
Hijack This Log Check!


14 replies to this topic

#1 Cuti Hana

Posted 02 June 2005 - 02:47 PM

Hi! I'm Hannah, I'm new. I have been having problems with spyware the last few days, which is the first time in about a year. As you probably know, it has been very frustrating because I had HORRIBLE problems with spyware last year, and to have to be dealing with it again after such a long time is such a pain! :thumbsup: . My computer is my life; I hardly let anyone touch it, even if I'm in the room! I'm frequently deleting files I don't think I need to keep my space free and my computer running fast (I have 75% free space). Anyway, now that you know how crazy about my computer I am, let me tell you what's going on.

A few days ago I had this system pop-up that said "iau.exe has encountered a problem and needs to close". I hit okay... it kept showing up. So I asked my friend online who is a computer expert, and he helped me download Adaware SE, Spybot S&D, Spybot Blaster, and CWShredder ((or something close to that)). He led me through a step-by-step process to get rid of the spyware, by going into safe mode, running the applications 3 times, etc. And I did a HijackThis log and he told me to delete Issas.exe, iau.exe, svshost.exe, msqdevl.exe, mservice.exe, and I believe that is all. I killed them in HijackThis and I even went into safe mode and deleted them by hand from the system folder. I scanned my system again and it was great, except for this "DSO Exploit" that won't go away.

ANYWAY, yesterday I encountered a similar, but more severe, problem with spyware. All of a sudden my desktop changed to "Warning! Your computer is infected! Click here, bla bla bla". And I saw that new applications had been downloaded because I saw their shortcuts on my desktop (I keep very few things on my desktop, so they were easy to spot). I deleted the shortcuts in a panic, went to the Control Panel, and uninstalled AntiVirus Gold, Virus Maid, and two or three other "self-downloaded" pieces of bleep.

I looked under Applications in the Task Manager, which my friend told me to do the other time I had problems, so I figured I would do the same here; there were A LOT more applications running this time than last time, so normally, I panicked. I remembered what he told me about running the computer in safe mode, so I did that again, ran Adaware and Spybot, and my other previous application, Spy Hunter. I deleted everything from those reports, and decided to reboot in safe mode again. It probably was not the best idea, but it was after midnight, and I'm at boarding school, and after 12 the internet is cut off ((horrible, I know)). So I couldn't look online for step-by-step help, and I could NOT sleep knowing this bleep was infesting my poor computer :flowers: . SO, I took it upon myself to go into the System32 folder and delete all the .exe programs I did not recognize, some of which were wtisa.dll, bsw.exe, popuper.exe, intmonp.exe, msole32.exe, intmon.exe, spoolsrv32.exe, wuauclt.exe (I don't think this was in the system folder), and crss.exe. There were a few others, but I don't remember them. The pop-ups were gone, my Internet Explorer returned to its normal homepage, and everything felt fine except my background, but that would have to wait till morning.

The next day, which would be today ;), I looked up something close to "warning! your computer is infected..background" and I was redirected to one of your logs. As I was reading the instructions, I freaked out because someone had a similar problem to mine, and one of the warnings in the instructions was "WARNING DO THESE ORDER". Some of the tasks were similar to what I did, but I didn't do them in any order! Could I have hurt my computer? Anyway, I downloaded some program and restored my computer background, so everything appears fine, but I'm not entirely sure. I'm going to include a HijackThis log report just to see if I'm clean. As you will notice, some files will say "file missing", which I think is because I must have accidentally deleted some important stuff :trumpet:. I don't really know what to do about that. Anyway, I wanted to give you the FULL background of my problem so you would know everything that I have done to help/hurt my computer, lol!

Logfile of HijackThis v1.99.1
Scan saved at 3:23:10 PM, on 6/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesearches.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {3DC90A30-CE01-44AB-B415-DE2233DAB600} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3DC90A30-CE01-44AB-B415-DE2233DAB600} - (no file) (HKCU)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)

Any advice, I would love to know...thank you!



#2 Grinler (Lawrence Abrams, Admin)

Posted 02 June 2005 - 06:24 PM

Download this program:

submit files packer

Highlight the files listed below in bold, then right-click and select Copy.


C:\WINDOWS\System32\hookdump.exe


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.

#3 Cuti Hana (Topic Starter)

Posted 02 June 2005 - 07:04 PM

Hi! And thank you so much. I submitted the file "cutihana.cab" to the malware site. What does this do, though?

#4 Grinler (Lawrence Abrams, Admin)

Posted 02 June 2005 - 07:23 PM

I wanted a sample of that file so I can see what it does.


Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesearches.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O9 - Extra button: Microsoft AntiSpyware helper - {3DC90A30-CE01-44AB-B415-DE2233DAB600} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3DC90A30-CE01-44AB-B415-DE2233DAB600} - (no file) (HKCU)

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)
C:\WINDOWS\System32\msmsgs.exe
C:\Program Files\Security iGuard\
C:\WINDOWS\System32\hookdump.exe

Reboot your computer to go back to normal mode and post a new log.

#5 Cuti Hana (Topic Starter)

Posted 02 June 2005 - 07:46 PM

Hi! Thank you. Here is my new log

Logfile of HijackThis v1.99.1
Scan saved at 8:42:07 PM, on 6/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\Hannah\Application Data\Mozilla\Profiles\default\25fxr1hq.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe -z
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)


By the way, can I delete the cutihana.cab on my desktop? Or move it? Or do I need to keep it there?

Thanks again for your help! Greatly appreciated! :thumbsup:
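
The practical way to confirm that a fix list like the one in reply #4 actually took is to diff the before and after logs rather than read 80 lines twice. The script below is an added example for this thread, not a HijackThis or BleepingComputer tool. It parses the HijackThis v1.99 log layout (the "Running processes:" block, then the Rn/On entry lines), reports which entries and processes disappeared or appeared between two scans, and applies a few review heuristics of my own: an IE search or start page pointing at a host outside a small expected list, IE proxied through a loopback port, a per-user Run entry launching a binary out of System32, and entries whose file is gone. The two log excerpts are trimmed from the logs posted in this thread; the EXPECTED_HOSTS allowlist and the severity labels are assumptions.

```python
"""Diff two HijackThis v1.99 logs and flag entries worth a second look.
Added example for this thread, not HijackThis or BleepingComputer code; the log
excerpts are trimmed from the thread, the host allowlist is an assumption."""
import re
from urllib.parse import urlparse

# One entry line: a type code (R0, O4, O23 ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://[^\s\"')]+")
# Assumption: hosts an IE search/start page may legitimately point at.
EXPECTED_HOSTS = {"www.microsoft.com", "home.microsoft.com", "www.msn.com",
                  "search.msn.com", "go.microsoft.com", "www.google.com"}

BEFORE = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesearches.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O9 - Extra button: Microsoft AntiSpyware helper - {3DC90A30-CE01-44AB-B415-DE2233DAB600} - (no file) (HKCU)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)"""

AFTER = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)"""


def parse_hjt(text):
    """Return (processes, entries): paths under 'Running processes:' up to the
    next blank line, and (code, body) tuples for every entry line."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return processes, entries


def diff_logs(before_text, after_text):
    """What disappeared and what appeared between two scans."""
    p1, e1 = parse_hjt(before_text)
    p2, e2 = parse_hjt(after_text)
    s1 = {f"{c} - {b}" for c, b in e1}
    s2 = {f"{c} - {b}" for c, b in e2}
    return {"entries_removed": sorted(s1 - s2), "entries_added": sorted(s2 - s1),
            "processes_gone": sorted(set(p1) - set(p2)),
            "processes_new": sorted(set(p2) - set(p1))}


def review(entries):
    """Heuristics (my own, not HijackThis's): (severity, reason, entry) triples."""
    findings = []
    for code, body in entries:
        entry = f"{code} - {body}"
        if code in ("R0", "R1") and "ProxyServer" in body:
            # Loopback proxies are used by local filtering tools and by adware alike.
            if "127.0.0.1" in body or "localhost" in body.lower():
                findings.append(("review", "IE proxied through a loopback port", entry))
            continue
        if code in ("R0", "R1"):
            for url in URL_RE.findall(body):
                host = urlparse(url).hostname
                if host and host not in EXPECTED_HOSTS:
                    findings.append(("high", f"IE search/start setting points at {host}", entry))
                    break
        if code == "O4" and body.upper().startswith("HKCU") and "\\system32\\" in body.lower():
            # Assumption: legitimate software autostarting from System32 registers under HKLM.
            findings.append(("review", "per-user Run entry launching a System32 binary", entry))
        if "(no file)" in body or "(file missing)" in body:
            findings.append(("low", "entry points at a file that no longer exists", entry))
    return findings


if __name__ == "__main__":
    for section, items in diff_logs(BEFORE, AFTER).items():
        print(section, *items, sep="\n    ")
    for sev, why, entry in review(parse_hjt(BEFORE)[1]):
        print(f"[{sev}] {why}: {entry}")
```

Run as-is and it prints the diff for the two excerpts (five entries and one process gone, one entry and one process new) plus the findings for the first log. The loopback proxy is deliberately only marked for review: a local pop-up or ad filtering proxy looks exactly like this, the entry survives the cleanup in this thread, and the moderator still calls the log clean, so check which process listens on the port before touching it. The new R3 line that shows up after a fix is also worth reading rather than skipping, since it is HijackThis telling you a default setting is now absent.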

#6 Grinler (Lawrence Abrams, Admin)

Posted 02 June 2005 - 08:52 PM

Yes you can delete that file. Looks good to me...do you still have problems?

#7 Cuti Hana (Topic Starter)

Posted 02 June 2005 - 08:55 PM

Nope, everything seems to be running smoothly... I just wanted to clean up some of the stuff I couldn't "see". One other thing though... Spybot S&D keeps picking up "DSO Exploit". Do you know what this is? Or is it potentially harmless? Again, thank you so much for your help, you were very speedy and very efficient!

#8 Grinler (Lawrence Abrams, Admin)

Posted 03 June 2005 - 09:14 AM

More info about DSO exploits can be found here:

http://www.bleepingcomputer.com/forums/DSO...oits-t1190.html

Your log is clean! Great job!

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files kept in a restore point.

You can find instructions on how to disable and re-enable System Restore here:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

Re-enable System Restore with the instructions from the tutorial above.


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

#9 Cuti Hana (Topic Starter)

Posted 03 June 2005 - 10:14 AM

I'm scared to do the system restore because I don't want to lose any of my data!!! :thumbsup:

#10 Grinler (Lawrence Abrams, Admin)

Posted 03 June 2005 - 10:21 AM

You should do it because there may be infected files stored there. If you do a restore from that point it may infect you again. Turning it off and on won't erase any of your data. It will just clear the restore points, which will start being made every day again, but this time from a clean system.

#11 Cuti Hana (Topic Starter)

Posted 03 June 2005 - 10:26 AM

OK... so I just uncheck System Restore, then recheck it right away?

#12 Cuti Hana (Topic Starter)

Posted 03 June 2005 - 10:31 AM

Another thing, I went to go uncheck System Restore and it's not even on in the first place... what should I do?

#13 Cuti Hana (Topic Starter)

Posted 03 June 2005 - 10:32 AM

NEVER MIND... it was, haha, sorry.

#14 Grinler (Lawrence Abrams, Admin)

Posted 03 June 2005 - 10:37 AM

Just uncheck it... press OK.

Reboot, check it... press OK.

Reboot again.

#15 Cuti Hana (Topic Starter)

Posted 03 June 2005 - 10:48 AM

Alritey... everything looks good! One thing though, there is one file in Temp that I cannot delete, so I went into safe mode, like you said, but the Start bar is so big that Run doesn't show up! It stops at, I think, Control Panel, and Start is about 3 or 4 icons down from that... any ideas?



