I need help...Security IGuard/5 mins startup/DaoSearch/more


  • This topic is locked
17 replies to this topic

#1 Xanarki

  • Members
  • 22 posts

Posted 29 March 2005 - 09:28 PM

Well, here are some probs...

-Takes almost 5 mins to load up Windows. It shows my desktop background. All it shows is that picture (and the mouse arrow). After 5 mins, the icons and toolbar appear.

-Security IGuard won't go away. I tried the add/remove method, but it's like a worm: it keeps coming back.

-DaoSearch.com is my Internet Explorer homepage and it won't change (although I use Netscape more)

-Certain words like "spyware", "computer", "free", "sports" that are in text format are changed into a link that directs me to DaoSearch.com. I even tried to enter BleepingComputer's chatroom and instead it gave me search results for chats on DaoSearch.com! This happens on both IE and Netscape...

So, here is my HijackThis log. I need detailed info on how to fix these problems. Do you think Security IGuard is associated with the slow system startup?

Logfile of HijackThis v1.99.1
Scan saved at 12:45:26 PM, on 3/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\Services\{260BF5D2-FCB3-4634-92FE-D1B922533AF8}\SVCHOST.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Netscape\Netscp.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=32994&said=261
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.excite.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\hightrt8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\hightrt8.slt\prefs.js)
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\Owner\LOCALS~1\Temp\kabca.dat (file missing)
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\Owner\LOCALS~1\Temp\snd3pm.dat (file missing)
O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\Owner\LOCALS~1\Temp\kabca.dat (file missing)
O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\Owner\LOCALS~1\Temp\dvdw.dat
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll (file missing)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\System32\wer8274.dll
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\Owner\LOCALS~1\Temp\bacgmi.dat (file missing)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\Owner\LOCALS~1\Temp\sodbil.dat (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [acbak] C:\WINDOWS\Microsoft.NET\acbak.exe
O4 - HKLM\..\Run: [*acbak] C:\WINDOWS\Microsoft.NET\acbak.exe
O4 - HKLM\..\Run: [*raslog] C:\WINDOWS\Driver Cache\raslog.exe
O4 - HKLM\..\Run: [*bakmsvc] C:\WINDOWS\system\bakmsvc.exe
O4 - HKLM\..\Run: [*avsrv] C:\WINDOWS\system32\mui\0009\avsrv.exe
O4 - HKLM\..\Run: [*drvvb] C:\WINDOWS\Web\printers\drvvb.exe
O4 - HKLM\..\Run: [*hardsrv] C:\WINDOWS\msagent\hardsrv.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\Owner\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{260BF5D2-FCB3-4634-92FE-D1B922533AF8}\SVCHOST.EXE
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Zero Knowledge\Freedom\IndexCleanerR.exe"
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Zero Knowledge\Freedom\IndexCleanerR.exe"
O9 - Extra button: Microsoft AntiSpyware helper - {7B6C8E7C-FB67-41F4-A27F-E4B68B5FAEF0} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7B6C8E7C-FB67-41F4-A27F-E4B68B5FAEF0} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {7BE97B2D-8386-471E-A70B-0CA4CC01C958} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7BE97B2D-8386-471E-A70B-0CA4CC01C958} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {7D8BC892-62A8-4DAD-AF59-290FD5083FBB} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7D8BC892-62A8-4DAD-AF59-290FD5083FBB} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {82646D05-94C2-45CA-91FA-366BBE856E78} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82646D05-94C2-45CA-91FA-366BBE856E78} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {82DFE501-A790-4F38-9262-9E5E04C1FA66} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82DFE501-A790-4F38-9262-9E5E04C1FA66} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {8362C242-3720-4B58-A8AC-AF5F9D7095C0} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8362C242-3720-4B58-A8AC-AF5F9D7095C0} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {9FA90248-56B3-4D31-82F6-91A382C3F265} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9FA90248-56B3-4D31-82F6-91A382C3F265} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {A173E009-96E6-4508-94A7-1D7D8673A072} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A173E009-96E6-4508-94A7-1D7D8673A072} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {A87CBDB5-46E9-4C6A-879A-09F0F70D98E0} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A87CBDB5-46E9-4C6A-879A-09F0F70D98E0} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {B466BB20-C24D-43CA-A98B-FA6D82F22435} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B466BB20-C24D-43CA-A98B-FA6D82F22435} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {B542A77B-17C9-48C5-A423-E29BEEB8AB34} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B542A77B-17C9-48C5-A423-E29BEEB8AB34} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {B9E5A7EA-753A-43DD-AC42-3C5FD975C51F} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B9E5A7EA-753A-43DD-AC42-3C5FD975C51F} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {C05493CC-37BD-406A-8D74-E3598A0D5C84} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C05493CC-37BD-406A-8D74-E3598A0D5C84} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {CE089A10-60A2-4F7B-8979-FEA86FC0EDDE} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CE089A10-60A2-4F7B-8979-FEA86FC0EDDE} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {EB7D04B5-3E34-426F-9EFC-3CD117406B81} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EB7D04B5-3E34-426F-9EFC-3CD117406B81} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {ED469228-43E3-42E9-BDFA-0E91E6358796} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ED469228-43E3-42E9-BDFA-0E91E6358796} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {F255DE68-B5E7-4E43-9FDE-20984AE4F9B8} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F255DE68-B5E7-4E43-9FDE-20984AE4F9B8} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {037D15F8-84BA-4853-BE6A-96A2F4ABF6F7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {037D15F8-84BA-4853-BE6A-96A2F4ABF6F7} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {09F2F493-2876-4699-BCA6-A95F5356B37D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {09F2F493-2876-4699-BCA6-A95F5356B37D} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {0FF57B6B-1C92-4163-B687-515965DA7623} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0FF57B6B-1C92-4163-B687-515965DA7623} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {2322B8BC-31AD-4727-9B72-DC9CB753B47C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2322B8BC-31AD-4727-9B72-DC9CB753B47C} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {3191B91F-62FA-4037-ABF9-6AFAF8C8EE6D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3191B91F-62FA-4037-ABF9-6AFAF8C8EE6D} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {31D4CCB5-EB7E-441F-B89F-4809EE4AD63A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {31D4CCB5-EB7E-441F-B89F-4809EE4AD63A} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {36A9ECF9-9960-4991-9412-48D3360330D8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {36A9ECF9-9960-4991-9412-48D3360330D8} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {386186A1-CB7A-4AA1-BC4F-7B257BAAE776} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {386186A1-CB7A-4AA1-BC4F-7B257BAAE776} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {3A394459-DB1E-476F-BCA7-82A6E240DB16} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3A394459-DB1E-476F-BCA7-82A6E240DB16} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {3AFE4FFE-7EBE-4619-A6DB-89D98D620C83} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3AFE4FFE-7EBE-4619-A6DB-89D98D620C83} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {4665C409-5F1C-4A3D-96BF-788C667513A2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4665C409-5F1C-4A3D-96BF-788C667513A2} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {491822ED-89B7-4D53-A666-453F72ED78A6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {491822ED-89B7-4D53-A666-453F72ED78A6} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {49E0E351-E7AC-4C37-85AC-4657726FD762} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {49E0E351-E7AC-4C37-85AC-4657726FD762} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {4C40DDC3-C547-463C-83F4-D0618CD5DA8B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4C40DDC3-C547-463C-83F4-D0618CD5DA8B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {51933024-3EE6-4585-B520-D3C5C373A237} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {51933024-3EE6-4585-B520-D3C5C373A237} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {5612EEDE-6E85-4C30-B7B1-DE7D683896D6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5612EEDE-6E85-4C30-B7B1-DE7D683896D6} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {6AFF4E9D-206A-4D2E-ABBC-211B06E90A2D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6AFF4E9D-206A-4D2E-ABBC-211B06E90A2D} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {71D830F8-A053-49E7-9A05-A738D7C85052} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {71D830F8-A053-49E7-9A05-A738D7C85052} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {75F68186-9023-471C-95FE-5DC28D36ED5D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {75F68186-9023-471C-95FE-5DC28D36ED5D} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {76D3A05F-A3A3-4672-BBD9-D1E2075DD5B9} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {76D3A05F-A3A3-4672-BBD9-D1E2075DD5B9} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {7899BA12-F2C6-49E2-9E62-DF5D577DA2CF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7899BA12-F2C6-49E2-9E62-DF5D577DA2CF} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {7B6C8E7C-FB67-41F4-A27F-E4B68B5FAEF0} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7B6C8E7C-FB67-41F4-A27F-E4B68B5FAEF0} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {7BE97B2D-8386-471E-A70B-0CA4CC01C958} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7BE97B2D-8386-471E-A70B-0CA4CC01C958} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {7D8BC892-62A8-4DAD-AF59-290FD5083FBB} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7D8BC892-62A8-4DAD-AF59-290FD5083FBB} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {82646D05-94C2-45CA-91FA-366BBE856E78} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82646D05-94C2-45CA-91FA-366BBE856E78} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {82DFE501-A790-4F38-9262-9E5E04C1FA66} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82DFE501-A790-4F38-9262-9E5E04C1FA66} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8362C242-3720-4B58-A8AC-AF5F9D7095C0} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8362C242-3720-4B58-A8AC-AF5F9D7095C0} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9FA90248-56B3-4D31-82F6-91A382C3F265} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9FA90248-56B3-4D31-82F6-91A382C3F265} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A173E009-96E6-4508-94A7-1D7D8673A072} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A173E009-96E6-4508-94A7-1D7D8673A072} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A87CBDB5-46E9-4C6A-879A-09F0F70D98E0} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A87CBDB5-46E9-4C6A-879A-09F0F70D98E0} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B466BB20-C24D-43CA-A98B-FA6D82F22435} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B466BB20-C24D-43CA-A98B-FA6D82F22435} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B542A77B-17C9-48C5-A423-E29BEEB8AB34} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B542A77B-17C9-48C5-A423-E29BEEB8AB34} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B9E5A7EA-753A-43DD-AC42-3C5FD975C51F} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B9E5A7EA-753A-43DD-AC42-3C5FD975C51F} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C05493CC-37BD-406A-8D74-E3598A0D5C84} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C05493CC-37BD-406A-8D74-E3598A0D5C84} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {CE089A10-60A2-4F7B-8979-FEA86FC0EDDE} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CE089A10-60A2-4F7B-8979-FEA86FC0EDDE} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {EB7D04B5-3E34-426F-9EFC-3CD117406B81} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EB7D04B5-3E34-426F-9EFC-3CD117406B81} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {ED469228-43E3-42E9-BDFA-0E91E6358796} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ED469228-43E3-42E9-BDFA-0E91E6358796} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F255DE68-B5E7-4E43-9FDE-20984AE4F9B8} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F255DE68-B5E7-4E43-9FDE-20984AE4F9B8} - C:\WINDOWS\System32\wldr.dll (HKCU)
O20 - Winlogon Notify: catjava - C:\DOCUME~1\Owner\LOCALS~1\Temp\avajtac.dat (file missing)
O20 - Winlogon Notify: crcab - C:\DOCUME~1\Owner\LOCALS~1\Temp\bacrc.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: wdvd - C:\DOCUME~1\Owner\LOCALS~1\Temp\dvdw.dat
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

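The log above is a textbook persistence inventory: Run/RunOnce entries pointing at executables dropped into odd system subfolders and the user's Temp directory, BHOs and Winlogon Notify handlers loading `.dat` files from Temp, a fake `SVCHOST.EXE` living under `System32\Services\{GUID}`, and one `wldr.dll` registered under nineteen different CLSIDs as a fake "Microsoft AntiSpyware helper". The script below is an added example, not part of the original thread and not a BleepingComputer or HijackThis tool: it parses HijackThis-style lines and applies the same checks an experienced reviewer makes by eye. The heuristics, thresholds and the trusted-directory list are my own assumptions; the sample lines are excerpted from the log above, with two benign entries (IgfxTray, the NVIDIA service) added so the script is seen to leave normal software alone.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines excerpted from the HijackThis log posted above,
# plus two benign entries (IgfxTray, NVIDIA service) that must NOT be flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=32994&said=261
O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\Owner\LOCALS~1\Temp\dvdw.dat
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll (file missing)
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{260BF5D2-FCB3-4634-92FE-D1B922533AF8}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\Owner\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O9 - Extra button: Microsoft AntiSpyware helper - {7B6C8E7C-FB67-41F4-A27F-E4B68B5FAEF0} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {7BE97B2D-8386-471E-A70B-0CA4CC01C958} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {7D8BC892-62A8-4DAD-AF59-290FD5083FBB} - C:\WINDOWS\System32\wldr.dll
O20 - Winlogon Notify: wdvd - C:\DOCUME~1\Owner\LOCALS~1\Temp\dvdw.dat
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
""".strip()

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path on the line, up to a code/data extension.
PATH_RE = re.compile(r"([A-Za-z]:\\[^()]*?\.(?:exe|dll|dat|ocx))\b", re.IGNORECASE)
# Assumption: the only directory where a real svchost.exe belongs on XP.
TRUSTED_SVCHOST_DIRS = {r"c:\windows\system32"}


@dataclass
class Entry:
    section: str            # HijackThis section tag: R0, O2, O4, O9, O20, ...
    raw: str
    path: Optional[str]
    clsid: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Entry:
    section = line.split(" - ", 1)[0].strip()
    m = PATH_RE.search(line)
    path = m.group(1) if m else None
    clsid = None
    if section in ("O2", "O3", "O9", "R3"):      # sections keyed by a COM CLSID
        c = CLSID_RE.search(line)
        clsid = c.group(0).upper() if c else None
    return Entry(section, line, path, clsid)


def triage_entry(e: Entry) -> None:
    """Attach a reason for every heuristic the entry trips (heuristics are mine)."""
    if "(file missing)" in e.raw or "(no file)" in e.raw:
        e.reasons.append("orphaned reference: registry points at a file that is gone")
    if e.section in ("R0", "R1") and re.search(r"https?://\S+\?\S+", e.raw):
        e.reasons.append("start/search page set to a URL carrying tracking parameters")
    if not e.path:
        return
    low = e.path.lower()
    parent, base = low.rsplit("\\", 1)
    if "\\temp\\" in low:
        e.reasons.append("code loaded from a user Temp directory")
    if base == "svchost.exe" and parent not in TRUSTED_SVCHOST_DIRS:
        e.reasons.append(f"svchost.exe masquerade outside System32 ({parent})")
    # BHOs and Winlogon Notify handlers are always in-process DLLs; a .dat is a disguise.
    if e.section in ("O2", "O20") and not base.endswith((".dll", ".ocx")):
        e.reasons.append("in-process component registered with a non-DLL extension")


def find_clsid_spray(entries: List[Entry], threshold: int = 3) -> Dict[str, int]:
    """One DLL registered under many CLSIDs: a trick to survive per-CLSID removal."""
    by_dll: Dict[str, set] = defaultdict(set)
    for e in entries:
        if e.section in ("O2", "O9") and e.path and e.clsid:
            by_dll[e.path.lower()].add(e.clsid)
    return {dll: len(ids) for dll, ids in by_dll.items() if len(ids) >= threshold}


def triage(log_text: str) -> Tuple[List[Entry], Dict[str, int]]:
    entries = [parse_entry(l) for l in log_text.splitlines() if " - " in l]
    for e in entries:
        triage_entry(e)
    spray = find_clsid_spray(entries)
    for e in entries:
        if e.path and e.path.lower() in spray:
            e.reasons.append(f"one DLL registered under {spray[e.path.lower()]} different CLSIDs")
    return [e for e in entries if e.reasons], spray


def report(log_text: str) -> str:
    flagged, _ = triage(log_text)
    out: List[str] = []
    for e in flagged:
        out.append(e.raw)
        out.extend(f"    -> {r}" for r in e.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Orphaned "(file missing)" entries are harmless on their own, but they are evidence that the same loader has been re-dropping files on each boot, which is why the cleanup has to remove the Run/RunOnce entries and the Winlogon Notify handlers in the same pass as the files. The CLSID-spray check is the one that catches `wldr.dll`: removing a single O9 entry does nothing while eighteen other CLSIDs still point at the same DLL.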

#2 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 29 March 2005 - 11:27 PM

Hi Xanarki. Let's start here and see if we can knock some of these problems down. Then we'll finish up with the really bad ones. Please start Notepad and copy/paste these directions into the new document. Save the document to your desktop and then proceed with the steps below in order.

Step #1

Download the Pocket Killbox.

Now physically disconnect your computer from the internet. Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Paste this file into the top Full Path of File to Delete field.
    • C:\DOCUME~1\Owner\LOCALS~1\Temp\kabca.dat
  • Click the Delete File button which looks like a stop sign.
  • Click No at the Pending Operations prompt.
Repeat the above steps for each of the following files. The only difference is that you will be substituting the file listed in the first step with each of the files below.

C:\DOCUME~1\Owner\LOCALS~1\Temp\snd3pm.dat
C:\DOCUME~1\Owner\LOCALS~1\Temp\dvdw.dat
C:\WINDOWS\System32\spm1316.dll
C:\WINDOWS\System32\wer8274.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\bacgmi.dat
C:\DOCUME~1\Owner\LOCALS~1\Temp\sodbil.dat
C:\WINDOWS\Microsoft.NET\acbak.exe
C:\WINDOWS\Microsoft.NET\acbak.exe
C:\WINDOWS\Driver Cache\raslog.exe
C:\WINDOWS\system\bakmsvc.exe
C:\WINDOWS\system32\mui\0009\avsrv.exe
C:\WINDOWS\Web\printers\drvvb.exe
C:\WINDOWS\msagent\hardsrv.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\keep.exe
C:\WINDOWS\System32\srvc32.exe
C:\WINDOWS\System32\wldr.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\avajtac.dat (file missing)
C:\DOCUME~1\Owner\LOCALS~1\Temp\bacrc.dat
C:\WINDOWS\System32\Services\SVCHOST.EXE

After you add the last file and it prompts to reboot, you should press the Yes button to allow it to do so. REBOOT INTO SAFE MODE (SEE DIRECTIONS BELOW). If the system does not reboot automatically then manually reboot.

Start in Safe Mode Using the F8 method:
* Restart the computer.
* As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
* Use the arrow keys to select the Safe Mode menu item.
* Press Enter.

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=32994&said=261
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\Owner\LOCALS~1\Temp\kabca.dat (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: CATLEvents Object - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\Owner\LOCALS~1\Temp\snd3pm.dat (file missing)
O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\Owner\LOCALS~1\Temp\kabca.dat (file missing)
O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\Owner\LOCALS~1\Temp\dvdw.dat
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll (file missing)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\System32\wer8274.dll
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\Owner\LOCALS~1\Temp\bacgmi.dat (file missing)
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\Owner\LOCALS~1\Temp\sodbil.dat (file missing)
O4 - HKLM\..\Run: [acbak] C:\WINDOWS\Microsoft.NET\acbak.exe
O4 - HKLM\..\Run: [*acbak] C:\WINDOWS\Microsoft.NET\acbak.exe
O4 - HKLM\..\Run: [*raslog] C:\WINDOWS\Driver Cache\raslog.exe
O4 - HKLM\..\Run: [*bakmsvc] C:\WINDOWS\system\bakmsvc.exe
O4 - HKLM\..\Run: [*avsrv] C:\WINDOWS\system32\mui\0009\avsrv.exe
O4 - HKLM\..\Run: [*drvvb] C:\WINDOWS\Web\printers\drvvb.exe
O4 - HKLM\..\Run: [*hardsrv] C:\WINDOWS\msagent\hardsrv.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\Owner\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{260BF5D2-FCB3-4634-92FE-D1B922533AF8}\SVCHOST.EXE
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O9 - Extra button: Microsoft AntiSpyware helper - {7B6C8E7C-FB67-41F4-A27F-E4B68B5FAEF0} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7B6C8E7C-FB67-41F4-A27F-E4B68B5FAEF0} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {7BE97B2D-8386-471E-A70B-0CA4CC01C958} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7BE97B2D-8386-471E-A70B-0CA4CC01C958} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {7D8BC892-62A8-4DAD-AF59-290FD5083FBB} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7D8BC892-62A8-4DAD-AF59-290FD5083FBB} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {82646D05-94C2-45CA-91FA-366BBE856E78} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82646D05-94C2-45CA-91FA-366BBE856E78} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {82DFE501-A790-4F38-9262-9E5E04C1FA66} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82DFE501-A790-4F38-9262-9E5E04C1FA66} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {8362C242-3720-4B58-A8AC-AF5F9D7095C0} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8362C242-3720-4B58-A8AC-AF5F9D7095C0} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {9FA90248-56B3-4D31-82F6-91A382C3F265} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9FA90248-56B3-4D31-82F6-91A382C3F265} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {A173E009-96E6-4508-94A7-1D7D8673A072} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A173E009-96E6-4508-94A7-1D7D8673A072} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {A87CBDB5-46E9-4C6A-879A-09F0F70D98E0} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A87CBDB5-46E9-4C6A-879A-09F0F70D98E0} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {B466BB20-C24D-43CA-A98B-FA6D82F22435} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B466BB20-C24D-43CA-A98B-FA6D82F22435} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {B542A77B-17C9-48C5-A423-E29BEEB8AB34} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B542A77B-17C9-48C5-A423-E29BEEB8AB34} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {B9E5A7EA-753A-43DD-AC42-3C5FD975C51F} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B9E5A7EA-753A-43DD-AC42-3C5FD975C51F} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {C05493CC-37BD-406A-8D74-E3598A0D5C84} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C05493CC-37BD-406A-8D74-E3598A0D5C84} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {CE089A10-60A2-4F7B-8979-FEA86FC0EDDE} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CE089A10-60A2-4F7B-8979-FEA86FC0EDDE} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {EB7D04B5-3E34-426F-9EFC-3CD117406B81} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EB7D04B5-3E34-426F-9EFC-3CD117406B81} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {ED469228-43E3-42E9-BDFA-0E91E6358796} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ED469228-43E3-42E9-BDFA-0E91E6358796} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {F255DE68-B5E7-4E43-9FDE-20984AE4F9B8} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F255DE68-B5E7-4E43-9FDE-20984AE4F9B8} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {037D15F8-84BA-4853-BE6A-96A2F4ABF6F7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {037D15F8-84BA-4853-BE6A-96A2F4ABF6F7} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {09F2F493-2876-4699-BCA6-A95F5356B37D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {09F2F493-2876-4699-BCA6-A95F5356B37D} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {0FF57B6B-1C92-4163-B687-515965DA7623} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0FF57B6B-1C92-4163-B687-515965DA7623} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {2322B8BC-31AD-4727-9B72-DC9CB753B47C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2322B8BC-31AD-4727-9B72-DC9CB753B47C} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {3191B91F-62FA-4037-ABF9-6AFAF8C8EE6D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3191B91F-62FA-4037-ABF9-6AFAF8C8EE6D} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {31D4CCB5-EB7E-441F-B89F-4809EE4AD63A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {31D4CCB5-EB7E-441F-B89F-4809EE4AD63A} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {36A9ECF9-9960-4991-9412-48D3360330D8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {36A9ECF9-9960-4991-9412-48D3360330D8} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {386186A1-CB7A-4AA1-BC4F-7B257BAAE776} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {386186A1-CB7A-4AA1-BC4F-7B257BAAE776} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {3A394459-DB1E-476F-BCA7-82A6E240DB16} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3A394459-DB1E-476F-BCA7-82A6E240DB16} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {3AFE4FFE-7EBE-4619-A6DB-89D98D620C83} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3AFE4FFE-7EBE-4619-A6DB-89D98D620C83} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {4665C409-5F1C-4A3D-96BF-788C667513A2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4665C409-5F1C-4A3D-96BF-788C667513A2} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {491822ED-89B7-4D53-A666-453F72ED78A6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {491822ED-89B7-4D53-A666-453F72ED78A6} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {49E0E351-E7AC-4C37-85AC-4657726FD762} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {49E0E351-E7AC-4C37-85AC-4657726FD762} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {4C40DDC3-C547-463C-83F4-D0618CD5DA8B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4C40DDC3-C547-463C-83F4-D0618CD5DA8B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {51933024-3EE6-4585-B520-D3C5C373A237} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {51933024-3EE6-4585-B520-D3C5C373A237} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {5612EEDE-6E85-4C30-B7B1-DE7D683896D6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5612EEDE-6E85-4C30-B7B1-DE7D683896D6} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {6AFF4E9D-206A-4D2E-ABBC-211B06E90A2D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6AFF4E9D-206A-4D2E-ABBC-211B06E90A2D} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {71D830F8-A053-49E7-9A05-A738D7C85052} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {71D830F8-A053-49E7-9A05-A738D7C85052} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {75F68186-9023-471C-95FE-5DC28D36ED5D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {75F68186-9023-471C-95FE-5DC28D36ED5D} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {76D3A05F-A3A3-4672-BBD9-D1E2075DD5B9} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {76D3A05F-A3A3-4672-BBD9-D1E2075DD5B9} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {7899BA12-F2C6-49E2-9E62-DF5D577DA2CF} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7899BA12-F2C6-49E2-9E62-DF5D577DA2CF} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {7B6C8E7C-FB67-41F4-A27F-E4B68B5FAEF0} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7B6C8E7C-FB67-41F4-A27F-E4B68B5FAEF0} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {7BE97B2D-8386-471E-A70B-0CA4CC01C958} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7BE97B2D-8386-471E-A70B-0CA4CC01C958} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {7D8BC892-62A8-4DAD-AF59-290FD5083FBB} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {7D8BC892-62A8-4DAD-AF59-290FD5083FBB} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {82646D05-94C2-45CA-91FA-366BBE856E78} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82646D05-94C2-45CA-91FA-366BBE856E78} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {82DFE501-A790-4F38-9262-9E5E04C1FA66} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82DFE501-A790-4F38-9262-9E5E04C1FA66} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8362C242-3720-4B58-A8AC-AF5F9D7095C0} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8362C242-3720-4B58-A8AC-AF5F9D7095C0} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9FA90248-56B3-4D31-82F6-91A382C3F265} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9FA90248-56B3-4D31-82F6-91A382C3F265} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A173E009-96E6-4508-94A7-1D7D8673A072} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A173E009-96E6-4508-94A7-1D7D8673A072} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A87CBDB5-46E9-4C6A-879A-09F0F70D98E0} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A87CBDB5-46E9-4C6A-879A-09F0F70D98E0} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B466BB20-C24D-43CA-A98B-FA6D82F22435} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B466BB20-C24D-43CA-A98B-FA6D82F22435} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B542A77B-17C9-48C5-A423-E29BEEB8AB34} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B542A77B-17C9-48C5-A423-E29BEEB8AB34} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B9E5A7EA-753A-43DD-AC42-3C5FD975C51F} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B9E5A7EA-753A-43DD-AC42-3C5FD975C51F} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C05493CC-37BD-406A-8D74-E3598A0D5C84} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C05493CC-37BD-406A-8D74-E3598A0D5C84} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {CE089A10-60A2-4F7B-8979-FEA86FC0EDDE} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CE089A10-60A2-4F7B-8979-FEA86FC0EDDE} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {EB7D04B5-3E34-426F-9EFC-3CD117406B81} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {EB7D04B5-3E34-426F-9EFC-3CD117406B81} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {ED469228-43E3-42E9-BDFA-0E91E6358796} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ED469228-43E3-42E9-BDFA-0E91E6358796} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F255DE68-B5E7-4E43-9FDE-20984AE4F9B8} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F255DE68-B5E7-4E43-9FDE-20984AE4F9B8} - C:\WINDOWS\System32\wldr.dll (HKCU)
O20 - Winlogon Notify: catjava - C:\DOCUME~1\Owner\LOCALS~1\Temp\avajtac.dat (file missing)
O20 - Winlogon Notify: crcab - C:\DOCUME~1\Owner\LOCALS~1\Temp\bacrc.dat
O20 - Winlogon Notify: wdvd - C:\DOCUME~1\Owner\LOCALS~1\Temp\dvdw.dat

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

These files should be gone but go to the directories and verify that they are no longer there. If you find them delete them:
C:\DOCUME~1\Owner\LOCALS~1\Temp\kabca.dat
C:\DOCUME~1\Owner\LOCALS~1\Temp\snd3pm.dat
C:\DOCUME~1\Owner\LOCALS~1\Temp\dvdw.dat
C:\WINDOWS\System32\spm1316.dll
C:\WINDOWS\System32\wer8274.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\bacgmi.dat
C:\DOCUME~1\Owner\LOCALS~1\Temp\sodbil.dat
C:\WINDOWS\Microsoft.NET\acbak.exe
C:\WINDOWS\Driver Cache\raslog.exe
C:\WINDOWS\system\bakmsvc.exe
C:\WINDOWS\system32\mui\0009\avsrv.exe
C:\WINDOWS\Web\printers\drvvb.exe
C:\WINDOWS\msagent\hardsrv.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\keep.exe
C:\WINDOWS\System32\srvc32.exe
C:\WINDOWS\System32\wldr.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\avajtac.dat (file missing)
C:\DOCUME~1\Owner\LOCALS~1\Temp\bacrc.dat
C:\WINDOWS\System32\Services\SVCHOST.EXE

Next, let's clean up the temporary folders:
  • Click Start
  • Point to Programs
  • Point to Accessories
  • Point to System Tools
  • Click Disk Cleanup
  • Select the following items and then click the OK button.
  • Temp Setup Files
  • Downloaded Program Files
  • Temp Internet Files
  • Debug Dump Files
  • Office Setup Files
  • Old chkdsk files
  • Recycle Bin
  • Temp Remote Desktop Files
  • Setup Log Files
  • Temp Files
  • WebClient temp files
OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in. This is only the first step in this process. We probably are not going to fix everything but we will definitely put a hurt on it.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 Xanarki

Xanarki
  • Topic Starter

  • Members
  • 22 posts

Posted 30 March 2005 - 01:54 AM

Well, here it is...
Logfile of HijackThis v1.99.1
Scan saved at 1:52:37 AM, on 3/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\igfxtray.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.excite.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\hightrt8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\hightrt8.slt\prefs.js)
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O20 - Winlogon Notify: crcab - C:\DOCUME~1\Owner\LOCALS~1\Temp\bacrc.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: wdvd - C:\DOCUME~1\Owner\LOCALS~1\Temp\dvdw.dat
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

Much shorter lol.

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 30 March 2005 - 02:20 AM

Hi Xanarki. Looking better now. Now I want you to download FindIt_Nt-2k-XP.zip. Unzip the contents of Find It NT-2K-XP.zip to a folder, for example c:\findit.

Navigate to the c:\findit folder and double-click on find.bat.
A command prompt will open and it will search your computer for malicious files. Let it finish. It could take 5 - 10 minutes.

Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

Cheers.

OT

#5 Xanarki

Xanarki
  • Topic Starter

  • Members
  • 22 posts

Posted 30 March 2005 - 02:35 AM

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is 40F0-7A83

Directory of C:\WINDOWS\System32

03/27/2005 06:24 PM <DIR> dllcache
03/20/2005 03:22 PM 24,576 Thumbs.db
01/03/2004 01:49 AM 56 D4E40697D4.sys
08/23/2003 08:18 AM <DIR> Microsoft
2 File(s) 24,632 bytes
2 Dir(s) 22,915,727,360 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is HP_PAVILION
Volume Serial Number is 40F0-7A83

Directory of C:\WINDOWS\System32

03/27/2005 06:24 PM <DIR> dllcache
03/20/2005 03:22 PM 24,576 Thumbs.db
01/03/2004 01:49 AM 56 D4E40697D4.sys
08/23/2003 07:52 AM 488 logonui.exe.manifest
08/23/2003 07:52 AM 488 WindowsLogon.manifest
08/23/2003 07:52 AM 749 sapi.cpl.manifest
08/23/2003 07:52 AM 749 nwc.cpl.manifest
08/23/2003 07:52 AM 749 ncpa.cpl.manifest
08/23/2003 07:52 AM 749 cdplayer.exe.manifest
08/23/2003 07:52 AM 749 wuaucpl.cpl.manifest
9 File(s) 29,353 bytes
1 Dir(s) 22,915,723,264 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is HP_PAVILION
Volume Serial Number is 40F0-7A83

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C is HP_PAVILION
Volume Serial Number is 40F0-7A83

Directory of C:\WINDOWS\System32

03/29/2005 03:14 AM 2,213 wer8274.tmp
03/28/2005 12:24 PM 27 qylLFKH.tmp
03/27/2005 08:30 PM 27 qylGIHL.tmp
03/20/2005 11:17 AM 27 qylEGEJ.tmp
03/20/2005 12:52 AM 27 mjgEGEJ.tmp
5 File(s) 2,321 bytes
0 Dir(s) 22,915,723,264 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crcab]
"Asynchronous"=dword:00000001
"DllName"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\bacrc.dat"
"Impersonate"=dword:00000000
"Logon"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OPXPGina]
"STARTUP"="OPWlxStartup"
"RECONNECT"="OPWlxReconnect"
"UNLOCK"="OPWlxUnlock"
"ASYNCHRONOUS"=dword:00000000
"DLLNAME"="C:\\Program Files\\Softex\\OmniPass\\opxpgina.dll"
"STOPSCREENSAVER"="OPWlxStopScreenSaver"
"STARTSCREENSAVER"="OPWlxStartScreenSaver"
"LOCK"="OPWlxLock"
"LOGOFF"="OPWlxLogoff"
"SHUTDOWN"="OPWlxShutdown"
"STARTSHELL"="OPWlxStartShell"
"IMPERSONATE"=dword:00000000
"LOGON"="OPWlxLogon"
"DISCONNECT"="OPWlxDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wdvd]
"Asynchronous"=dword:00000001
"DllName"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\dvdw.dat"
"Impersonate"=dword:00000000
"Logon"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
thumbs.db Sun Mar 20 2005 3:22:18p A.SH. 24,576 24.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 24,576 bytes 24.00 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\\\Unload\\hpqcmon.exe"
"HPHUPD05"="c:\\Program Files\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 30 March 2005 - 03:00 AM

Ok. Let's try the easy route first. Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
O20 - Winlogon Notify: crcab - C:\DOCUME~1\Owner\LOCALS~1\Temp\bacrc.dat
O20 - Winlogon Notify: wdvd - C:\DOCUME~1\Owner\LOCALS~1\Temp\dvdw.dat

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Find the following files/folders and delete them (don't worry if they are already gone):
C:\DOCUMENTS AND SETTINGS\Owner\LOCAL SETTINGS\Temp\bacrc.dat
C:\DOCUMENTS AND SETTINGS\Owner\LOCAL SETTINGS\Temp\dvdw.dat

Next, let's clean up the temporary folders:
  • Click Start
  • Point to Programs
  • Point to Accessories
  • Point to System Tools
  • Click Disk Cleanup
  • Select the following items and then click the OK button.
  • Temp Setup Files
  • Downloaded Program Files
  • Temp Internet Files
  • Debug Dump Files
  • Office Setup Files
  • Old chkdsk files
  • Recycle Bin
  • Temp Remote Desktop Files
  • Setup Log Files
  • Temp Files
  • WebClient temp files
OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in.

OT

#7 Xanarki

Xanarki
  • Topic Starter

  • Members
  • 22 posts

Posted 30 March 2005 - 03:11 AM

Can't seem to delete crcab and wdvd. Gives me that "Access Is Denied" error msg.

Security IGuard is still here as well. :-/

Logfile of HijackThis v1.99.1
Scan saved at 3:09:20 AM, on 3/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.excite.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\hightrt8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\hightrt8.slt\prefs.js)
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Zero Knowledge\Freedom\IndexCleanerR.exe"
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Zero Knowledge\Freedom\IndexCleanerR.exe"
O20 - Winlogon Notify: crcab - C:\DOCUME~1\Owner\LOCALS~1\Temp\bacrc.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: wdvd - C:\DOCUME~1\Owner\LOCALS~1\Temp\dvdw.dat
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 30 March 2005 - 11:45 AM

Hi Xanarki. Well, this is a persistent little bugger isn't it? Let's go at this from a different direction. Please follow the following steps in order.

Step #1

Download CCleaner and install it. Do not run it yet.

Step #2

Start Notepad and copy/paste the text from the quotebox below into the new document:

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crcab]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wdvd]


Save the file as fixnotify.reg to your desktop. Close Notepad.

Step #3

Alright, let's begin the fix.
  • Run CCleaner
  • Now right-click on fixnotify.reg and select Merge. Select Yes or Ok to any prompts when asked if you want to merge the file into the registry.
  • Start Killbox and do the following:
    • Paste this file into the top Full Path of File to Delete field:
      C:\DOCUME~1\Owner\LOCALS~1\Temp\bacrc.dat
  • Click on Replace on reboot and click in the checkbox in front of Use Dummy to select it.
  • Click the Delete File button which looks like a stop sign.
  • Click No at the Pending Operations prompt.
  • Repeat the above steps for each of the following files. The only difference is that you will be substituting the file listed in the first step with each of the files below.
    C:\DOCUME~1\Owner\LOCALS~1\Temp\dvdw.dat
  • After you add the last file and it prompts to reboot, you should press the Yes button to allow it to do so. If your computer does not reboot automatically then close Killbox and reboot manually.
Step #4

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in.

OT

Edited by OldTimer, 30 March 2005 - 11:54 AM.


#9 Xanarki

Xanarki
  • Topic Starter

  • Members
  • 22 posts

Posted 30 March 2005 - 12:37 PM

Hmm. I can't do Step #3. "Now right-click on fixnotify.reg and select Merge.".

It gives me an error msg. saying

"Cannot import c:\Docume~1\owner\desktop\fixnotify.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor."

I had to use wordpad and not notepad, since I don't have it on my comp. I also did read the other steps before that carefully, and this problem still occurs.

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 30 March 2005 - 01:00 PM

Hi Xan. If you are using Wordpad then you MUST specify that the file is saved in Text format.

Repeat the copy/paste into a new document and save it by:
  • Click File
  • Click Save As
  • In the Save as type dropdown box select Text Document
  • In the File name box type fixnotify.reg
  • Save the file to your desktop (delete your previous file(s) before saving this one)
Now start from the beginning with the previous fix and complete all of the steps.

Cheers.

OT
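As an added example (my own code, not OldTimer's tools or anything posted in this thread), here is a Python script that parses the REGEDIT4 "Keys Under Notify" dump that Find.bat printed earlier, flags Notify entries whose DllName points into a Temp folder or is not a .dll at all (the crcab and wdvd entries), builds the same kind of [-key] deletion script as fixnotify.reg, and checks that such a file is plain text rather than the RTF that WordPad saves by default, which is what produced the "not a registry script" error. The sample dump is an excerpt of the one posted above; nothing else is assumed.

```python
"""Added example, not from the thread: audit the REGEDIT4 dump of the
Winlogon Notify keys that Find.bat printed, and check that a hand-made
fixnotify.reg is a plain-text registry script before it is merged."""

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Excerpt (three subkeys) of the "Keys Under Notify" output posted above.
SAMPLE_NOTIFY_DUMP = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crcab]
"Asynchronous"=dword:00000001
"DllName"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\bacrc.dat"
"Impersonate"=dword:00000000
"Logon"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wdvd]
"Asynchronous"=dword:00000001
"DllName"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\dvdw.dat"
"Impersonate"=dword:00000000
"Logon"="SysLogon"
"Logoff"="SysLogoff"
'''

def decode_value(raw):
    """Decode the value kinds found in a REGEDIT4 Notify export."""
    if raw.startswith('"') and raw.endswith('"'):      # string; export doubles backslashes
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):                       # REG_EXPAND_SZ as ANSI bytes + NUL
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("latin-1").rstrip("\x00")
    return raw

def parse_regedit4(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 export."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            name, _, raw = line.partition("=")
            keys[current]["@" if name == "@" else name.strip('"')] = decode_value(raw)
    return keys

def audit_notify(keys):
    """Map each suspicious Notify subkey to a reason. Winlogon loads every DllName
    listed here at logon, so a "DLL" in a Temp folder or one not named *.dll (the
    crcab and wdvd entries) deserves a look; system DLLs given by bare name pass."""
    findings = {}
    for path, values in keys.items():
        if not path.lower().startswith(NOTIFY_ROOT.lower() + "\\"):
            continue
        sub = path.rsplit("\\", 1)[1]
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
        low = dll.lower()
        if not dll:
            findings[sub] = "no DllName value"
        elif "\\temp\\" in low:
            findings[sub] = f"DLL loaded from a Temp folder: {dll}"
        elif not low.endswith(".dll"):
            findings[sub] = f"DLL without a .dll extension: {dll}"
    return findings

def deletion_script(subkeys):
    """REGEDIT4 script removing the given subkeys: '-' after '[' deletes the key."""
    body = [f"[-{NOTIFY_ROOT}\\{sub}]" for sub in sorted(subkeys)]
    return "\r\n".join(["REGEDIT4", ""] + body) + "\r\n"

def check_reg_script(data):
    """Return why regedit would refuse these bytes, or None if they look mergeable.
    WordPad's default save writes RTF, which is the error seen in the thread."""
    if data.startswith(b"{\\rtf"):
        return "file is RTF (WordPad's default), not plain text: save it as a Text Document"
    text = data.decode("utf-16") if data[:2] in (b"\xff\xfe", b"\xfe\xff") else data.decode("latin-1")
    first = text.lstrip("\ufeff").split("\n")[0].strip()
    if first not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        return f"first line must be the REGEDIT4 header, found {first!r}"
    return None

if __name__ == "__main__":
    found = audit_notify(parse_regedit4(SAMPLE_NOTIFY_DUMP))
    print(found)
    print(check_reg_script(deletion_script(found).encode("latin-1")) or "fixnotify.reg looks mergeable")
```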

#11 Xanarki

Xanarki
  • Topic Starter

  • Members
  • 22 posts

Posted 30 March 2005 - 01:12 PM

Hmm. I got same results.

What is it you mean by "Run CCleaner"? All I did was double click on the exe.

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 30 March 2005 - 01:36 PM

What do you mean you got the same results? Same results with what?

OT

#13 Xanarki

Xanarki
  • Topic Starter

  • Members
  • 22 posts

Posted 30 March 2005 - 01:44 PM

Same exact HiJack This log...files weren't deleted.

#14 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 30 March 2005 - 03:06 PM

Hi Xan. Ok, let's use the Recovery Console to delete the files. Print these directions off and then proceed with the following steps.

Step #1

Insert the XP Setup compact disc (CD) and restart the computer. If prompted, select any options required to boot from the CD. When the text-based part of Setup begins, follow the prompts; choose the repair or recover option by pressing R. When prompted, type the Administrator password (if you have not set one then it will be blank so just press the Enter key).

Step #2

When you are at the command prompt type cd C:\DOCUME~1\Owner\LOCALS~1\Temp\ and press the Enter key. Look at the prompt and verify that you are in the correct folder.

Now type these commands in order:
attrib -h -s -r bacrc.dat
del bacrc.dat
attrib -h -s -r dvdw.dat
del dvdw.dat

Ok, remove the cd from the drive and type Exit and press the Enter key to reboot your machine. Start HijackThis and perform a new scan. Post your new log file back here using the Add Reply button and I will review it when it comes in.

OT

#15 Xanarki

Xanarki
  • Topic Starter

  • Members
  • 22 posts

Posted 30 March 2005 - 03:27 PM

1 problem...my dad lost the XP Setup Disc. :thumbsup:



