HJT problem with About:Buster


12 replies to this topic

#1 kms18

Posted 02 August 2005 - 03:15 AM

Hello,

I recently found my way onto this site after searching throughout the internet for a way to remove Home Search Assistant from my computer. I went through your self-help article on it, and it seemed to get rid of everything :thumbsup:

However, when I ran About:Buster at the final part of the program, I seem to have lost some internet-based functionality (e.g. signing into MSN Messenger, logging onto secure websites, e.g. Google Mail and my uni mail secure site).

I was hoping that if I posted the log of everything About:Buster got rid of, then you could tell me if any of those were ones I needed?

Thank you so much :flowers:
kms18

AboutBuster 5.0 reference file 28
Scan started on [06/06/2005] at [20:54:32]
------------------------------------------------
Removed Stream! C:\WINDOWS\002243_.tmp:cgfkqp
Removed Stream! C:\WINDOWS\aajui.txt:kunney
Removed Stream! C:\WINDOWS\Blue Lace 16.bmp:lkehp
Removed Stream! C:\WINDOWS\bootstat.dat:uhpqss
Removed Stream! C:\WINDOWS\clock.avi:duxaya
Removed Stream! C:\WINDOWS\cmsetacl.log:eoyizy
Removed Stream! C:\WINDOWS\COM+.log:etumf
Removed Stream! C:\WINDOWS\comsetup.log:ylvvtr
Removed Stream! C:\WINDOWS\control.ini:ivabyg
Removed Stream! C:\WINDOWS\d3dx.dat:fhlbjo
Removed Stream! C:\WINDOWS\desktop.ini:iuxvz
Removed Stream! C:\WINDOWS\EAGRAPH.INI:aqtgqv
Removed Stream! C:\WINDOWS\emachines_32.bmp:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Removed Stream! C:\WINDOWS\EReg072.dat:ivqcw
Removed Stream! C:\WINDOWS\EReg072.dat:srmmsx
Removed Stream! C:\WINDOWS\FeatherTexture.bmp:lkermi
Removed Stream! C:\WINDOWS\frwhq.dat:ayfrhq
Removed Stream! C:\WINDOWS\Greenstone.bmp:blrnb
Removed Stream! C:\WINDOWS\jtrfh.log:jqxdwq
Removed Stream! C:\WINDOWS\KB823980.log:crhiys
Removed Stream! C:\WINDOWS\KB886185.log:zuduc
Removed Stream! C:\WINDOWS\KB887472.log:xyzdpx
Removed Stream! C:\WINDOWS\KB887742.log:qcjofv
Removed Stream! C:\WINDOWS\KB890175.log:ndnlho
Removed Stream! C:\WINDOWS\KB890923.log:temzbi
Removed Stream! C:\WINDOWS\KB893086.log:vnnxsb
Removed Stream! C:\WINDOWS\KB893086.log:yeyvdb
Removed Stream! C:\WINDOWS\lbbho.ini:rfijxl
Removed Stream! C:\WINDOWS\Lexmark_ICM.ini:efpryd
Removed Stream! C:\WINDOWS\Lexmark_ICM.ini:ggqioo
Removed Stream! C:\WINDOWS\mHotkey.reg:oascg
Removed Stream! C:\WINDOWS\mixerdef.ini:onsgik
Removed Stream! C:\WINDOWS\mixerdef.ini:zhjnqy
Removed Stream! C:\WINDOWS\ModemLog_Conexant SoftK56 Modem(M).txt:rlkyx
Removed Stream! C:\WINDOWS\mozver.dat:pzbcuq
Removed Stream! C:\WINDOWS\msgsocm.log:bjvffa
Removed Stream! C:\WINDOWS\msoffice.ini:ntxemo
Removed Stream! C:\WINDOWS\ntbtlog.txt:bmvqt
Removed Stream! C:\WINDOWS\ntbtlog.txt:emtirx
Removed Stream! C:\WINDOWS\pxcyt.log:drdan
Removed Stream! C:\WINDOWS\Q329390.log:wrxyo
Removed Stream! C:\WINDOWS\Q810565.log:osplk
Removed Stream! C:\WINDOWS\Q811493.log:hsirl
Removed Stream! C:\WINDOWS\setupapi.log:zaocyn
Removed Stream! C:\WINDOWS\setupapi.log.0.old:txujr
Removed Stream! C:\WINDOWS\spupdsvc.log:kbauva
Removed Stream! C:\WINDOWS\svcpack.log:pevsts
Removed Stream! C:\WINDOWS\system.html:cukapk
Removed Stream! C:\WINDOWS\system.ini:oaqzh
Removed Stream! C:\WINDOWS\Thumbs.db:encryptable
Removed Stream! C:\WINDOWS\WindowsUpdate.log:mstao
Removed Stream! C:\WINDOWS\WindowsUpdate.log:uqkkr
Removed Stream! C:\WINDOWS\winnt256.bmp:oqiar
Removed Stream! C:\WINDOWS\WMSysPrx.prx:ojrwi
Removed Stream! C:\WINDOWS\X63_DS.ini:frndo
Removed Stream! C:\WINDOWS\xefpv.log:zjltf
Removed Stream! C:\WINDOWS\_default.pif:aayvm
------------------------------------------------
Removed File! : C:\Windows\addas.exe
Removed File! : C:\Windows\addpx.exe
Removed File! : C:\Windows\apidk32.exe
Removed File! : C:\Windows\apiib32.exe
Removed File! : C:\Windows\apixx32.dll
Removed File! : C:\Windows\atlbf32.exe
Removed File! : C:\Windows\atlcg32.dll
Removed File! : C:\Windows\atlcj.exe
Removed File! : C:\Windows\atlcs32.exe
Removed File! : C:\Windows\atlfi32.exe
Removed File! : C:\Windows\atlns32.exe
Removed File! : C:\Windows\atlqt.dll
Removed File! : C:\Windows\atlrc32.exe
Removed File! : C:\Windows\atlun32.exe
Removed File! : C:\Windows\ceblz.dll
Removed File! : C:\Windows\crdg.exe
Removed File! : C:\Windows\crrt32.exe
Removed File! : C:\Windows\crtv32.dll
Removed File! : C:\Windows\crxd32.exe
Removed File! : C:\Windows\d3ec32.dll
Removed File! : C:\Windows\d3qu.exe
Removed File! : C:\Windows\d3ry.exe
Removed File! : C:\Windows\d3sv32.exe
Removed File! : C:\Windows\d3vi.exe
Removed File! : C:\Windows\d3zt.exe
Removed File! : C:\Windows\ebixn.dll
Removed File! : C:\Windows\efmds.dll
Removed File! : C:\Windows\ehico.dll
Removed File! : C:\Windows\gxpko.dll
Removed File! : C:\Windows\iebl.exe
Removed File! : C:\Windows\iegx.exe
Removed File! : C:\Windows\ienb.dll
Removed File! : C:\Windows\ienu32.exe
Removed File! : C:\Windows\iezy32.exe
Removed File! : C:\Windows\ipce.exe
Removed File! : C:\Windows\ipck32.dll
Removed File! : C:\Windows\ipkf32.exe
Removed File! : C:\Windows\ipww32.exe
Removed File! : C:\Windows\javaam32.exe
Removed File! : C:\Windows\javaja.exe
Removed File! : C:\Windows\javaqx.exe
Removed File! : C:\Windows\knjuh.dll
Removed File! : C:\Windows\mfcbe32.exe
Removed File! : C:\Windows\mfcrk32.exe
Removed File! : C:\Windows\mscm.exe
Removed File! : C:\Windows\mscu32.exe
Removed File! : C:\Windows\msfu32.dll
Removed File! : C:\Windows\msjr32.exe
Removed File! : C:\Windows\msts32.exe
Removed File! : C:\Windows\msxe.exe
Removed File! : C:\Windows\netnr32.exe
Removed File! : C:\Windows\netqe.exe
Removed File! : C:\Windows\netrg.exe
Removed File! : C:\Windows\nhefv.dll
Removed File! : C:\Windows\ntfx32.exe
Removed File! : C:\Windows\ntms32.dll
Removed File! : C:\Windows\ntoi.exe
Removed File! : C:\Windows\ntsy.exe
Removed File! : C:\Windows\ntvy.exe
Removed File! : C:\Windows\pudgk.dll
Removed File! : C:\Windows\rpexb.dat
Removed File! : C:\Windows\sdkyt.dll
Removed File! : C:\Windows\sysgs.exe
Removed File! : C:\Windows\syshv32.exe
Removed File! : C:\Windows\sysqy.exe
Removed File! : C:\Windows\sysrl32.exe
Removed File! : C:\Windows\talmr.dat
Removed File! : C:\Windows\winic.dll
Removed File! : C:\Windows\winkr32.dll
Removed File! : C:\Windows\winob.exe
Removed File! : C:\Windows\winoi.exe
Removed File! : C:\Windows\System32\addmo.exe
Removed File! : C:\Windows\System32\addmq.dll
Removed File! : C:\Windows\System32\addpj.dll
Removed File! : C:\Windows\System32\addsh32.dll
Removed File! : C:\Windows\System32\apiix.exe
Removed File! : C:\Windows\System32\apiuh32.exe
Removed File! : C:\Windows\System32\apiwc.exe
Removed File! : C:\Windows\System32\appho.exe
Removed File! : C:\Windows\System32\appox32.dll
Removed File! : C:\Windows\System32\appuj.exe
Removed File! : C:\Windows\System32\appuk.exe
Removed File! : C:\Windows\System32\appyk32.exe
Removed File! : C:\Windows\System32\appym32.dll
Removed File! : C:\Windows\System32\atlss32.exe
Removed File! : C:\Windows\System32\crlr32.exe
Removed File! : C:\Windows\System32\cruw32.dll
Removed File! : C:\Windows\System32\cryr.exe
Removed File! : C:\Windows\System32\d3cx.dll
Removed File! : C:\Windows\System32\d3ed32.dll
Removed File! : C:\Windows\System32\d3oj32.exe
Removed File! : C:\Windows\System32\iebz32.exe
Removed File! : C:\Windows\System32\ieew.exe
Removed File! : C:\Windows\System32\ieje.exe
Removed File! : C:\Windows\System32\iekd32.dll
Removed File! : C:\Windows\System32\ieoz.exe
Removed File! : C:\Windows\System32\ieqw32.exe
Removed File! : C:\Windows\System32\iews.dll
Removed File! : C:\Windows\System32\iezn32.exe
Removed File! : C:\Windows\System32\ipmy.dll
Removed File! : C:\Windows\System32\mfcqa32.exe
Removed File! : C:\Windows\System32\mfcqn32.exe
Removed File! : C:\Windows\System32\netqi32.exe
Removed File! : C:\Windows\System32\netxt.exe
Removed File! : C:\Windows\System32\ntak32.exe
Removed File! : C:\Windows\System32\ntaw32.exe
Removed File! : C:\Windows\System32\ntek32.exe
Removed File! : C:\Windows\System32\ntkb.exe
Removed File! : C:\Windows\System32\ntko.dll
Removed File! : C:\Windows\System32\ntod32.dll
Removed File! : C:\Windows\System32\ntrf32.dll
Removed File! : C:\Windows\System32\ntxy.exe
Removed File! : C:\Windows\System32\nymzi.dll
Removed File! : C:\Windows\System32\oxsxi.dat
Removed File! : C:\Windows\System32\pbloj.dat
Removed File! : C:\Windows\System32\reiek.dll
Removed File! : C:\Windows\System32\sdklz.exe
Removed File! : C:\Windows\System32\sdkqs.exe
Removed File! : C:\Windows\System32\sdkvk32.exe
Removed File! : C:\Windows\System32\sdkwn.exe
Removed File! : C:\Windows\System32\sdkxe.exe
Removed File! : C:\Windows\System32\sdkyi32.exe
Removed File! : C:\Windows\System32\sysgg.exe
Removed File! : C:\Windows\System32\syshd.exe
Removed File! : C:\Windows\System32\sysio32.exe
Removed File! : C:\Windows\System32\sysjk.dll
Removed File! : C:\Windows\System32\sysoo.exe
Removed File! : C:\Windows\System32\syssl.exe
Removed File! : C:\Windows\System32\syssv32.exe
Removed File! : C:\Windows\System32\ujnur.dll
Removed File! : C:\Windows\System32\uueqa.dll
Removed File! : C:\Windows\System32\vnqqg.dll
Removed File! : C:\Windows\System32\wdzye.dll
Removed File! : C:\Windows\System32\winfu.exe
Removed File! : C:\Windows\System32\wingb32.exe
Removed File! : C:\Windows\System32\winkq32.exe
Removed File! : C:\Windows\System32\winpf32.dll
Removed File! : C:\Windows\System32\zhcpz.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 20:57:29




#2 OldTimer
Malware Expert

Posted 02 August 2005 - 06:34 PM

Hello kms18 and welcome to the BC malware forum. There is nothing in that log that should not be there. For us to evaluate the computer we will need a HijackThis log. Follow the directions below to post a log.

We need a complete HijackThis (HJT) log file to be able to analyze what is happening on your computer. If you do not have a copy of HijackThis or do not have the latest version (1.99.1), then download it from here: HijackThis_sfx.exe
Double-click on the file you just downloaded and click on the UnZip button to install the program. It will be installed to the C:\Program Files\HijackThis\ folder by default.

Boot normally, start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis, and click the Add Reply button.

I will review your log when it comes in.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL I CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 kms18 (Topic Starter)

Posted 03 August 2005 - 07:30 AM

Logfile of HijackThis v1.99.1
Scan saved at 19:04:26, on 06/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\addog32.exe
C:\WINDOWS\system32\mfcjs.exe
C:\Documents and Settings\k-man\Desktop\aboutbuster\AboutBuster.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hyjsn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hyjsn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hyjsn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hyjsn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hyjsn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hyjsn.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D197A0E1-57CF-5D1D-AB6B-C7313C71B514} - C:\WINDOWS\system32\ipmy.dll
O2 - BHO: Class - {FB118E8B-875C-AD27-289B-C22A5B4AA454} - C:\WINDOWS\appws32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKLM\..\Run: [CCCBAF70] C:\WINDOWS\System32\vfsykkbjn.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [msupdate Service] msupdate.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [mfcjs.exe] C:\WINDOWS\system32\mfcjs.exe
O4 - HKLM\..\Run: [crrs.exe] C:\WINDOWS\crrs.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [mshc32.exe] C:\WINDOWS\system32\mshc32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] svshost.exe
O4 - HKLM\..\RunServices: [A2CA092A] C:\WINDOWS\System32\vfsykkbjn.exe
O4 - HKLM\..\RunServices: [msupdate Service] msupdate.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msupdate Service] msupdate.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Panorama.exe
O4 - Startup: prama$$$.bmp
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientIn...2/OCI/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} (PatchCtl Class) - file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1117598189671
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{25A7220E-4B94-4EE3-897E-67D9769DCE8C}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{25A7220E-4B94-4EE3-897E-67D9769DCE8C}: NameServer = 192.168.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\addog32.exe"  /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



#4 OldTimer
Malware Expert

Posted 03 August 2005 - 10:35 AM

Hi kms18. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

Download CCleaner and install it but do not run it yet.

Download cwsserviceremove.zip and unzip it to your desktop. Right-click on the cwsserviceremove.reg file and choose Merge from the options. Answer Yes or OK to any further prompts. You should get a message that the file was merged successfully into the registry.

Step #2

Restart in Safe Mode
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hyjsn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hyjsn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hyjsn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hyjsn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hyjsn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hyjsn.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D197A0E1-57CF-5D1D-AB6B-C7313C71B514} - C:\WINDOWS\system32\ipmy.dll
O2 - BHO: Class - {FB118E8B-875C-AD27-289B-C22A5B4AA454} - C:\WINDOWS\appws32.dll
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKLM\..\Run: [CCCBAF70] C:\WINDOWS\System32\vfsykkbjn.exe
O4 - HKLM\..\Run: [msupdate Service] msupdate.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [mfcjs.exe] C:\WINDOWS\system32\mfcjs.exe
O4 - HKLM\..\Run: [crrs.exe] C:\WINDOWS\crrs.exe
O4 - HKLM\..\Run: [mshc32.exe] C:\WINDOWS\system32\mshc32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] svshost.exe
O4 - HKLM\..\RunServices: [A2CA092A] C:\WINDOWS\System32\vfsykkbjn.exe
O4 - HKLM\..\RunServices: [msupdate Service] msupdate.exe
O4 - HKCU\..\Run: [msupdate Service] msupdate.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINDOWS\system32\hyjsn.dll
C:\WINDOWS\system32\ipmy.dll
C:\WINDOWS\System32\vfsykkbjn.exe
C:\WINDOWS\system32\mfcjs.exe
C:\WINDOWS\system32\mshc32.exe
C:\WINDOWS\system32\addog32.exe
C:\WINDOWS\crrs.exe
C:\WINDOWS\appws32.dll
C:\WINDOWS\winh.exe

Now search for these files and delete all instances. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.
svshost.exe
msupdate.exe

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Run CWShredder
  • Double-click on CWShredder.exe.
  • Click "Fix ->" and click "OK" at the prompt.
  • CWShredder will scan and clean your system of CWS files.
  • Click "Next->" and then "Exit".
Step #7

Reboot normally and run at least 2 of the following on-line virus scans:
Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #8

AdAware SE v1.06

Download, install, update, configure and run a scan with Ad-aware SE:
  • Download and Install AdAware SE Personal v1.06, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
        • Automatically quarantine objects prior to removal
        • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include additional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Right-click on the list and choose Select All
  • Click the Next button to finish removing the items that were found
  • When finished, REBOOT to complete the removal of what Ad-Aware SE found
Step #9

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT

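As an added example (not code from this thread, from BleepingComputer or from HijackThis), the Python below parses the R0/R1, O2 and O4 entry formats seen in the logs above and flags entries with the traits OldTimer picked out: IE search settings redirected into a res:// URL inside a DLL, BHOs with no real name or a missing DLL, and Run entries that launch a look-alike of a system binary, sit under a random hex value name, or give no path. The sample lines are copied from the logs in this thread; the regexes, the check names and the SYSTEM_NAMES list are this example's own assumptions.

```python
"""Triage helper for HijackThis 1.99.1 log lines.

Added example, not code from the thread or from HijackThis: it parses the
R0/R1, O2 and O4 entry formats and applies the kind of checks OldTimer used
when choosing which entries to fix. The regexes, check wording and the
SYSTEM_NAMES list are assumptions made for this example."""
import re
from dataclasses import dataclass

# Sample input in HijackThis log format (lines copied from the logs in this thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hyjsn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D197A0E1-57CF-5D1D-AB6B-C7313C71B514} - C:\WINDOWS\system32\ipmy.dll
O2 - BHO: Class - {BB0058FA-B2CF-E8A4-7D77-15E7458BC241} - C:\WINDOWS\system32\appym32.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKLM\..\Run: [CCCBAF70] C:\WINDOWS\System32\vfsykkbjn.exe
O4 - HKLM\..\RunServices: [msupdate Service] msupdate.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
""".strip().splitlines()

ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RES_DLL = re.compile(r"^res://.+\.dll", re.IGNORECASE)
BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<valname>[^\]]*)\] (?P<cmd>.*)$")
# System binaries that malware imitates by one character (svshost.exe vs svchost.exe); assumed list.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}


@dataclass
class Finding:
    kind: str    # HJT section, e.g. "O4"
    reason: str  # why the entry deserves a second look
    line: str    # the original log line


def executable_of(cmd: str) -> str:
    """Return the program part of a Run value, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def hamming_one(a: str, b: str) -> bool:
    """True when a and b have the same length and differ in exactly one character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def check_ie_setting(body: str):
    """R0/R1: a search or start setting whose target is a page served from inside a DLL."""
    key, _, value = body.partition(" = ")
    if RES_DLL.match(value.strip()):
        return f"IE '{key.rsplit(',', 1)[-1]}' redirected into a res:// URL inside a DLL (CWS-style hijack)"
    return None


def check_bho(body: str):
    """O2: Browser Helper Objects with a stale DLL or no descriptive name."""
    m = BHO.match(body)
    if m is None:
        return None
    if m["path"].strip().endswith("(file missing)"):
        return "BHO whose DLL no longer exists (stale registration)"
    if m["name"].strip() in ("", "Class", "(no name)"):
        return "BHO registered without a descriptive name"
    return None


def check_run(body: str):
    """O4: autostart entries that look like malware rather than a vendor program."""
    m = RUN.match(body)
    if m is None:
        return None  # Startup-folder entries and other O4 forms are not handled here
    exe = executable_of(m["cmd"])
    base = exe.rsplit("\\", 1)[-1].lower()
    if any(hamming_one(base, s) for s in SYSTEM_NAMES):
        return f"'{base}' is a one-character look-alike of a Windows system binary"
    if re.fullmatch(r"[0-9A-F]{8}", m["valname"]):
        return f"value name '{m['valname']}' is a random-looking hex string"
    if "\\" not in exe:
        return f"'{exe}' launched with no path: resolved via PATH, so its origin must be verified"
    return None


CHECKS = {"R0": check_ie_setting, "R1": check_ie_setting, "O2": check_bho, "O4": check_run}


def triage(lines):
    """Run the section-specific check on each HJT entry and collect the hits."""
    findings = []
    for raw in lines:
        m = ENTRY.match(raw.strip())
        if m is None:
            continue  # header, blank or process-list line
        check = CHECKS.get(m["kind"])
        reason = check(m["body"]) if check else None
        if reason:
            findings.append(Finding(m["kind"], reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

Vendor programs that are legitimately started by bare name (mHotkey.exe, Mixer.exe in the log above) will also trip the no-path check, which is why that reason says "verify" rather than "remove".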

#5 kms18 (Topic Starter)

Posted 03 August 2005 - 06:39 PM

OldTimer,

Just a quick question before I get started on that.

I've already followed and run the whole of the self-help tutorial on your website, and I believe my computer is clear of the virus/malware. My only question is that after I ran the last part of the self-help tutorial, About:Buster might have deleted some files from the /windows or the /system32 folder that my computer needs to run properly.

However, I don't know which these may be (thank you Windows for useless file naming!) so I was just wondering if there are any in the initial About:Buster log that are definitely not supposed to be removed?

Thank you, and I'll try out your solution in the coming week :thumbsup:

Thank you again
kms18

#6 OldTimer
Malware Expert

Posted 03 August 2005 - 08:23 PM

Hi kms18. No, AboutBuster will not delete any files that are not infected. The original list was all valid malware files.

Cheers.

OT


#7 kms18 (Topic Starter)

Posted 04 August 2005 - 07:33 AM

Thanks OT,

Will try your solution today then :thumbsup:

Thank you!
kms18

#8 kms18 (Topic Starter)

Posted 06 August 2005 - 09:49 AM

OT,

I have done a most recent HJT log, about 2 minutes ago. Here is the latest HJT log; please could we work using this one, as the other one is very old and was made before I started using the self-help tutorial? :thumbsup: Thank you so much!

Logfile of HijackThis v1.99.1
Scan saved at 15:45:43, on 06/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {BB0058FA-B2CF-E8A4-7D77-15E7458BC241} - C:\WINDOWS\system32\appym32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientIn...2/OCI/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} (PatchCtl Class) - file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co.../x86/client/wuweb_site.cab?1117598189671
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...icro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{25A7220E-4B94-4EE3-897E-67D9769DCE8C}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{25A7220E-4B94-4EE3-897E-67D9769DCE8C}: NameServer = 192.168.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:05:49 PM

Posted 06 August 2005 - 11:44 AM

Hi kms18. Almost there.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
O2 - BHO: Class - {BB0058FA-B2CF-E8A4-7D77-15E7458BC241} - C:\WINDOWS\system32\appym32.dll (file missing)
Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINDOWS\system32\appym32.dll
OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
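As an added illustration (not code from this thread, from HijackThis, or from OldTimer), here is a small Python parser for the O2/O3/O23 line format in the logs above. It flags the same kinds of entries a helper looks at first: a BHO whose DLL is already gone, a BHO with a generic one-word name, and a service with "Unknown owner" (which only needs checking, as ATI Smart shows). The sample lines are constructed from the log format in this thread, and the three triage reasons are my own heuristics, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the HijackThis 1.99.1 line format used in the logs above;
# the appym32.dll line is the entry OldTimer asked kms18 to fix.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {BB0058FA-B2CF-E8A4-7D77-15E7458BC241} - C:\WINDOWS\system32\appym32.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# O2 (BHO) and O3 (toolbar) share one shape: name - {CLSID} - path [(file missing)]
CLSID_ENTRY = re.compile(
    r"^(?P<kind>O2|O3) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O23 (service): display name - owner/company - image path
SERVICE_ENTRY = re.compile(
    r"^(?P<kind>O23) - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"
)


@dataclass
class Entry:
    kind: str
    name: str
    path: str
    clsid: Optional[str] = None
    owner: Optional[str] = None
    file_missing: bool = False


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one O2/O3/O23 line; lines from other HJT sections return None."""
    m = CLSID_ENTRY.match(line)
    if m:
        return Entry(m["kind"], m["name"], m["path"], clsid=m["clsid"],
                     file_missing=m["missing"] is not None)
    m = SERVICE_ENTRY.match(line)
    if m:
        return Entry(m["kind"], m["name"], m["path"], owner=m["owner"])
    return None


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, path, reason) for entries worth a second look (heuristics, not verdicts)."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line.strip())
        if e is None:
            continue
        if e.file_missing:            # dead registration left after the DLL was removed
            findings.append((e.kind, e.path, "file missing"))
        elif e.kind == "O2" and e.name.strip().lower() in ("class", ""):
            findings.append((e.kind, e.path, "generic BHO name"))
        elif e.kind == "O23" and e.owner == "Unknown owner":
            findings.append((e.kind, e.path, "unknown owner - verify"))
    return findings
```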

#10 kms18

kms18
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:49 PM

Posted 07 August 2005 - 03:14 PM

Logfile of HijackThis v1.99.1
Scan saved at 21:11:25, on 07/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientIn...2/OCI/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} (PatchCtl Class) - file://C:\Program Files\EA SPORTS\FIFA 2004\update.1.1\patchx2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1117598189671
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{25A7220E-4B94-4EE3-897E-67D9769DCE8C}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{25A7220E-4B94-4EE3-897E-67D9769DCE8C}: NameServer = 192.168.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Did as you asked :thumbsup: Restarted the comp and did a scan. Here is the log :flowers:

#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:05:49 PM

Posted 07 August 2005 - 11:48 PM

Hi kms18. This log looks clean. How are things running? Any problems?

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • CHECK Turn off System Restore.
    • Click Apply, and then click OK.
  • Restart your computer.
  • Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check Turn off System Restore.
    • Click Apply, and then click OK.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You already have a good anti-virus, and you should also have a good firewall for blocking unwanted access to and from your computer. These also are free for personal use:
It is best to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit Microsoft Windows Update monthly. Microsoft puts out new updates on the 2nd Tuesday of every month so be sure to check regularly.

And to keep your system clean be aware of what emails you open, what websites you visit, and update and run these free malware scanners once a week:
To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#12 kms18

kms18
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:49 PM

Posted 12 August 2005 - 09:09 AM

Hello OT,

Sorry for the late reply. Unfortunately, I am still unable to log into MSN, or secure server sites - using both Mozilla Firefox and IE 6 :thumbsup:

I was hoping to compare my computer's /system32 with a friend's, also running XP, and insert any files that are missing in mine from hers. Is that wise?

thank you
kms18

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:05:49 PM

Posted 12 August 2005 - 03:21 PM

Hi kms18. I would not recommend comparing 2 machines unless they are EXACTLY the same (hardware/software/updates etc). Each machine is unique and files needed for one can cause problems on a different machine.

Not being able to connect to secure sites can be caused by any number of issues. I would start with Microsoft's recommendations and work through those first.

Here is a link:

http://support.microsoft.com/?kbid=813444

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
