Could anybody help me out with HijackThis?
#1
Lately I've had a whole lot of pop-ups and unknown shortcuts on my desktop. I've found a file in Program Files that keeps rebooting itself whenever I restart Windows, but I can't delete it because when I right-click or push delete, Windows Explorer crashes. Here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 10:10:08 AM, on 4/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\64CORN~1\DataDateRect.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Diego Velez\Desktop\Random Progs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.honda-tech.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\System32\LVComS.exe
O4 - HKLM\..\Run: [Remote defy] C:\PROGRA~1\64CORN~1\DataDateRect.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.4894328704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


help a brotha out...

***a fcking pop up opened up while I was writing this!
#2
Adaware? Spybot?
(09-25-2019, 03:18 PM)V1GiLaNtE Wrote: I think you need to see a mental health professional.
#3
Yes, run Adaware or Spybot and then go to Start > Run > type "msconfig" > Startup tab > unclick all the crap you don't want running. Make sure you run a scan first tho

-Justin
#4
format c:
SM #55 | 06 Titan | 12 Focus | 06 Exige | 14 CX-5
#5
Spybot S&D
My Tumblr
2008 Felt F75 - Pedal Power
#6
Other than:

C:\PROGRA~1\64CORN~1\DataDateRect.exe

and

O4 - HKLM\..\Run: [Remote defy] C:\PROGRA~1\64CORN~1\DataDateRect.exe

everything seems fine. I don't know what that program is though - it could be legit.
Why do people just post what they are thinking? Without thinking.

2012 Ford Mustang
1995 BMW 540i/A
1990 Eagle Talon TSI AWD
  Reply
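The triage done by eye in post #6, as an added example that is not part of the thread: a small Python pass over HijackThis `O4` (Run key) and `O10` (Winsock LSP) lines that lists entries for manual review. The `KNOWN_DIRS` allowlist and the function names are assumptions made for this sketch; a flagged entry means "look this up", not "malicious".

```python
import re
from collections import Counter

# Lines copied from the log in post #1 (a subset, to keep the example short).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Remote defy] C:\PROGRA~1\64CORN~1\DataDateRect.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
"""
# Assumption: a reviewer-maintained allowlist of install directories, lower-cased.
KNOWN_DIRS = (r"c:\progra~1\symant~1", r"c:\program files\quicktime")
ENTRY = re.compile(r"^([ORNF]\d+) - (.*)$")                 # "<code> - <body>"
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.+?)\] (.*)$")   # "[value name] command"

def run_target(command):
    """Return the executable path from a Run command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command

def triage(log_text):
    """Return (code, item, reason) tuples, one per distinct flagged log line."""
    counts = Counter(l.strip() for l in log_text.splitlines() if l.strip())
    findings = []
    for line, n in counts.items():
        m = ENTRY.match(line)
        code, body = m.groups() if m else ("", "")
        run = RUN.match(body) if code == "O4" else None
        if code == "O10" and body.startswith("Unknown file"):
            findings.append((code, body.split(": ", 1)[1], f"unknown LSP file, listed {n}x"))
        elif run:
            name, target = run.group(1), run_target(run.group(2)).lower()
            directory = target.rpartition("\\")[0]
            if not directory:
                findings.append((code, name, "no path given, resolved via search path"))
            elif directory not in KNOWN_DIRS:
                findings.append((code, name, "directory not on allowlist: " + directory))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```
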
#7
Also, if you're gay and still use Internet Explorer :roll: - http://www.javacoolsoftware.com/ - should help you out in the future.
#8
I love IE. DataDateRect is the problem, I don't know how to get rid of it. I ran Symantec, nothing, I ran Spybot, fixed some cookies, I ran HijackThis, deleted it, ran msconfig, told it not to boot up. Reboot comp, still there and now I have this minitab bar at the bottom of IE....

time to throw away the computer
#9
In Spybot, go to the tools tab, click BHOs and toggle off all the objects except NavShExt.dll (if you have it). You can toggle them off by selecting the object and clicking toggle (it will make the object a light grey). Also, go to the ActiveX tab on the left, click export, save the log to your desktop, then post it here.
#10
deeseetoo Wrote:I love IE.
This doesn't make it any less gay. Try Mozilla Firefox - you won't ever go back to IE.
#11
Here is the Active X summary from S&D
No BHO's in spybot

Spybot-S&D ActiveX report, 4/30/2004 2:03:46 PM

DirectAnimation Java Classes
Download location: file://C:\WINDOWS\Java\classes\dajava.cab
Name: DirectAnimation Java Classes
Version: 5,1,15,1014

Microsoft XML Parser for Java
Download location: file://C:\WINDOWS\Java\classes\xmldso.cab
Name: Microsoft XML Parser for Java
Version: 1,0,9,2

{8AD9C840-044E-11D1-B3E9-00805F499D93}
Class file: npjpi142_01.dll
Attributes: archive
Date: 8/19/2003 5:23:34 PM
MD5: 0B668A48CB4845F9D9D335D99C82504C
Path: C:\Program Files\Java\j2re1.4.2_01\bin\
Short name: NPJPI1~1.DLL
Size: 65642 bytes
Version: 0.1.0.4
Class name: Java Plug-in 1.4.2_01
CLSID database: legitimate software
Description: Sun Java
Filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
Download location: http://java.sun.com/update/1.4.2/jinstall-1_4_2_01-windows-i586.cab
Last modified: Fri, 29 Aug 2003 21:37:08 GMT
Name: Java Runtime Environment 1.4.2
Version: 1,4,2,10

{9F1C11AA-197B-4942-BA54-47A8489BB47F}
Class file: iuctl.dll
Attributes: archive
Date: 8/25/2003 6:06:50 PM
MD5: 8757E24D6B002FD7E9EF3A6DF697BA57
Path: C:\WINDOWS\System32\
Short name:
Size: 115808 bytes
Version: 0.5.0.4
Class name: Update Class
CLSID database: legitimate software
Description: Windows Update
Filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
Contains file: iuctl.dll
Attributes: archive
Date: 8/25/2003 6:06:50 PM
MD5: 8757E24D6B002FD7E9EF3A6DF697BA57
Path: C:\WINDOWS\System32\
Short name:
Size: 115808 bytes
Version: 0.5.0.4
Contains file: iuengine.dll
Attributes: archive
Date: 8/25/2003 3:06:50 PM
MD5: 6B43E283AF93D9823D7B69D9766AB4E9
Path: C:\WINDOWS\System32\
Short name:
Size: 182880 bytes
Version: 0.5.0.4
Download location: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.4894328704
Last modified: Tue, 26 Aug 2003 01:19:52 GMT
Version: 5,4,3790,14

{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}
Class file: npjpi142_01.dll
Attributes: archive
Date: 8/19/2003 5:23:34 PM
MD5: 0B668A48CB4845F9D9D335D99C82504C
Path: C:\Program Files\Java\j2re1.4.2_01\bin\
Short name: NPJPI1~1.DLL
Size: 65642 bytes
Version: 0.1.0.4
Class name: Java Plug-in 1.4.2_01
Download location: http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Name: Java Runtime Environment 1.4.2
Version: 1,4,2,1

{D27CDB6E-AE6D-11CF-96B8-444553540000}
Class file: Flash.ocx
Attributes: archive
Date: 12/8/2003 3:01:58 PM
MD5: F7E435D02F7A48120B746E33254A70BC
Path: C:\WINDOWS\System32\macromed\flash\
Short name:
Size: 933888 bytes
Version: 0.7.0.0
Class name: Shockwave Flash Object
CLSID database: legitimate software
Description: Macromedia Shockwave Flash Player
Download location: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Last modified: Wed, 26 Feb 2003 19:22:35 GMT
Version: 6,0,79,0

thanks for the help
#12
I really don't know where your popups are coming from. It doesn't look like you have any active processes that are giving the popups, and there are no BHOs or ActiveX objects that could be causing your problems. Maybe you should get a firewall program such as ZoneAlarm or Kerio to see what programs are accessing the internet. I'm really stumped.

If you haven't done so, dl AdAware from http://download.com.com/3000-2144-100459...tag=button , update it and run it on your system. Many times it catches programs that Spybot misses.
#13
yep, this datadaterect.exe file fucked my comp over. I'll try the adware thing, maybe it will work.
#14
Adaware finds a lot of crap that Spybot misses, but I don't think this kind of malware is really classified as spyware, so neither of them may pick it up.

My moronic roommate got all these stupid viruses (178 to be exact -- in less than 2 months)
#15
Yea, Adaware isn't picking it up either. Anybody know a practical way I could save 15 gigs of MP3s and folders before I reformat this bitch?
#16
Here's what you do - turn off WindowsXP file backup that is turned on by default. You can do this by going to Control Panel / System (in classic view) / Auto Restore tab. Hit ctrl-alt-del and kill the datadaterect.exe in the task manager. Go to the C:\Program Files\64CORN~1\ and delete the datadaterect.exe file. Create a new blank text file, name it datadaterect.exe (make sure it is named datadaterect.exe and not datadaterect.exe.txt - you might have to turn off the "Hide File Extensions of Known File Types" option in Explorer by going to Tools\Folder Options\View tab.) Then, right click on the blank datadaterect.exe file and make it read only. Restart the computer. Should work.
#17
ViPER1313 Wrote: Here's what you do - turn off WindowsXP file backup that is turned on by default. You can do this by going to Control Panel / System (in classic view) / Auto Restore tab. Hit ctrl-alt-del and kill the datadaterect.exe in the task manager. Go to the C:\Program Files\64CORN~1\ and delete the datadaterect.exe file. Create a new blank text file, name it datadaterect.exe (make sure it is named datadaterect.exe and not datadaterect.exe.txt - you might have to turn off the "Hide File Extensions of Known File Types" option in Explorer by going to Tools\Folder Options\View tab.) Then, right click on the blank datadaterect.exe file and make it read only. Restart the computer. Should work.

Did it, ran the Spybot check and now the file is completely gone after I deleted it. Looks like it's gone.

Now I'm too sick of my computer to look at the screen. Tongue . Thanks for the help