Jump to content

Recommended Posts

When I opened my e-mail tonight, a trojan downloaded itself on my computer without me having done a single thing. AVG let me know about it, but it didn't stop it from downloading.


The ONLY thing I had in my e-mail that was new was a notification from TCH about a new PM I had. It was a spam PM from some idiot named pinkwaves968 or something that made no sense.


Now, I don't know how this happened, but right now all I care about is getting rid of this trojan. I ran AVG immediately which found it and quarantined it. I deleted it from the quarantined folder.


Then I ran Spybot and AdAware. However, things are still popping up on my desktop. I did some Google research and evidentally there are things I need to clean up in the registry but I'm not sure what. I downloaded Hijack This and was wondering if anyone here is knowledgeable enough to tell me what needs to be fixed? Here is my file:


Logfile of HijackThis v1.98.2

Scan saved at 9:07:48 PM, on 10/16/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:











C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe


C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe



C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe


C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE



C:\Program Files\Macromedia\Dreamweaver 4\Dreamweaver.exe



C:\Documents and Settings\All Users\Desktop\Pictures\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.totalchoicehosting.com/forums/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

F3 - REG:win.ini: run=C:\WINDOWS\cross\RESET.EXE

O2 - BHO: Var1Helper Class - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe


O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe

O4 - HKLM\..\Run: [lwb] C:\WINDOWS\lwb.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [Computer Alarm Clock] C:\PROGRA~1\COMPUT~1\cac.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Picture Package VCD Maker.lnk = ?

O4 - Global Startup: Picture Package Menu.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim95\aim.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: Win32 Classes -

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab


Any help you can provide is greatly appreciated. I'm more than a little upset at AVG for not stopping it before it downloaded, but I guess I need to tighten my settings in Outlook and just turn them off when someone needs to legitimately send me a file.


Thanks everyone!



Link to post
Share on other sites



I've been going over all of this info for the past hour. I did a search in my registry for that key and didn't find it, and I also didn't find the subfolders mentioned in the first link you sent. Is it possible that I got this cleaned up fast enough that it didn't create these?


I'm confused and concerned now. I can't seem to find other indications of infection, but I'm so paranoid now that I need to be SURE that my logs aren't being sent out.


It takes a special kind of inhuman slimeball to create things like this where someone can be prepared and still get hit. ;) I have many other things to say about those people, but this is a family forum.


I will probably do the restore from my windows disc just to be on the safe side. It says to back up my user files. Can you tell me please what those are exactly? Is that what is under Documents and Settings/all users?


Thanks for your help!!

Link to post
Share on other sites

One more thing - when I reboot, I am getting this program called Privacy Scanner that pops up and wants me to scan my system. Obviously I haven't, and there's nothing in Remove Programs to get rid of it. It says it's from w*w.privacychampion.com. Anyone know who these jerks are?


I can't even delete the programs it has installed. :/ Yeah, this is really how I wanted to spend my Sunday. ;)

Link to post
Share on other sites

You user files are going to be in My Documents, Desktop, or anyother files you created. Also don't forget any programs that might save data to the directory they are installed in(e.g. games, finance, web design software)


You might not find those specific subfolders on your machine. That was the closest description I could find using the information in your post. If you can give us the name of the file AVG found that would help.


Not sure about PrivacyChampion, I have never seen it before. I did a search and found it on Download.com.



Link to post
Share on other sites

OK, hubby finally got up and showed me the error I was making when looking for that key in my registry. :rolleyes: It WAS there, and we got it, the exe file, and the prefetch file deleted. The second link was the one that did the trick. This was my first foray into the registry. Hubby had always taken care of that before, but now I know. :)


Thank you so much, Dick - these things aggravate and anger me to no end because I feel so powerless to stop them.


Would it be your opinion that having deleted this registry entry and exe file means I'm probably safe now? I'm still paranoid to go into anything that requires a password to be entered.

Link to post
Share on other sites

Good Job Thumbs Up

Would it be your opinion that having deleted this registry entry and exe file means I'm probably safe now?  I'm still paranoid to go into anything that requires a password to be entered.

You should be OK. Just remember if you ever go back to a previous restore point you would be back where you started. I would just remove all old restore points.


Link to post
Share on other sites

I got Privacy Scanner too, and I *know* I didn't install it. The people at Privacy Champion have been very unhelpful. When asked how to uninstall it, they told me to delete the exe file and the shortcut on my desktop. I have never seen a legitimate program that didn't allow itself to be uninstalled, and I find it very unlikely that this program did not put anything in my registry. I asked them again about the registry, and they didn't reply. I have asked them a THIRD time, not so nicely. Tomorrow I start a public relations campaign from h*ll that will put them in a very bad light. Unless they tell me what they did to my computer and how to fix it.


If anyone else has ever encountered these guys, please let me know what your experience was. They seem to be fairly new, but I don't believe they're legitimate purveyors of useful software. I've never had Microsoft Office, for instance, install itself on my computer without my permission and refuse to uninstall.




Angie Dixon

Link to post
Share on other sites
I've never had Microsoft Office, for instance, install itself on my computer without my permission and refuse to uninstall.


Now THAT would at least be useful! heh


I agree - these guys are shady and I plan on posting at places like cnet and download.com.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...