla is catching popups as it has that with the browser. Working real good. Has script, using it. OK, now here is my HJT log, so see what can be removed. I do not have three on here anymore. 1... Hitware popware, I removed but guess still there.
    2.....Stopzilla, removed, still must have files lingering. And no clue to this one, never seen this one before.....3....NViewload hook, whatever that is. Least the first two I don't, third like I said is new and had something land on my desktop earlier today.
    Have questions on any of them, on a program if I have it or not, denote it and I will tell if I do or don't. lol

    Here we go:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:34:56 PM, on 6/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\PROGRA~1\INSTAN~1\Presario\XPHNARS3EN\plugin\bin\pchbutton.exe
    C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    C:\Program Files\Paltalk\pnetaware.exe
    C:\Program Files\hijackthis\hijackthis\HijackThis.exe

    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [defscan_install-r.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\EACDownload\defscan_install-r.exe -k
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\INSTAN~1\Presario\XPHNARS3EN\plugin\bin\pchbutton.exe
    O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite\HitwarePKLite.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
    O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{22B0283A-BE34-44ED-B9FC-A21B10ED62BC}: NameServer = 65.38.224.6 64.63.192.17



    Sandy

  2. #2

    This is going to be up to you to do or not, as Steam's time is going to be limited with us for the next 2 months:

    01 - Host File, like your last log(s), remove them

    The 04 entries pertaining to the programs you want to remove, have HJT fix them.

    Fix all these with all browser windows off, including this one. If these fixes do not hold, repeat with XP system restore off. After you are done remember to turn the restore back on.

    Again you are doing this at your own risk - I am not an expert with HJT

    Cheers

  3. #3
    steamwiz

    Hi

    NViewload hook is legitimate ... leave it.

    Uninstall Wintools from Add\Remove

    Fix these entries in HijackThis ... then you're good to go

    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun

    O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite\HitwarePKLite.exe


    cheers

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  4. #4
    Hopefully fixed now ..lol

    OK, here is a recheck again after the fix. So here is my log again. See if anything else showed up since. Hopefully not.

    Logfile of HijackThis v1.97.7
    Scan saved at 1:36:43 PM, on 6/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\PROGRA~1\INSTAN~1\Presario\XPHNARS3EN\plugin\bin\pchbutton.exe
    C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    C:\Program Files\hijackthis\hijackthis\HijackThis.exe

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [defscan_install-r.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\EACDownload\defscan_install-r.exe -k
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\INSTAN~1\Presario\XPHNARS3EN\plugin\bin\pchbutton.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{22B0283A-BE34-44ED-B9FC-A21B10ED62BC}: NameServer = 65.38.224.6 64.63.192.17


    Also while here, I ran my avast 4 virus program and it came up with 46 items at the end, so I did a remove on all those items. In it I noticed vbouncer and some other weird stuff. I tried to highlight it and paste the info but could not copy, so I just hit delete to clear all out. Ran virus program again and nothing showed. So maybe my problem is solved. I know it won't last long. I bet in a week's time I'll be back here again. lol

    Sandy

  5. #5
    steamwiz

    Hi

    Did you fix these?

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    These are search hijackers....

    Click the link in RED at the bottom of my post ... and maybe you won't be back for a long time.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
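
Comparing the two HijackThis logs posted above shows which fixes held and which entries came back. The following is an added example, not part of the original thread; the log excerpts are trimmed copies of lines from the 6/27 and 6/28 logs, and the function names are hypothetical.

```python
import re

# Excerpts copied from the two HijackThis logs posted in this thread
# (6/27/2004 and 6/28/2004), trimmed to a few lines for the example.
LOG_BEFORE = r"""
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite\HitwarePKLite.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""
LOG_AFTER = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""

# A HijackThis entry line is "<section code> - <body>", e.g. "O1 - Hosts: ...".
# Header and "Running processes" lines do not match and are skipped.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    """Return the set of (section, body) pairs found in a log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def diff_logs(before, after):
    """Order-insensitive diff: the same entries may be listed in a different order."""
    b, a = parse_entries(before), parse_entries(after)
    return {"removed": b - a, "persisted": b & a, "added": a - b}

def persisted_in(section, before, after):
    """Bodies of entries in one section that survived the fix attempt."""
    kept = diff_logs(before, after)["persisted"]
    return sorted(body for sec, body in kept if sec == section)

if __name__ == "__main__":
    result = diff_logs(LOG_BEFORE, LOG_AFTER)
    for status in ("removed", "persisted", "added"):
        for sec, body in sorted(result[status]):
            print(f"{status:9} {sec:3} {body}")
```

On these excerpts the three O4 startup entries are reported as removed, while all three O1 hosts redirections are reported as persisted even though the second log lists them in a different order.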

  6. #6
    Would not let me remove it

    Steamwiz, those three remaining would not go, would not let me remove it. A message came up and said it cannot be removed as part of the program will not run properly. That is what it said. So there you go.
    I read that link in red about four times. So, if you guys here are not in the mood to help people, then I go elsewhere.

    You seemed steamed steamwiz. lol

    I am using all the protection that can be on the puter, how much more do I need on it, so if junk lands again it happens and I come back for a check again.

    So we'll see how long before it all appears again. Least be nice if it goes a month at least. haha

    So you can lock this, or keep it open for a few days or I can just do a new one. Leave it up to you guys. But for now it seems like it is ok again. That is what I said last time. Right!!!

    Anyways thanks for your help once again.... Sandy

  7. #7
    whoozhe (Help2Go Moderator)

    C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe

    Backweb can be exploited by flooding a system with ads. Ad removers tend to leave it alone. I suggest you remove it.
    I also recommend that, apart from anti virus (except Norton and McAfee) and firewall, you prevent any auto updates.

    The easiest way to disable the program is to rename it, e.g. from backweb.exe to backweb.ex_ . Note that if the program is used for a legitimate or wanted purpose (such as automatic software updating or displaying news, etc.), these will no longer happen automatically.

    If you are sure you don't need it for anything, find and delete the BackWeb folder, normally in (your windows drive):\Program Files.

    * backweb removal step 1: Terminate DLGLI.EXE using Windows' End Task (CTRL-ALT-DEL) dialogue. It may show up as "Downloading Software..." or "Resuming Downloading of Software..."

    * backweb removal step 2: Use Find to locate DLGLI.EXE (WD Data Lifeline BackWeb Lite Installer) and delete it.

    * backweb removal step 3: Locate Iadhide3.dll and delete it.

    * backweb removal step 4: (Optional) Remove the entry from the StartUp folder.


    As for:
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    These need editing the registry.

    Go to:
    http://www.trendmicro.com/vinfo/viru...=TROJ_QHOSTS.A
    and follow the manual instructions.
    Take control of your life. Leave others to control their own.

  8. #8
    steamwiz

    Quote....
    I read that link in red about four times. So, if you guys here are not in mood to help people, then I go elsewhere.

    You seemed steamed steamwiz. lol

    I am using all the protection can be on puter, how much more do I need on it, so if junk lands again it happens and I come back for a check again.

    ------
    I'd just like to point out that I spend up to 6 hours a day here...helping people like you for FREE

    I am often up until 3am ... you may have read the link in RED 4 times ... but did any of it sink in?

    Are you running spywareblaster ... NO

    Are you running spywareguard ... NO

    If you are not prepared to help yourself, then please feel free to go elsewhere.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  9. #9
    Canuck (Help2Go Administrator)

    srb448, I think you get the message, if you're not willing to help yourself, please do not take up valuable time of our volunteers who are so dedicated. Perhaps if you would like to try another site and see what kind of assistance you get you may come to realize the kindness, generosity and knowledge of our members.

    I see no point in continuing this thread, it is now locked. Please think twice srb448 before you post again, if you do, and if you want help, you have also got to be willing to help yourself too ... we cannot, nor will we give you support unless you agree to this.