spyware hijack this log
illumina
02-01-2004, 03:48 PM
Logfile of HijackThis v1.97.7
Scan saved at 3:45:52 PM, on 2/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WarpSpeeder\BSTrayicon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\michael\Desktop\desktop files\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ecmh.com/searchbar.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: lhssooloaou - {857738b4-3b44-408c-a2ec-32dbcdcf7a33} - C:\DOCUME~1\michael\APPLIC~1\ezievqoutr.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [rqouz] C:\DOCUME~1\michael\APPLIC~1\crgrfhsr.exe -QuieT
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - HKLM\..\RunServices: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: raid_tool.exe.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WarpSpeeder Tray Icon.lnk = ?
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19374379534fa9318903/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
I should tell you that I did away with the SmartSearch stuff already, with no problems to my PC that I know of. But I still can't seem to get to some of the security pages. Thanks for your time.
Budfred
02-01-2004, 04:41 PM
First thing: Please do not start a new thread for the same problem. I remember your other thread, but otherwise I wouldn't have a clue what you were referring to.
Then, did you run the tool I posted for you in the other thread?? If you did, it should have made it possible for you to access other security programs. We will try to clean it up as is, but please run that tool if you haven't already.
Next, close all open windows and your browser, run HJT and mark these items to be fixed:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ecmh.com/searchbar.html
O3 - Toolbar: lhssooloaou - {857738b4-3b44-408c-a2ec-32dbcdcf7a33} - C:\DOCUME~1\michael\APPLIC~1\ezievqoutr.dll
O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\Run: [rqouz] C:\DOCUME~1\michael\APPLIC~1\crgrfhsr.exe -QuieT
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - HKLM\..\RunServices: [UserSystem] C:\Windows\iexplorer.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19374379534fa9...ip/RdxIE601.cab
You have installed Spykiller. This program is useless at best and may even be harmful. I recommend fixing this and then uninstalling the program:
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
Then reboot into Safe Mode and find/delete these. On the second one, you will probably need to delete the whole folder:
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
Now reboot again, run HJT, open your browser and post the new log here so we can see if there is any more to clean up...
Paleo Pete
02-02-2004, 02:11 AM
Budfred:
Just to let you know, I just ran a search for Spykiller on google, the first 10 pages of results turned up a zillion download pages claiming it to be the #1 spyware app on the net, (so why haven't I heard of it before and why isn't it constantly recommended here on the forums??? HMMM???) and two links to another forum both related to problems with it eating system resources, causing instability and "phoning home".
So, I'm assuming you're correct in suspecting it to be bogus, if it was legit I would think it would be well known to the folks here and consistently recommended same as Adaware, Spybot and HJT.
The only times I've seen it mentioned were on a couple of threads here, and I think it was you who suspected it to be bogus in the other thread(s). I can't prove it so far, but I think you're correct. I think it's a bogus so-called spyware detector designed to do the exact opposite...in other words it's spyware itself, or I think it is.
And where is the other thread relating to this problem? A link would be nice... :D
shanmuga
02-02-2004, 03:16 AM
@Paleo Pete, There are no real reasons to use paid software like SpyKiller when much more efficient freeware like Spybot S&D and the free version of Ad-Aware are available. Some of those programs will give false positives just to get a user to buy them. They make people pay to delete the things the free version finds, and are not much good either. These are not malware, just crapware. This particular software is not alone:
SpywareNuker
BPS Spyware Remover
SpyGone
Online PC-Fix SpyFerret....
All above have stolen some part of Spybot s & d in one way or another....
Info at http://www.safer-networking.org/index.php?page=news&detail=2003-08-05
http://www.safer-networking.org/index.php?page=news&detail=2003-07-19
Some more suspicious spyware remover software
TZ Spyware-Adware Remover (Removed by AdAware as a target now)
SpyBan
SpyBlast
SpyHunter
malcore
02-02-2004, 04:48 AM
Hehe...
Just went to the homepage for spykiller. Here's a snippet from how they describe spyware:
SpyWare is installed "piggy backed" along with popular programs such as KaZaA, GrokSter, iMesh, Opera and others.
Opera installs spyware?? :eek:
The name of the company producing this soft*crap*ware is called, get this : SwankSoft. :p :rolleyes:
shanmuga
02-02-2004, 05:30 AM
Opera does not install spyware, but it has a free version that displays adverts and a paid-for version that doesn't. Opera is very upfront about this; however, much advertising-supported software isn't. You need to be aware of exactly what is being installed and what it will do. It's better to read the license agreement and privacy statement for any adware carefully before installing.
This is what opera has to say,
"The webmasters of some spyware sites appear to have changed the definition of spyware to include adware, but adware does not necessarily spy on the user. The Opera browser does not monitor your surfing habits, and it does not gather information about you or your system. You can voluntarily use Opera's ad preferences to receive targeted ads, but you have to enter this information manually in Opera's Preferences. This information cannot be traced back to you."
Is Opera spyware? (http://www.opera.com/support/search/supsearch.dml?index=453)
Spyware or Adware, I personally use Firebird :)
Paleo Pete
02-02-2004, 09:37 AM
These are not malware, just crapware
Sorry, but I must disagree on this one. I've seen mention of Spykiller only two or three times, each time in relation to problems caused by it. Each time it is suspected to be the root of the problem, "phoning home", causing instability...That adds up to malware in my book.
If it were simply a rip-off of Spybot or Adaware, and would function properly without causing trouble, that might be a different story, but as is, it seems to belong in the same category as CoolWebSearch, Xupiter Toolbar, Gator...
To repeat my original comments, this hasn't been proven, I only suspect it. I haven't found anything definite yet, and haven't/won't have time to dig for info this morning...But I do strongly suspect Spykiller is not only bogus, but the source of a number of problems. We'll see...
My investigation of "'Killer" crawled to a dead end when it wouldn't install for me...so I don't have any packet traces of what it sends.
But it looks, walks and sounds like a duck....
Back to the original log...
This also needs to be removed.
O4 - HKLM\..\RunServices: [UserSystem] C:\Windows\iexplorer.exe = the correct path for IE is NOT the Windows folder; it belongs in Program Files. You have a trojan.
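Budfred's fix list and Paleo Pete's point that a real iexplore.exe does not live in C:\Windows are both path-based judgements. As an added example (not code from the thread or from HijackThis), this Python script applies the same kind of checks to lines in the log format posted above; the expected-directory table and the search-host allowlist are assumptions for the example, and the sample lines are copied from the first log.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the HijackThis log above (entries taken from that log).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ecmh.com/searchbar.html
O3 - Toolbar: lhssooloaou - {857738b4-3b44-408c-a2ec-32dbcdcf7a33} - C:\DOCUME~1\michael\APPLIC~1\ezievqoutr.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [rqouz] C:\DOCUME~1\michael\APPLIC~1\crgrfhsr.exe -QuieT
O4 - HKLM\..\Run: [UserSystem] C:\Windows\iexplorer.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19374379534fa9318903/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Binaries whose names get imitated, with the folder they are expected to live in (assumption).
EXPECTED_HOME = {"iexplore": r"program files\internet explorer"}
# Hosts an IE search setting may legitimately point at (assumption; extend per environment).
SEARCH_ALLOW = ("microsoft.com", "msn.com")

PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|ocx|cpl))\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def check_line(line):
    """Return the reasons this HJT line deserves a closer look (empty list = nothing noticed)."""
    reasons = []
    kind = line.split(" ", 1)[0]  # "R0", "O3", "O4", "O16", ...
    m = PATH_RE.search(line)
    if m:
        path = m.group(1)
        folder, _, fname = path.lower().rpartition("\\")
        stem = fname.rsplit(".", 1)[0]
        # Autostart or toolbar code living under the user's profile (APPLIC~1 / Application Data).
        if "applic~1" in folder or "application data" in folder:
            reasons.append("loads from user Application Data: " + path)
        # A name that imitates a known binary (iexplorer.exe) but sits outside its real home.
        for known, home in EXPECTED_HOME.items():
            if stem.startswith(known) and home not in folder:
                reasons.append(f"looks like {known} but is not in {home}: " + path)
    u = URL_RE.search(line)
    if u:
        host = (urlparse(u.group(0)).hostname or "").lower()
        if kind == "O16" and IP_HOST_RE.match(host):
            reasons.append("ActiveX download from a bare IP address: " + host)
        if kind in ("R0", "R1") and not host.endswith(SEARCH_ALLOW):
            reasons.append("search setting points at an unexpected host: " + host)
    return reasons


def triage(log_text):
    """Map every flagged log line to the list of reasons it was flagged."""
    return {ln: r for ln in log_text.splitlines() if ln.strip() and (r := check_line(ln))}


if __name__ == "__main__":
    for ln, why in triage(SAMPLE_LOG).items():
        print(ln, "\n   ->", "; ".join(why))
```

The five lines it flags on the sample are exactly the ones Budfred and Paleo Pete singled out; ccApp.exe and the Macromedia cab pass, as they did in the thread.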
illumina
02-02-2004, 07:48 PM
Thanks folks for the help. The only thing is that I still can't seem to go to some of the links that Budfred sent (security pages for various spyware removal). I realized that the SpyKiller program was bull the second I got a hold of it. I got rid of it soon after.
Budfred
02-02-2004, 10:05 PM
Okay, this is your original thread:
http://www.pcguide.com/vb/showthread.php?s=&threadid=27640
Did you run the SmartSearch program I linked to?? Here is the link again in case you didn't:
http://www.safer-networking.org/files/delcwssk.zip
Please be VERY clear about what you have or haven't done from the suggestions given....
illumina
02-07-2004, 12:26 AM
Thanks for all the help folks, everything seems to be in good order now. I'll be sure to bother you some more if I need to.
Budfred
02-07-2004, 12:28 AM
Glad to hear that it is working well, but it would really be helpful to find out how you got there. It may help someone else with a similar problem if you can say how you fixed it....
illumina
02-07-2004, 12:48 AM
Logfile of HijackThis v1.97.7
Scan saved at 12:46:24 AM, on 2/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\michael\Desktop\desktop files\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Sorry, I forgot to give the new log; see what should be done from here. But the little bot is gone as far as I know.
Budfred
02-07-2004, 01:22 AM
It looks like you only have one more little bit of garbage there. Close all open windows and your browser, open HJT and mark this to fix, then fix it:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
I couldn't find much detail about this, but it appears to be legit. If it isn't familiar, you may want to fix it:
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
You could also safely remove the Realplayer junk and your system would probably run a little better, but it isn't considered malware....
How did you get it cleaned up to this point since your earlier post said you were stuck???
illumina
02-07-2004, 01:42 AM
I used the link you gave me to get the shredder, and I ran that along with the HJT scan, and did as you said about the things to delete from the HJT log. As for some of the other links, those still show up as unavailable, so I guess I didn't fix that one. However, my web browser is mine again and there are no more interruptions from that bot or whatever it was that I had. Anything that you can help with about the unavailable pages would be of help, though, so I KNOW for sure that I'm 100%. Thanks.
Budfred
02-07-2004, 02:18 AM
I am not seeing anything else in your log that would cause a problem if you cleaned up those last things. Now that you can access security programs again, you may want to run one of the online virus scans to see if they pick anything up. You could also use HJT to run a Startup List and post that here, but I am not familiar enough with that to be much help, so others will probably need to chime in if there is anything bad there....
illumina
02-07-2004, 02:23 AM
C:\WINDOWS\System32\RunDll32.exe
This file you said to delete; I'm now having some trouble with my desktop properties and I cannot access my screensaver and stuff like it. Please help me out on this, I needed that file.
Budfred
02-07-2004, 09:14 AM
If you haven't cleared your Recycle Bin, you can simply go there, Right click the file and choose to Restore it.
If you have cleared your Bin, you can run a Repair Install (http://www.michaelstevenstech.com/XPrepairinstall.htm) to fix it. I am not convinced that this is the file you need, so a Repair Install may be the better way to go to fix any issues you have left over.
BTW, what was the story on this file? I have seen it on another HJT log today and I would like to know if it is really legit:
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
illumina
02-07-2004, 02:42 PM
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
As far as this file is concerned, I have no idea what it was. I do know that when I got rid of it no ill effects took place. As for the rundll32 file, I reinstalled my XP to get it back; I am guessing it was a file that was needed for XP.
illumina
02-07-2004, 02:52 PM
I have checked my PC for the file vttimer.exe, and it seems to be part of the graphics set for my PC. The company name is S3 Graphics Inc. I will look into this some more and post it here.
Budfred
02-07-2004, 03:31 PM
Did you do a Repair Install or a complete reinstall?? They are similar, but the complete reinstall seems a bit more drastic...
That VTTimer sounds legit. Thanks for checking...:)
illumina
02-07-2004, 03:35 PM
I did the complete reinstall because I didn't get your reply last night (I went offline before I read any new posts). I guess it was a bit of a panic, that is why I went all out on that one, but I'll keep the repair install in mind next time. Thanks for the reply.