

res://C:WINDOWS\system32


17 replies to this topic

#1 sllancaster31


Posted 30 July 2005 - 01:29 AM

My home page keeps going to this URL and I'm getting a million pop-ups and can't do anything. Can you please help? This is the virus.

res://C:WINDOWS\System32\shdoclc.dll/navcancl.htm

Here is my hijack log. I would love anyone who could help with this sometime tonight. Thank you so much. Please help me; my mom said she would get me a cell phone if I could fix it.


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\TASKMGRU.EXE
C:\WINDOWS\System32\MSIMN32.EXE
C:\WINDOWS\System32\TASKMGRU.EXE
C:\WINDOWS\System32\MSIMN32.EXE
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\win32res.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Maria\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5DAD4A83-AA14-8CEC-4B3D-AD38073D92C2} - C:\WINDOWS\System32\jejt.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: (no name) - {9832A2FE-91D7-4CBB-880B-704A6CB40D3A} - C:\WINDOWS\System32\kfml.dll (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [Win32res] C:\WINDOWS\win32res.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {0EA140F1-3B6A-4127-9384-239B999D82DA} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0EA140F1-3B6A-4127-9384-239B999D82DA} - (no file) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:\foo.mht!http://t058.com/e4922587/x.chm::/open.exe
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://ww2.ez-tracks.com/downloader/cab/in...itial/eztdl.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0015.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe


#2 OldTimer

    Malware Expert

Posted 30 July 2005 - 03:33 PM

Hello sllancaster31 and welcome to the BC malware forum. It appears that we are missing some information from the log. We need a complete HijackThis (HJT) log file to be able to analyze what is happening on your computer. If you do not have a copy of HijackThis or do not have the latest version (1.99.1) then download it from here: HijackThis_sfx.exe
Double-click on the file you just downloaded and click on the UnZip button to install the program. It will be installed to the C:\Program Files\HijackThis\ folder by default.

Boot normally, start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis, and click the Add Reply button.

I will review your log when it comes in.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL I CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

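As an added example (not HijackThis code and not one of the tools OldTimer links), here is a small Python triage script that checks a pasted HJT log for the header OldTimer asks for and flags the kinds of entries that recur in this thread's logs. The flagging rules and the Winlogon Notify allow-list are this example's own assumptions, and the sample lines are copied from the first, headerless log posted above.

```python
"""Triage helper for pasted HijackThis v1.99.1 logs (added example, not HijackThis code).
Flagging rules and allow-lists are this example's assumptions: a hit means "look closer"."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ENTRY_RE = re.compile(r"^(?P<kind>[RFON]\d+) - (?P<body>.+)$")
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
# Assumption: autostart names from this thread that imitate Windows binaries
# (the genuine files are taskmgr.exe and msimn.exe).
SUSPECT_RUN_NAMES = {"taskmgru.exe", "msimn32.exe", "win32res.exe", "spgi_32.exe"}
# Assumption: short allow-list of Winlogon Notify packages that ship with XP SP1.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

@dataclass
class Finding:
    kind: str    # HJT section, e.g. "O4"
    scope: str   # "HKCU" (one user profile), "HKLM" (whole machine) or "-"
    reason: str
    line: str

@dataclass
class Report:
    complete: bool            # version header and "Running processes:" present
    version: Optional[str]
    findings: List[Finding] = field(default_factory=list)

    def per_user(self) -> List[Finding]:
        """HKCU entries live in one account's profile, so a log taken while
        logged on as a different user will not show them."""
        return [f for f in self.findings if f.scope == "HKCU"]

def check_entry(kind: str, body: str) -> Optional[str]:
    """Return why an entry deserves a closer look, or None if nothing stands out."""
    value = body.split(" = ", 1)[1].strip() if " = " in body else ""
    if kind in ("R0", "R1"):
        if IP_URL_RE.match(value):
            return "IE start/search page points at a bare IP address"
        if value.lower().startswith("res://") and "temp" in value.lower():
            return "IE page served from a DLL in a Temp folder"
    elif kind in ("O2", "O3", "O9"):
        if "(file missing)" in body or "(no file)" in body:
            return "orphaned entry: registered component is no longer on disk"
    elif kind == "O4":
        m = re.search(r'([A-Za-z]:\\[^"]*?\.exe)', body, re.IGNORECASE)
        if m:
            folder, _, name = m.group(1).rpartition("\\")
            if name.lower() in SUSPECT_RUN_NAMES:
                return "autostart executable name imitates a Windows binary"
            if folder.lower() == "c:\\windows":
                return "autostart executable sits directly in the Windows folder"
    elif kind == "O15":
        return "IP range added to IE's Trusted sites zone"
    elif kind == "O16":
        url = body.split(" - ")[-1].strip().lower()
        if not url.startswith(("http://", "https://")):
            return "ActiveX download (DPF) uses a non-HTTP scheme"
        if url.endswith(".exe"):
            return "ActiveX download (DPF) points straight at an executable"
    elif kind == "O20":
        m = re.match(r"Winlogon Notify: (\S+) - ", body)
        if m and m.group(1).lower() not in KNOWN_NOTIFY:
            return "unknown Winlogon Notify package (DLL loaded into winlogon.exe)"
    return None

def triage(log: str) -> Report:
    """Check a pasted log for completeness, then flag entries section by section."""
    lines = [ln.rstrip() for ln in log.splitlines()]
    version = None
    for ln in lines:
        m = re.match(r"Logfile of HijackThis v([\d.]+)", ln)
        if m:
            version = m.group(1)
    complete = version is not None and "Running processes:" in lines
    report = Report(complete=complete, version=version)
    for ln in lines:
        m = ENTRY_RE.match(ln)
        if m and (reason := check_entry(m["kind"], m["body"])):
            body = m["body"]
            scope = body[:4] if body.startswith(("HKCU", "HKLM")) else "-"
            report.findings.append(Finding(m["kind"], scope, reason, ln))
    return report

# Constructed input: entries copied from the first, headerless log posted above.
SAMPLE_FIRST_LOG = r"""Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
O2 - BHO: (no name) - {9832A2FE-91D7-4CBB-880B-704A6CB40D3A} - C:\WINDOWS\System32\kfml.dll (file missing)
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:\foo.mht!http://t058.com/e4922587/x.chm::/open.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
"""
```

Running `triage(SAMPLE_FIRST_LOG)` reports the log as incomplete (no version header) and returns six findings, two of them HKCU entries that only show up in the profile of the account that was logged on.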

#3 sllancaster31

  • Topic Starter

Posted 30 July 2005 - 03:58 PM

Thanks so much for getting back to me. Another thing that happens is it will start to block every webpage I go to, starting with res:\\http.blockpage, something close to that. My desktop says this as well: A fatal error has occurred. Error was caused by trojan-spy.html.smithfraud.c

Thanks again.


Logfile of HijackThis v1.99.1
Scan saved at 1:53:41 PM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\TASKMGRU.EXE
C:\WINDOWS\System32\MSIMN32.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\update\update.exe
C:\WINDOWS\spgi_32.exe
C:\WINDOWS\win32res.exe
C:\Program Files\PC Doc Pro\pcdocpro.exe
C:\Program Files\PC Doc Pro\pcdocpro.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Rocky\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5DAD4A83-AA14-8CEC-4B3D-AD38073D92C2} - C:\WINDOWS\System32\jejt.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: (no name) - {9832A2FE-91D7-4CBB-880B-704A6CB40D3A} - C:\WINDOWS\System32\kfml.dll (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O4 - HKCU\..\Run: [Win32res] C:\WINDOWS\win32res.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm108YYUS
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O13 - WWW. Prefix: http://
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

#4 OldTimer

    Malware Expert

Posted 30 July 2005 - 05:09 PM

Hi sllancaster31. Thanks for the new log. I see we have a couple of different infections going on here. Let's start out with this.

Please perform the following steps:
  • Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).
  • Download SpSeHjfix.zip and unzip it to its own folder. Do not run it yet.
  • Download CleanUp! and install it. Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.
  • Start in Safe Mode Using the F8 method:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.
  • Disconnect from the net and Close ALL OPEN PROGRAMS.
  • Run SpSeHjfix and click on Start Disinfection.
    When it's finished it will reboot your machine to finish the cleaning process.
    The tool creates a log of the fix which will appear in the folder that SpSeHjfix is located in.
  • Now run CWShredder and click on the Fix -> button.
  • Reboot and repeat the above process.
Now download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder), the log from SpSeHjfix and a new HijackThis log back here so I can review it.

Cheers.

OT

#5 sllancaster31

  • Topic Starter

Posted 30 July 2005 - 10:02 PM

Ok, so I have done everything you asked me to do. The CWShredder found no problems. The spSeHjfix.zip said "not infected." The WinPFind.zip said this.



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

It wouldn't let me do anything else.

SpSeHjfix log:



(7/30/05 7:31:47 PM) SPSeHjFix started v1.1.2
(7/30/05 7:31:47 PM) OS: WinXP Service Pack 1 (5.1.2600)
(7/30/05 7:31:47 PM) Language: english
(7/30/05 7:31:47 PM) Win-Path: C:\WINDOWS
(7/30/05 7:31:47 PM) System-Path: C:\WINDOWS\System32
(7/30/05 7:31:47 PM) Temp-Path: C:\DOCUME~1\Maria\LOCALS~1\Temp\
(7/30/05 7:31:48 PM) Disinfection started
(7/30/05 7:31:48 PM) Bad-Dll(IEP): (not found)
(7/30/05 7:31:48 PM) Bad-Dll(IEP) in BHO: (not found)
(7/30/05 7:31:48 PM) UBF: 7 - UBB: 5 - UBR: 3
(7/30/05 7:31:49 PM) UBF: 7 - UBB: 5 - UBR: 3
(7/30/05 7:31:49 PM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, SearchAssistant:
(7/30/05 7:31:49 PM) Stealth-String not found
(7/30/05 7:31:49 PM) Not infected->END


(7/30/05 7:32:12 PM) SPSeHjFix started v1.1.2
(7/30/05 7:32:12 PM) OS: WinXP Service Pack 1 (5.1.2600)
(7/30/05 7:32:12 PM) Language: english
(7/30/05 7:32:12 PM) Win-Path: C:\WINDOWS
(7/30/05 7:32:12 PM) System-Path: C:\WINDOWS\System32
(7/30/05 7:32:12 PM) Temp-Path: C:\DOCUME~1\Maria\LOCALS~1\Temp\
(7/30/05 7:32:17 PM) Disinfection started
(7/30/05 7:32:17 PM) Bad-Dll(IEP): (not found)
(7/30/05 7:32:17 PM) Bad-Dll(IEP) in BHO: (not found)
(7/30/05 7:32:17 PM) UBF: 7 - UBB: 5 - UBR: 3
(7/30/05 7:32:17 PM) UBF: 7 - UBB: 5 - UBR: 3
(7/30/05 7:32:17 PM) Bad IE-pages: (none)
(7/30/05 7:32:17 PM) Stealth-String not found
(7/30/05 7:32:17 PM) Not infected->END


(7/30/05 7:32:28 PM) SPSeHjFix started v1.1.2
(7/30/05 7:32:28 PM) OS: WinXP Service Pack 1 (5.1.2600)
(7/30/05 7:32:28 PM) Language: english
(7/30/05 7:32:28 PM) Win-Path: C:\WINDOWS
(7/30/05 7:32:28 PM) System-Path: C:\WINDOWS\System32
(7/30/05 7:32:28 PM) Temp-Path: C:\DOCUME~1\Maria\LOCALS~1\Temp\
(7/30/05 7:32:28 PM) Disinfection started
(7/30/05 7:32:28 PM) Bad-Dll(IEP): (not found)
(7/30/05 7:32:28 PM) Bad-Dll(IEP) in BHO: (not found)
(7/30/05 7:32:28 PM) UBF: 7 - UBB: 5 - UBR: 3
(7/30/05 7:32:28 PM) UBF: 7 - UBB: 5 - UBR: 3
(7/30/05 7:32:28 PM) Bad IE-pages: (none)
(7/30/05 7:32:28 PM) Stealth-String not found
(7/30/05 7:32:28 PM) Not infected->END


(7/30/05 7:43:22 PM) SPSeHjFix started v1.1.2
(7/30/05 7:43:22 PM) OS: WinXP Service Pack 1 (5.1.2600)
(7/30/05 7:43:22 PM) Language: english
(7/30/05 7:43:22 PM) Win-Path: C:\WINDOWS
(7/30/05 7:43:22 PM) System-Path: C:\WINDOWS\System32
(7/30/05 7:43:22 PM) Temp-Path: C:\DOCUME~1\Maria\LOCALS~1\Temp\
(7/30/05 7:43:23 PM) Disinfection started
(7/30/05 7:43:23 PM) Bad-Dll(IEP): (not found)
(7/30/05 7:43:23 PM) Bad-Dll(IEP) in BHO: (not found)
(7/30/05 7:43:23 PM) UBF: 7 - UBB: 5 - UBR: 3
(7/30/05 7:43:23 PM) UBF: 7 - UBB: 5 - UBR: 3
(7/30/05 7:43:23 PM) Bad IE-pages: (none)
(7/30/05 7:43:23 PM) Stealth-String not found
(7/30/05 7:43:23 PM) Not infected->END


(7/30/05 7:49:04 PM) SPSeHjFix started v1.1.2
(7/30/05 7:49:04 PM) OS: WinXP Service Pack 1 (5.1.2600)
(7/30/05 7:49:04 PM) Language: english
(7/30/05 7:49:04 PM) Win-Path: C:\WINDOWS
(7/30/05 7:49:04 PM) System-Path: C:\WINDOWS\System32
(7/30/05 7:49:04 PM) Temp-Path: C:\DOCUME~1\Maria\LOCALS~1\Temp\
(7/30/05 7:49:05 PM) Disinfection started
(7/30/05 7:49:05 PM) Bad-Dll(IEP): (not found)
(7/30/05 7:49:05 PM) Bad-Dll(IEP) in BHO: (not found)
(7/30/05 7:49:05 PM) UBF: 7 - UBB: 5 - UBR: 3
(7/30/05 7:49:05 PM) UBF: 7 - UBB: 5 - UBR: 3
(7/30/05 7:49:05 PM) Bad IE-pages: (none)
(7/30/05 7:49:05 PM) Stealth-String not found
(7/30/05 7:49:05 PM) Not infected->END


(7/30/05 7:59:13 PM) SPSeHjFix started v1.1.2
(7/30/05 7:59:13 PM) OS: WinXP Service Pack 1 (5.1.2600)
(7/30/05 7:59:13 PM) Language: english
(7/30/05 7:59:13 PM) Win-Path: C:\WINDOWS
(7/30/05 7:59:13 PM) System-Path: C:\WINDOWS\System32
(7/30/05 7:59:13 PM) Temp-Path: C:\DOCUME~1\Maria\LOCALS~1\Temp\
(7/30/05 7:59:14 PM) Disinfection started
(7/30/05 7:59:14 PM) Bad-Dll(IEP): (not found)
(7/30/05 7:59:14 PM) Bad-Dll(IEP) in BHO: (not found)
(7/30/05 7:59:14 PM) UBF: 7 - UBB: 5 - UBR: 3
(7/30/05 7:59:14 PM) UBF: 7 - UBB: 5 - UBR: 3
(7/30/05 7:59:14 PM) Bad IE-pages: (none)
(7/30/05 7:59:14 PM) Stealth-String not found
(7/30/05 7:59:14 PM) Not infected->END



Here is the new hijack log. Thanks again OT. You rule for helping me.


Logfile of HijackThis v1.99.1
Scan saved at 8:00:12 PM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Maria\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5DAD4A83-AA14-8CEC-4B3D-AD38073D92C2} - C:\WINDOWS\System32\jejt.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: (no name) - {9832A2FE-91D7-4CBB-880B-704A6CB40D3A} - C:\WINDOWS\System32\kfml.dll (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O13 - WWW. Prefix: http://
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

#6 OldTimer

    Malware Expert

Posted 31 July 2005 - 01:06 AM

Hi sllancaster31. Are there multiple user accounts on this machine? The original post was under an account named Rocky and the latest is under an account named Maria. The original post showed the infection that the spSeHjfix would have taken care of.

If that is the case then logon under the Rocky account and rerun the fix above and only use that account until we have it cleaned up. Then we will deal with the other account.

Cheers.

OT

#7 sllancaster31

  • Topic Starter

Posted 31 July 2005 - 05:43 PM

Hey OldTimer, if I got rid of my different accounts would it make things easier for me, and if so how do I do that? I'm not really a noob, it would just be easier if you told me. Here is my new hijack log. I tried once again to run SpSeHjfix on the Rocky account and it once again said not infected. I have PayPal; if you can help me get through this by Monday night I will hook you up pretty fat. One more question: is the HijackThis different on each account? Thanks OT


Logfile of HijackThis v1.99.1
Scan saved at 3:41:01 PM, on 7/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Maria\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O2 - BHO: (no name) - {5DAD4A83-AA14-8CEC-4B3D-AD38073D92C2} - C:\WINDOWS\System32\jejt.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: (no name) - {9832A2FE-91D7-4CBB-880B-704A6CB40D3A} - C:\WINDOWS\System32\kfml.dll (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

#8 sllancaster31

sllancaster31
  • Topic Starter

  • Members
  • 15 posts

Posted 31 July 2005 - 06:41 PM

OK, I deleted all other accounts and files on my comp. The only account left is Rocky. I know we're making progress 'cause I can now change my desktop background and do a few other things. I'm still getting pop-ups saying your comp is still infected. And they are like mean pop-ups, like it's still happy and laughing that it's still in my comp. I'm hoping now things will be easier to manage now that I have only one account. Here is my newest HijackThis log. Every time I restart it goes back to the trojan-virus homepage still.

--------->res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm

I'm still also getting a 16-bit MS-DOS Subsystem error; it says

"C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC>NT . The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application." <------ Very annoying.


I'm going to re-download the files you told me to run: CWShredder, SPSeHjFix, Cleanup and WinPFind.zip. OK, thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 4:32:17 PM, on 7/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\TASKMGRU.EXE
C:\WINDOWS\System32\MSIMN32.EXE
C:\WINDOWS\win32res.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\update\update.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rocky\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O2 - BHO: (no name) - {5DAD4A83-AA14-8CEC-4B3D-AD38073D92C2} - C:\WINDOWS\System32\jejt.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: (no name) - {9832A2FE-91D7-4CBB-880B-704A6CB40D3A} - C:\WINDOWS\System32\kfml.dll (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O4 - HKCU\..\Run: [Win32res] C:\WINDOWS\win32res.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

#9 sllancaster31

sllancaster31
  • Topic Starter

  • Members
  • 15 posts

Posted 31 July 2005 - 08:58 PM

Here are my other txt files...

(7/31/05 4:52:56 PM) SPSeHjFix started v1.1.2
(7/31/05 4:52:56 PM) OS: WinXP Service Pack 1 (5.1.2600)
(7/31/05 4:52:56 PM) Language: english
(7/31/05 4:52:56 PM) Win-Path: C:\WINDOWS
(7/31/05 4:52:56 PM) System-Path: C:\WINDOWS\System32
(7/31/05 4:52:56 PM) Temp-Path: C:\DOCUME~1\Rocky\LOCALS~1\Temp\
(7/31/05 4:52:57 PM) Disinfection started
(7/31/05 4:52:57 PM) Bad-Dll(IEP): (not found)
(7/31/05 4:52:57 PM) Bad-Dll(IEP) in BHO: (not found)
(7/31/05 4:53:06 PM) UBF: 7 - UBB: 3 - UBR: 5
(7/31/05 4:53:16 PM) UBF: 7 - UBB: 3 - UBR: 5
(7/31/05 4:53:16 PM) Bad IE-pages: (none)
(7/31/05 4:53:16 PM) Stealth-String not found
(7/31/05 4:53:16 PM) Not infected->END


(7/31/05 4:53:21 PM) SPSeHjFix started v1.1.2
(7/31/05 4:53:21 PM) OS: WinXP Service Pack 1 (5.1.2600)
(7/31/05 4:53:21 PM) Language: english
(7/31/05 4:53:21 PM) Win-Path: C:\WINDOWS
(7/31/05 4:53:21 PM) System-Path: C:\WINDOWS\System32
(7/31/05 4:53:21 PM) Temp-Path: C:\DOCUME~1\Rocky\LOCALS~1\Temp\
(7/31/05 4:53:22 PM) Disinfection started
(7/31/05 4:53:22 PM) Bad-Dll(IEP): (not found)
(7/31/05 4:53:22 PM) Bad-Dll(IEP) in BHO: (not found)
(7/31/05 4:53:31 PM) UBF: 7 - UBB: 3 - UBR: 5
(7/31/05 4:53:41 PM) UBF: 7 - UBB: 3 - UBR: 5
(7/31/05 4:53:41 PM) Bad IE-pages: (none)
(7/31/05 4:53:41 PM) Stealth-String not found
(7/31/05 4:53:41 PM) Not infected->END


(7/31/05 4:57:52 PM) SPSeHjFix started v1.1.2
(7/31/05 4:57:52 PM) OS: WinXP Service Pack 1 (5.1.2600)
(7/31/05 4:57:52 PM) Language: english
(7/31/05 4:57:52 PM) Win-Path: C:\WINDOWS
(7/31/05 4:57:52 PM) System-Path: C:\WINDOWS\System32
(7/31/05 4:57:52 PM) Temp-Path: C:\DOCUME~1\Rocky\LOCALS~1\Temp\
(7/31/05 4:57:53 PM) Disinfection started
(7/31/05 4:57:53 PM) Bad-Dll(IEP): (not found)
(7/31/05 4:57:53 PM) Bad-Dll(IEP) in BHO: (not found)
(7/31/05 4:58:02 PM) UBF: 7 - UBB: 3 - UBR: 5
(7/31/05 4:58:12 PM) UBF: 7 - UBB: 3 - UBR: 5
(7/31/05 4:58:12 PM) Bad IE-pages: (none)
(7/31/05 4:58:12 PM) Stealth-String not found
(7/31/05 4:58:12 PM) Not infected->END

Sophos Anti-Virus
Version 3.93.0 [Win32/Intel]
Virus data version 3.93, May 2005
Includes detection for 103269 viruses, trojans and worms
Copyright © 1989-2005 Sophos Plc, www.sophos.com

System time 11:11:41, System date 05 May 2005
Command line qualifiers are: -remove

Quick Scanning

Password protected file C:\Documents and Settings\Maria\Application Data\Adobe\Acrobat\6.0\Messages\ENU\read0600win_ENUadbe0040.pdf
Password protected file C:\Documents and Settings\Maria\Application Data\Adobe\Acrobat\6.0\Messages\ENU\read0600win_ENUyhoo0010.pdf
>>> Virus 'Troj/SecondT-AA' found in file C:\Documents and Settings\Maria\Local Settings\Temp\HLInstaller3.exe
Proceed with removal of C:\Documents and Settings\Maria\Local Settings\Temp\HLInstaller3.exe ([Y]es/[N]o/[A]ll) ? All
Removal successful
>>> Virus 'Troj/BettInet-A' found in file C:\Documents and Settings\Rocky\Local Settings\Temp\DrTemp\bho_prob.exe
Removal successful
>>> Virus 'Troj/StartPa-FN' found in file C:\Documents and Settings\Rocky\Local Settings\Temp\se.dll
Removal successful
>>> Virus 'Troj/Sandbox-A' found in file C:\MemoryWatcher_b.exe
Removal successful
Password protected file C:\Program Files\Adobe\Acrobat 6.0\Reader\Messages\ENU\RdrMsgENU.pdf
>>> Virus 'Troj/BettInet-A' found in file C:\Program Files\EZ-Tracks\thin.exe
Removal successful
>>> Virus 'Dial/Conc-A' found in file C:\RECYCLER\NPROTECT\02445652.exe
Removal successful
>>> Virus 'Troj/StartPa-FK' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP453\A0177595.exe
Removal successful
>>> Virus 'Troj/StartPa-FK' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP453\A0177643.exe
Removal successful
>>> Virus 'Troj/Dloader-KL' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP453\A0181121.exe
Removal successful
>>> Virus 'Troj/Dloader-DN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP455\A0184076.exe
Removal successful
>>> Virus 'Troj/Dloader-DN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP455\A0185075.exe
Removal successful
>>> Virus 'Troj/Dloader-KM' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP455\A0185083.exe
Removal successful
>>> Virus 'Troj/Dloader-DN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP456\A0185122.exe
Removal successful
>>> Virus 'Troj/Dloader-DN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP456\A0186104.exe
Removal successful
>>> Virus 'Troj/Dloader-KM' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP457\A0190108.exe
Removal successful
>>> Virus 'Troj/Dloader-DN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP460\A0195179.exe
Removal successful
>>> Virus 'Troj/MemWatch-B' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP460\A0195194.exe
Removal successful
>>> Virus 'Troj/MemWatch-B' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP460\A0195196.exe
Removal successful
>>> Virus 'Troj/MemWatch-B' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP460\A0195197.exe
Removal successful
>>> Virus 'Troj/MemWatch-B' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP460\A0195210.exe
Removal successful
>>> Virus 'Troj/MemWatch-B' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP460\A0195211.exe
Removal successful
>>> Virus 'Troj/MemWatch-B' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP460\A0195215.exe
Removal successful
>>> Virus 'Troj/Dloader-KM' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP460\A0195220.exe
Removal successful
>>> Virus 'Troj/MemWatch-B' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP460\A0195221.exe
Removal successful
>>> Virus 'Troj/MemWatch-B' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP460\A0195223.exe
Removal successful
>>> Virus 'Troj/MemWatch-B' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP460\A0195225.exe
Removal successful
>>> Virus 'Troj/CWS-C' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP460\A0196147.dll
Removal successful
>>> Virus 'Troj/CWS-C' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP462\A0199143.dll
Removal successful
>>> Virus 'Troj/CWS-C' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP464\A0202243.dll
Removal successful
>>> Virus 'Troj/CWS-C' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP466\A0204367.dll
Removal successful
>>> Virus 'Troj/CWS-C' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP468\A0206412.dll
Removal successful
>>> Virus 'Troj/CWS-C' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP471\A0209416.dll
Removal successful
>>> Virus 'Troj/CWS-C' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP475\A0213462.dll
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0215497.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0216497.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0217497.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0217540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0218540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0219540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0220540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0221540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0222540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0223540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0224540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0225540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0226540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0227540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0228540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0229540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0230540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0231540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0232540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0233540.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP476\A0233544.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP477\A0233552.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP477\A0234552.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP477\A0235552.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP477\A0235555.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP477\A0235556.sys
Removal successful
>>> Virus 'Troj/Sandbox-A' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP477\A0235558.exe
Removal successful
>>> Virus 'Troj/BettInet-A' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP477\A0235559.exe
Removal successful
>>> Virus 'Dial/Conc-A' found in file C:\System Volume Information\_restore{29C10393-C5D7-442F-9F1C-3550A4BB3650}\RP477\A0235560.exe
Removal successful
>>> Virus 'Troj/CWS-C' found in file C:\WINDOWS\bhoass.dll
Removal successful
>>> Virus 'Troj/CWS-C' found in file C:\WINDOWS\bhoassw.dll
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\WINDOWS\ms2.exe
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\WINDOWS\system32\cz.dll
Removal successful
Could not check C:\WINDOWS\system32\drct16.dll (virus scan failed)
>>> Virus 'Troj/Haxdoor-CN' found in file C:\WINDOWS\system32\hz.sys
Removal successful
>>> Virus 'Troj/StartPa-FN' found in file C:\WINDOWS\system32\kfml.dll
Removal successful
Could not check C:\WINDOWS\system32\mszx23.exe (virus scan failed)
>>> Virus 'Troj/Haxdoor-CN' found in file C:\WINDOWS\system32\vdmt16.sys
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\WINDOWS\system32\winlow.sys
Removal successful
>>> Virus 'Troj/Haxdoor-CN' found in file C:\WINDOWS\system32\wz.sys
Removal successful

1 boot sector swept.
18130 files swept in 24 minutes and 45 seconds.
5 errors were encountered.
71 viruses were discovered.
71 files out of 18130 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
3 encrypted files were not checked.
Ending Sophos Anti-Virus.

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 31 July 2005 - 09:25 PM

Hi sllancaster31. Yes, the logs were different between the 2 logons. The se infection appears to be gone now from this account, so let's see if we can't clean up some of the rest of the stuff here. Also, the navcancl.htm is OK. It's the page that Norton displays when a webpage cannot be found.

Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O2 - BHO: (no name) - {5DAD4A83-AA14-8CEC-4B3D-AD38073D92C2} - C:\WINDOWS\System32\jejt.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: (no name) - {9832A2FE-91D7-4CBB-880B-704A6CB40D3A} - C:\WINDOWS\System32\kfml.dll (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O4 - HKCU\..\Run: [Win32res] C:\WINDOWS\win32res.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINDOWS\bhoass.dll
C:\WINDOWS\stlbd.dll
C:\WINDOWS\win32res.exe
C:\WINDOWS\System32\jejt.dll
c:\windows\system\BHOmod.dll
C:\WINDOWS\System32\kfml.dll
C:\WINDOWS\System32\TASKMGRU.EXE
C:\WINDOWS\System32\MSIMN32.EXE
C:\WINDOWS\SYSTEM32\drct16.dll
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ <--folder
C:\PROGRAM FILES\Web Offer\ <--folder
C:\Program Files\Ebates_MoeMoneyMaker\ <--folder

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:
Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

AdAware SE v1.06

Download, install, update, configure and run a scan with Ad-aware SE v1.06:
  • Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
      • Automatically quarantine objects prior to removal
      • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include additional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Right-click on the list and choose Select All
  • Click the Next button to finish removing the items that were found
  • When finished, REBOOT to complete the removal of what Ad-Aware SE found
Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


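The steps above amount to reading the HijackThis log for a handful of patterns: BHOs and toolbars registered with no name or pointing at a file that no longer exists, IE start/search pages served from a local DLL (res://), autostart entries dropped directly into C:\WINDOWS, self-deleting RunOnce commands, Winlogon Notify DLLs and trusted-zone additions by IP. The following Python script is an added example, not HijackThis code and not something from this thread; it parses HijackThis v1.99-style entry lines and applies exactly those heuristics. The sample lines are copied from the logs posted earlier in the thread, and the heuristics are assumptions that mirror what the helper selected for "Fix checked", not a complete classifier: an entry that is not flagged is not thereby clean, and a flagged entry (the Winlogon Notify one in particular) still needs a human to confirm the file's publisher.

```python
"""Triage helper for HijackThis log entries (added example, not HijackThis code)."""
import re

# Entry lines look like "R0 - <detail>" or "O23 - <detail>".
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d{1,2}) - (?P<detail>.+)$")
# BHO / toolbar / button entries carry a COM CLSID in braces.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Status notes HijackThis appends to a path; stripped before path checks.
ANNOTATIONS = ("(file missing)", "(no file)", "(hkcu)", "(hklm)")
# Binary placed directly in the Windows directory, e.g. C:\WINDOWS\win32res.exe
WINROOT_EXE_RE = re.compile(r'^"?[a-z]:\\windows\\[^\\\s"]+\.(exe|dll|ocx)\b')

# Constructed sample: entry lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qjfvx.dll/sp.html#89328
O2 - BHO: (no name) - {5DAD4A83-AA14-8CEC-4B3D-AD38073D92C2} - C:\WINDOWS\System32\jejt.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKCU\..\Run: [Win32res] C:\WINDOWS\win32res.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Web Offer] Command /c del C:\WINDOWS\System32\EZPOPS~1.EXE
O15 - Trusted IP range: 206.161.125.149
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""


def _path_of(kind, detail):
    """Best-effort, lower-cased extraction of the file an entry points at."""
    if kind == "O4":  # "HKCU\..\Run: [Name] C:\path\prog.exe args"
        m = re.search(r"\]\s*(.+)$", detail)
        target = m.group(1) if m else ""
    elif kind in ("O2", "O3", "O9", "O20", "O23"):
        target = detail.rsplit(" - ", 1)[-1]  # last " - " field is the path
    else:
        return ""
    low = target.lower()
    for tag in ANNOTATIONS:
        low = low.replace(tag, "")
    return low.strip()


def parse_entry(line):
    """Return {type, detail, clsid, path} for an entry line, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, detail = m.group("type"), m.group("detail")
    clsid = CLSID_RE.search(detail)
    return {"type": kind, "detail": detail,
            "clsid": clsid.group(0) if clsid else None,
            "path": _path_of(kind, detail)}


def reasons(entry):
    """Heuristic reasons this entry deserves a second look; empty list means nothing obvious."""
    kind, low, path = entry["type"], entry["detail"].lower(), entry["path"]
    out = []
    if "(file missing)" in low or "(no file)" in low:
        out.append("orphaned: the registered file no longer exists")
    if kind in ("O2", "O3") and "(no name)" in low:
        out.append("BHO/toolbar registered without a display name")
    if kind in ("R0", "R1") and ("res://" in low or "file://" in low):
        out.append("IE page served from a local file or DLL resource")
    if kind == "O4" and WINROOT_EXE_RE.match(path):
        out.append("autostart binary placed directly in the Windows directory")
    if kind == "O4" and "/c del" in low:
        out.append("RunOnce entry that deletes a file (self-cleanup)")
    if kind in ("O2", "O3", "O20") and "\\windows\\system\\" in path:
        out.append("DLL in the legacy \\WINDOWS\\SYSTEM\\ directory")
    if kind == "O15":
        out.append("host or IP range added to the Trusted sites zone")
    if kind == "O20":
        out.append("Winlogon Notify DLL loads in every logon session; verify its publisher")
    return out


def triage(log_text):
    """Parse every entry line and return [(line, [reasons])] for the flagged ones only."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            why = reasons(entry)
            if why:
                flagged.append((line.strip(), why))
    return flagged


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(line)
        for r in why:
            print("    ->", r)
```

Run against the sample, eight of the twelve entries are reported and the Radio toolbar, the AIM autostart, the Symantec service and the plain http:// start page pass unremarked; the start-page hijack to http://default.home is the kind of entry that only a human (or a list of known hijack domains, which this script does not carry) can call.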
#11 sllancaster31

sllancaster31
  • Topic Starter

  • Members
  • 15 posts

Posted 01 August 2005 - 01:24 AM

Dude, you are the man. Everything seems to be working properly. I had no problems running the programs and the comp is running well. I'm still just having one problem and that is with the 16-bit MS-DOS error I am continuously getting. I thought it was gone but it came back about 10 mins ago. Here is the new HijackThis log; it looks good to me, but I'm not an expert like yourself. I would be disappointed if most people didn't offer some donations for all the valuable help you offer for free. I want to thank you very much for the help you gave me; I will recommend this site to my colleagues and peers if they ever have any probs with their comps. I truly and greatly appreciate your help.

Logfile of HijackThis v1.99.1
Scan saved at 11:15:02 PM, on 7/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Rocky\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qjfvx.dll/sp.html#89328
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKCU\..\RunOnce: [Web Offer] Command /c del C:\WINDOWS\System32\EZPOPS~1.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:04:23 PM

Posted 01 August 2005 - 06:52 AM

Hi sllancaster31. Well, that looks better but we still have a couple of items to take care of. Please print these directions and then proceed with the following steps in order.

Step #1

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

Step #2

Restart in Safe Mode
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qjfvx.dll/sp.html#89328
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKCU\..\RunOnce: [Web Offer] Command /c del C:\WINDOWS\System32\EZPOPS~1.EXE
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\system32\qjfvx.dll
C:\WINDOWS\System32\EZPOPS~1.EXE (look for a file whose name begins with EZPOPS)

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Run CWShredder
  • Double-click on CWShredder.exe.
  • Click "Fix ->" and click "OK" at the prompt.
  • CWShredder will scan and clean your system of CWS files.
  • Click "Next->" and then "Exit".
Step #7

Reboot normally and run at least 2 of the following on-line virus scans:

Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #8

AdAware SE v1.06
  • Close ALL windows and start Ad-Aware SE.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Right-click on the list and choose Select All
  • Click the Next button to finish removing the items that were found
  • When finished, REBOOT to complete the removal of what Ad-Aware SE found
Step #9

Download xp_fix.exe and run it. Reboot your computer when finished. This should repair the problem you are having with the 16-bit subsystem.

Step #10

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#13 sllancaster31

sllancaster31
  • Topic Starter

  • Members
  • 15 posts
  • Local time:04:23 PM

Posted 02 August 2005 - 02:24 AM

I couldn't find these two files:
C:\WINDOWS\system32\qjfvx.dll
C:\WINDOWS\System32\EZPOPS~1.EXE (look for a file whose name begins with EZPOPS)


And this one keeps coming back on my hijack this list.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qjfvx.dll/sp.html#89328

Other than that it mostly seems to be working OK. I ran the tests and came back with one or two errors and deleted the files. Ad-Aware came back clean. I also have not seen the 16-bit subsystem error in quite a while.

Thanks again,

Shane






Logfile of HijackThis v1.99.1
Scan saved at 12:17:17 AM, on 8/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rocky\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qjfvx.dll/sp.html#89328
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

#14 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:04:23 PM

Posted 02 August 2005 - 09:27 AM

Hi sllancaster31. If the files are not there then it is probably TeaTimer that is just holding those entries in the registry. Let's disable TeaTimer and fix it.

First disable TeaTimer so it does not interfere with the changes we are going to make.
  • Start Spybot-S&D.
  • Go to the Mode menu, and make sure Advanced Mode is selected.
  • On the left hand side, choose Tools and then click on Resident.
  • Uncheck Resident TeaTimer and choose OK for any further prompts.
  • Restart your computer.
Start HijackThis and click the Scan button to perform a scan. Look for the following item and click in the checkbox in front of it to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qjfvx.dll/sp.html#89328

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

There. Now reboot and post a new HijackThis log.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

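A small triage helper for the kinds of HijackThis entries OldTimer singles out in Step #3 of post #12 and again in this reply: a Search/Start Page pointing at a res:// resource inside a DLL (res:// loads HTML embedded in a local binary, so a web page setting that uses it is not a normal home page), Winlogon Notify or URLSearchHook entries whose DLL is already gone, and leftover RunOnce self-delete commands. This is an added example, not code from the thread or from HijackThis; the sample lines are constructed to mirror the ones quoted above, and the rules are assumptions about what merits a second look, not a verdict.

```python
import re

# Constructed sample lines modelled on the entries discussed in this thread
# (not a real log); the proxy line mirrors the laptop log in post #15.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qjfvx.dll/sp.html#89328",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 170.115.249.27:80",
    r"R3 - URLSearchHook: HyperSearchHook - {A90353E3-0DB0-45EC-B72C-416825FAE598} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll (file missing)",
    r"O4 - HKCU\..\RunOnce: [Web Offer] Command /c del C:\WINDOWS\System32\EZPOPS~1.EXE",
    r"O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"O20 - Winlogon Notify: drct16 - drct16.dll (file missing)",
    r"O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe",
]

# Every HijackThis entry starts with a section code (R0, R1, O4, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def triage(lines):
    """Return (section, reason, line) for each entry that deserves a second look.

    The rules are assumptions for illustration; a match means "review", not "malicious".
    """
    findings = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # process list, blank lines, header
        section, body = m.group("section"), m.group("body")
        low = body.lower()
        if section in ("R0", "R1") and "internet explorer" in low and "res://" in low:
            # Start/Search page set to an HTML resource inside a local DLL rather than
            # a web URL: the pattern behind the sp.html#... entry in this thread.
            findings.append((section, "browser page set to a res:// DLL resource", raw))
        elif section == "R1" and "proxyserver" in low:
            # A proxy can be legitimate (campus network); confirm it is expected.
            findings.append((section, "proxy server configured; verify it is expected", raw))
        elif section in ("R3", "O20") and "(file missing)" in low:
            # Load point still registered although its DLL is gone: orphaned hook.
            findings.append((section, "hook/notify entry whose DLL is missing", raw))
        elif section == "O4" and "runonce" in low and re.search(r"\bdel\b", low):
            # RunOnce entry that only deletes a file: leftover self-cleanup command.
            findings.append((section, "RunOnce self-delete command left behind", raw))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Feeding a saved HijackThis log to triage() line by line lists the candidates to research before ticking anything in Fix Checked; entries that reappear after a fix, as the R1 line did here, are worth checking against a resident protector such as TeaTimer before assuming reinfection.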

#15 sllancaster31

sllancaster31
  • Topic Starter

  • Members
  • 15 posts
  • Local time:04:23 PM

Posted 04 August 2005 - 08:21 PM

Hey OT,

I'm back at school. I hope you got the PayPal I sent. I cleaned everything back at my house comp. I just had a question about my laptop, just wondering if there was anything I didn't need in my hijack log. I know most of the stuff in there I don't use.

Shane


Logfile of HijackThis v1.99.1
Scan saved at 9:16:18 PM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\ESPN\BottomLine\bline.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Cisco\Clean Access\CCAAgent.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 170.115.249.27:80
R3 - URLSearchHook: HyperSearchHook - {A90353E3-0DB0-45EC-B72C-416825FAE598} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Mskkdvk] C:\WINNT\system32\MSKKDVK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco\Clean Access\CCAAgent.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1119029868331
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1119029822845
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe



