Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

my computer is a mess


  • Please log in to reply
11 replies to this topic

#1 alisonrae00

alisonrae00

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 20 April 2005 - 05:20 PM

Hi. I think that my computer may have a virus or something that i cannot find. It sometimes tells me that the system has crashed, I'm getting porn popups, my homepage is hijacked, the yahoo toolbar was deleted and I can't download again, ...

I have run spybot and avg virus scan.

Logfile of HijackThis v1.99.1
Scan saved at 4:17:41 PM, on 4/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\rpcss_pl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\perfcl.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuactl2.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn7.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp4.exe
O4 - HKLM\..\Run: [PerformCl] C:\WINDOWS\System32\perfcl.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe


Please help.

Also, something strange just happened -- my speakers emitted an airbrush tan commercial. I couldn't figure out where it came from because nothing was on the screen. What's going on?

BC AdBot (Login to Remove)

 


m

#2 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:04:01 AM

Posted 21 April 2005 - 09:54 AM

Hi and welcome to Bleeping. :thumbsup:

You have a nasty one here.


Click Start > Run and type cmd and then OK.
At the cmd prompt, type sc config rpcss depend= "" (note the space between depend= and "").
Press Enter.
Type exit to exit the cmd prompt.


Then reset the HTML About Pluggable Protocol so you can reset your home page.
To do this, please download restore.reg from here to your desktop.
Double-click on restore.reg and confirm you wish to add it's contents to the registry.


Download Killbox from here
* Double click on killbox.exe
* Select Tools > Delete Temp Files and click OK
* In Killbox - put a check next to "Delete on Reboot"
* Copy and paste the following bold filepaths below one at a time into the "Full Path of File To Delete" box.
* Then click the red button with the X after each.
* It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

C:\WINDOWS\System32\msasmsn7.dll
C:\WINDOWS\System32\wauctlxp4.exe
C:\WINDOWS\System32\perfcl.exe
C:\WINDOWS\System32\rpcss_pl.exe



When Kllbox has rebooted your machine, please post a fresh log in this thread by clicking on 'Add Reply' at the bottom of the page.

Edited by John_McKenna, 21 April 2005 - 09:56 AM.

Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#3 alisonrae00

alisonrae00
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 25 April 2005 - 03:59 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:58:57 PM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\WINDOWS\system32\svcnut.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpl.dll/security.htm#subID=MPV;401
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpl.dll/asst.htm
O2 - BHO: (no name) - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn7.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp4.exe
O4 - HKLM\..\Run: [PerformCl] C:\WINDOWS\System32\perfcl.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut.exe home
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} - http://www.20x2p.com/ce616e22/enter.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe (file missing)

#4 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:04:01 AM

Posted 25 April 2005 - 04:31 PM

Please download and install the program Registrar Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under All Programs from your Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\RPCSS+ <--Make sure it has ss+ on the end !!

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section.

Right click on RPCSS+ and delete it.

Close Reg Lite.



Run HJT again and checkmark the boxes next to the following:-

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpl.dll/security.htm#subID=MPV;401
O2 - BHO: (no name) - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn7.dll (file missing)
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp4.exe
O4 - HKLM\..\Run: [PerformCl] C:\WINDOWS\System32\perfcl.exe
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut.exe home
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} - http://www.20x2p.com/ce616e22/enter.cab
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe (file missing)

Close ALL OPEN WINDOWS/BROWSERS and click FIX CHECKED



* Double click on killbox.exe
* Select Tools > Delete Temp Files and click OK
* In Killbox - put a check next to "Delete on Reboot"
* Copy and paste the following filepaths into the "Full Path of File To Delete" box one at a time.

C:\WINDOWS\system32\svcnut.exe
C:\WINDOWS\system32\shdocpl.dll

* Then click the red button with the X after each.
* It will ask you if you want to reboot, click No until after the second has been entered at which time you should click YES and let Killbox restart your machine.


Then post a fresh HJT log please.
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#5 alisonrae00

alisonrae00
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 25 April 2005 - 06:06 PM

I am in registrar lite and have cut, pasted and hit enter. However, I don't see anything that says RPCSS+ to delete.

#6 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:04:01 AM

Posted 25 April 2005 - 08:06 PM

Instead of pasting the the reg key into Reg Lite, please manually navigate to the key instead. I've found it falls short of it's designated target sometimes.
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#7 alisonrae00

alisonrae00
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 26 April 2005 - 04:04 PM

Sorry, I'm not sure what you mean. What is the reg key and where do I find it? I'm not very knowledgeable about the inner workings of my computer.

#8 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:04:01 AM

Posted 26 April 2005 - 05:46 PM

Try this instead.

Click Start > Run and type cmd and then OK.
At the cmd prompt, type sc stop RPCSS+ and press Enter.
Then type sc delete RPCSS+ and press Enter.
Type exit to exit the cmd prompt.


Run HJT again and checkmark the boxes next to the following:-

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpl.dll/security.htm#subID=MPV;401
O2 - BHO: (no name) - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINDOWS\System32\msasmsn7.dll (file missing)
O4 - HKLM\..\Run: [SndPnpMix] C:\WINDOWS\System32\wauctlxp4.exe
O4 - HKLM\..\Run: [PerformCl] C:\WINDOWS\System32\perfcl.exe
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut.exe home
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} - http://www.20x2p.com/ce616e22/enter.cab
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINDOWS\System32\rpcss_pl.exe (file missing)

Close ALL OPEN WINDOWS/BROWSERS and click FIX CHECKED



* Double click on killbox.exe
* Select Tools > Delete Temp Files and click OK
* In Killbox - put a check next to "Delete on Reboot"
* Copy and paste the following filepaths into the "Full Path of File To Delete" box one at a time.

C:\WINDOWS\system32\svcnut.exe
C:\WINDOWS\system32\shdocpl.dll

* Then click the red button with the X after each.
* It will ask you if you want to reboot, click No until after the second has been entered at which time you should click YES and let Killbox restart your machine.


Then post a fresh HJT log please.
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#9 alisonrae00

alisonrae00
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 27 April 2005 - 03:54 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:53:07 PM, on 4/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpl.dll/asst.htm
O2 - BHO: (no name) - {20D11DDC-D533-9EEB-1A37-AB38744DC295} - C:\WINDOWS\System32\kgxl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut.exe home
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

#10 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:04:01 AM

Posted 27 April 2005 - 06:12 PM

Download CWShredder from here.
Close all windows & browsers
Open CWShredder
Click on 'Check for Updates' and download any new reference file.
Now click Fix
Let it fix everything it finds.



Run HJT again and checkmark the boxes next to the following:-

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpl.dll/asst.htm
O2 - BHO: (no name) - {20D11DDC-D533-9EEB-1A37-AB38744DC295} - C:\WINDOWS\System32\kgxl.dll
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut.exe home
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)

Close ALL OPEN WINDOWS/BROWSERS and click FIX CHECKED



Double click on killbox.exe
Select Tools > Delete Temp Files and click OK
In Killbox - put a check next to "Delete on Reboot"
Copy and paste the following filepaths into the "Full Path of File To Delete" box one at a time.

C:\WINDOWS\system32\svcnut.exe
C:\WINDOWS\system32\shdocpl.dll
C:\WINDOWS\System32\kgxl.dll

Then click the red button with the X after each.
It will ask you if you want to reboot, click No until after the second has been entered at which time you should click YES and let Killbox restart your machine.


Then run an online virus scan at the following location:

http://www.kaspersky.com/beta?product=161744315 - Kasperskey

Let me know of anything it found but couldn't remove please.


Then on Internet Explorer, click on Internet Options->Programs->Reset Web Settings button to restore the default homepage and search settings to whatever you prefer.

Reboot and post a fresh log.

Edited by John_McKenna, 27 April 2005 - 06:22 PM.

Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#11 alisonrae00

alisonrae00
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 04 May 2005 - 05:27 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:26:52 PM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {082A782A-EB95-F747-BF1E-CCEE8982E990} - C:\WINDOWS\System32\plhbwuwx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

#12 John_McKenna

John_McKenna

    World Class Hairy Chest


  • Members
  • 497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Liverpool
  • Local time:04:01 AM

Posted 04 May 2005 - 06:27 PM

Download and install Ad-aware SE from here.
Once installed, run the program and in the bottom right hand corner click 'Check For Updates'.
Update Ad-aware following the prompts and then close the program, we will use it later.

Copy these instructions to notepad and then reboot into Safe Mode.


Run HJT again and checkmark the boxes next to the following:-

O2 - BHO: (no name) - {082A782A-EB95-F747-BF1E-CCEE8982E990} - C:\WINDOWS\System32\plhbwuwx.dll

Close ALL OPEN WINDOWS/BROWSERS and click FIX CHECKED



Now open Ad-Aware SE and configure with the following settings:

1. Close ALL windows except Ad-Aware SE.

2. Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window.

3. In the ‘GENERAL’ window make sure the following are selected in green:

*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)


-Under Definitions:
*Prompt to udate outdated definitions - set the number of days

4. Click on the ‘SCANNING’ button on the left and select in green :

-Under Driver, Folders & Files:
*Scan Within Archives

-Under Select drives & folders to scan:
*choose all hard drives

-Under Memory & Registry: (all green)
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URL’s
*Scan my Hosts file


5. Click on the ‘ADVANCED’ button on the left and select in green:

-Under Shell Integration:
*Move deleted files to recycle bin

-Under Logfile Detail Level: (all green)
*include addtional object information
*DESELECT - include negligible objects information
*include environment information


-Under Alternate Data Streams:
*Don't log streams smaller than 0 bytes
*Don't log ADS with the following names: CA_INOCULATEIT


6. Click the ‘TWEAK’ button and select in green:

-Under the ‘Scanning Engine’:
*Unload recognized processes during scanning
*Scan registry for all users instead of current user only


-Under the ‘Cleaning Engine’:
*Let Windows remove files in use at next reboot

-Under the Log Files:
*Include basic Ad-aware SE settings in logfile
*Include additional Ad-aware SE settings in logfile
*Please do not check and make Green: Include Module list in logfile


7. Click on ‘PROCEED’ to save the settings.

8. Click ‘Start’

*Choose: 'Perform Full System Scan'
*DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

9. Click ‘Next’ and Ad-Aware SE will scan your hard drive with the options you have selected and clean automatically.

10. If Ad-Aware SE finds bad entries in the registry or bad files, you will receive a list of what it found in the window. Right click on any of the bad entries and click on 'select all'.

11. Click ‘NEXT’

12. Close Ad-Aware SE.


Then Killbox the following filepath using the same instructions as before. If the "unregister dll before deleting" box is available once you've entered the path, please checkmark it before hitting the delete file button.

C:\WINDOWS\System32\plhbwuwx.dll

Once Killbox has rebooted the machine, please post a fresh HJT log.
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users