web page hijacked


  • This topic is locked
20 replies to this topic

#1 Marko

Marko

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 19 September 2005 - 04:15 PM

OK, when I try to go to certain sites, most importantly eBay, I am within 5 seconds redirected to some page about spy removal programs or something along that line. I've tried Spybot, Ad-Aware, and my antivirus AVG, all with no success. I use HijackThis sometimes and I think "LXBSppls.exe" doesn't belong, but it seems to reinstall itself if I remove it.

Anyway, here's my log; maybe somebody can help. Oh, and I believe I'll be switching to Firefox once this is sorted out as well.

Logfile of HijackThis v1.99.1
Scan saved at 4:09:49 PM, on 19/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LXBSPPLS.EXE
C:\WINDOWS\SYSTEM\LXBSPSWX.EXE
C:\WINDOWS\SYSTEM\LXBSJSWX.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
F1 - win.ini: run=LXBSppls.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\SYSTEM\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archives.ca/mrsidi_cab/MrSIDI.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...404/mcfscan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab


#2 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:08:16 AM

Posted 24 September 2005 - 09:00 PM

Sorry for the delay, Marko.

Let's check a few items before we get started.

To scan individual files for malware analysis, you can use Jotti here:

http://virusscan.jotti.org/

Please check the following files:

C:\WINDOWS\SYSTEM\LXBStime.dll
C:\WINDOWS\SYSTEM\LXBSPPLS.EXE
C:\WINDOWS\SYSTEM\LXBSPSWX.EXE
C:\WINDOWS\SYSTEM\LXBSJSWX.EXE


Post the reports back to this topic, along with a new HiJackThis log.

Thanks,

JC
:thumbsup:
JC

#3 Marko

Marko
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 25 September 2005 - 01:06 PM

OK, I scanned all four of them. They all said "status ok", there were no packers detected, and all of the scanners said "found nothing."


Here's the HijackThis log again. Oh, and thanks for helping. I really appreciate this.


Logfile of HijackThis v1.99.1
Scan saved at 1:05:47 PM, on 25/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\LXBSPPLS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
F1 - win.ini: run=LXBSppls.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\SYSTEM\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archives.ca/mrsidi_cab/MrSIDI.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...404/mcfscan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab

#4 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • OFFLINE
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:08:16 AM

Posted 25 September 2005 - 05:05 PM

Honestly, there was not a lot of information that I could find about those files, but there were hints that it is for a Lexmark printer; does that sound correct? Since you mentioned that you did not recognize it, I thought the scan was the safest thing to do before we started.

There really isn't much showing in your log, but let's get rid of an item and run a couple of scans to make sure. What is the exact site address that you are being redirected to?

After reviewing your log I see a few items that require our attention. Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.


:thumbsup: Download CWShredder.exe and save it to a folder of its own.

Download it from here:
http://www.trendmicro.com/cwshredder/

Start the program, and click on the Check for Update button. If an update is available then download and install it.

With CWShredder open:

Click Fix -> and click OK at the prompt.

CWShredder will scan and clean your system of CWS files.

Click Next-> and then Exit.


:flowers: Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O15 - Trusted IP range: 206.161.125.149 <==remove unless you added this yourself, it is for advancedhosters.com

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.


:trumpet: Please do an online virus scan with Panda ActiveScan Here. You need to use Internet Explorer for this scan.
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
  • I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here.
:inlove: Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.

Please reply to this post with a new HiJackThis log, the scan log from the Panda Active Scan, and the silent runners log.


JC :cool:

Edited by Joshuacat, 25 September 2005 - 05:12 PM.

JC
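The check above (select the O15 entry, click Fix Checked, then post a fresh log) is a loop that can be automated for the reader following along. The Python script below is an added example written for this edit; it is not code from HijackThis, from the forum, or from either poster. It parses the Rn/Fn/On entry lines of a HijackThis v1.99.1 log, lists the entry classes that most often carry an autostart or a trust-zone change (F1, O4, O15, O16), and diffs two logs so that an entry which was already fixed but is present again in the next scan stands out. The two sample logs are trimmed excerpts reconstructed from the logs posted in this thread; the one-line descriptions in WATCH are this example's own summary, not HijackThis's text.

```python
"""Triage helper for HijackThis v1.99.1 logs.

Added example for this thread, not code from HijackThis or from the forum.
It parses the entry lines (R0, F1, O4, ...), lists the entry classes that most
often carry an autostart or a trust-zone change, and diffs two logs so that an
entry the user already clicked "Fix Checked" on, but which is back in the next
scan, stands out.
"""
import re
from typing import Dict, List, Set

# Entry lines look like "O15 - Trusted IP range: 206.161.125.149".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")

# Entry classes worth a second look; the descriptions are this example's own
# summary of what HijackThis reports under each prefix.
WATCH = {
    "F1": "win.ini run=/load= autostart (legacy; legitimate for some printer helpers)",
    "O4": "HKLM/HKCU Run or RunServices registry autostart",
    "O15": "Internet Explorer Trusted Zone site or trusted IP range",
    "O16": "Downloaded Program File (ActiveX .cab)",
}


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Return {prefix: [entry, ...]} for every Rn/Fn/On line in a log."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries


def review_items(text: str) -> List[str]:
    """Watched entries as 'PREFIX - entry  # why' lines, in WATCH order."""
    parsed = parse_hjt(text)
    return [f"{prefix} - {entry}  # {why}"
            for prefix, why in WATCH.items()
            for entry in parsed.get(prefix, [])]


def reappeared(before: str, after: str, fixed: Set[str]) -> List[str]:
    """Entries that were fixed (full 'PREFIX - entry' text) yet appear in both logs.

    Something on the system re-creating the entry between scans is the usual
    explanation, which is what the thread observes for the O15 range.
    """
    def full_lines(text: str) -> Set[str]:
        return {f"{p} - {e}" for p, es in parse_hjt(text).items() for e in es}
    return sorted(fixed & full_lines(before) & full_lines(after))


# Constructed sample logs: trimmed excerpts of the logs posted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\LXBSPPLS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
F1 - win.ini: run=LXBSppls.exe
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\SYSTEM\LXBStime.dll,_RunDLLEntry@16
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archives.ca/mrsidi_cab/MrSIDI.cab
"""

# The user removed the O15 entry with "Fix Checked" and scanned again.
FIXED = {"O15 - Trusted IP range: 206.161.125.149"}
LOG_AFTER = LOG_BEFORE  # the re-scan in the thread showed the same entries


if __name__ == "__main__":
    for line in review_items(LOG_BEFORE):
        print(line)
    for line in reappeared(LOG_BEFORE, LOG_AFTER, FIXED):
        print("REAPPEARED after Fix Checked:", line)
```

Run it against the full text of two consecutive logs and the output narrows the review to the handful of entries that matter; an entry listed as reappeared is the one to trace back to a running process or autostart item, since HijackThis only removes what is on disk or in the registry at the moment you click Fix Checked.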

#5 Marko

Marko
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 26 September 2005 - 05:35 PM

Thanks for helping me out.

OK, that was my Lexmark printer. Odd of me not to realize that; oh well.

I ran CWShredder like you said. It found nothing whatsoever.

I used HijackThis to remove the IP range. However, whenever I run HijackThis again I see that the IP range is still there. So when I remove it, it must be automatically put back.

I ran the Panda scan, and that found a few things. It fixed some of them as well. Here are the results of that.

Incident Status Location

Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM\sdkna32.exe
Adware:adware/gator No disinfected C:\WINDOWS\Start Menu\Programs\GAIN Publishing
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\TEMP\A0056734.CPY
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\TEMP\A0058788.CPY
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\TEMP\A0060820.CPY
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\TEMP\A0005884.CPY
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\TEMP\A0005885.CPY
Virus:Trj/Downloader.CCI Disinfected C:\_RESTORE\TEMP\A0005887.CPY
Virus:Trj/Downloader.CCI Disinfected C:\_RESTORE\TEMP\A0005888.CPY
Virus:Trj/Downloader.CCI Disinfected C:\_RESTORE\TEMP\A0005889.CPY
Virus:Trj/Downloader.CCI Disinfected C:\_RESTORE\TEMP\A0005890.CPY
Virus:Trj/Downloader.CCI Disinfected C:\_RESTORE\TEMP\A0005891.CPY
Virus:Trj/Downloader.CCI Disinfected C:\_RESTORE\TEMP\A0005892.CPY
Virus:Bck/Agent.JJ Disinfected C:\_RESTORE\TEMP\A0005893.CPY
Virus:Bck/Agent.JJ Disinfected C:\_RESTORE\TEMP\A0005894.CPY
Virus:Bck/Agent.JJ Disinfected C:\_RESTORE\TEMP\A0005895.CPY
Virus:Bck/Agent.JJ Disinfected C:\_RESTORE\TEMP\A0005896.CPY
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\TEMP\A0008059.CPY
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\TEMP\A0008060.CPY
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\TEMP\A0009285.CPY
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\TEMP\A0009286.CPY
Virus:Bck/Agent.JJ Disinfected C:\_RESTORE\TEMP\A0009290.CPY
Virus:Bck/Agent.JJ Disinfected C:\_RESTORE\TEMP\A0009291.CPY
Virus:Bck/Agent.JJ No disinfected C:\_RESTORE\ARCHIVE\FS9.CAB[A0000240.CPY]
Virus:Bck/Agent.JJ No disinfected C:\_RESTORE\ARCHIVE\FS9.CAB[A0000241.CPY]
Virus:Trj/Downloader.ABO No disinfected C:\_RESTORE\ARCHIVE\FS9.CAB[A0000243.CPY]
Virus:Trj/Downloader.ABO No disinfected C:\_RESTORE\ARCHIVE\FS9.CAB[A0000244.CPY]
Virus:Trj/Multidropper.TZ No disinfected C:\_RESTORE\ARCHIVE\FS9.CAB[A0000246.CPY]
Virus:Trj/Multidropper.TZ No disinfected C:\_RESTORE\ARCHIVE\FS9.CAB[A0000247.CPY]
Virus:Trj/Downloader.ABO No disinfected C:\_RESTORE\ARCHIVE\FS4.CAB[A0000112.CPY]
Virus:Trj/Downloader.ABO No disinfected C:\_RESTORE\ARCHIVE\FS4.CAB[A0000113.CPY]
Virus:Bck/Agent.JJ No disinfected C:\_RESTORE\ARCHIVE\FS4.CAB[A0000115.CPY]
Virus:Bck/Agent.JJ No disinfected C:\_RESTORE\ARCHIVE\FS4.CAB[A0000116.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS6.CAB[A0000171.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS6.CAB[A0000172.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS7.CAB[A0000215.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS7.CAB[A0000216.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS12.CAB[A0000552.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS12.CAB[A0000553.CPY]
Virus:Bck/Agent.JJ No disinfected C:\_RESTORE\ARCHIVE\FS15.CAB[A0000652.CPY]
Virus:Bck/Agent.JJ No disinfected C:\_RESTORE\ARCHIVE\FS15.CAB[A0000653.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS17.CAB[A0001629.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS17.CAB[A0001630.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS18.CAB[A0001718.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS18.CAB[A0001719.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS24.CAB[A0005800.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS24.CAB[A0005801.CPY]
Virus:Bck/Agent.JJ No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0005823.CPY]
Virus:Bck/Agent.JJ No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0005824.CPY]
Virus:Trj/Downloader.ABO No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0005826.CPY]
Virus:Trj/Downloader.ABO No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0005827.CPY]
Virus:Trj/Multidropper.TZ No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0005829.CPY]
Virus:Trj/Multidropper.TZ No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0005830.CPY]
Virus:Trj/Downloader.ABO No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0005832.CPY]
Virus:Trj/Downloader.ABO No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0005833.CPY]
Virus:Trj/Downloader.AQT No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0005845.CPY]
Virus:Trj/Downloader.AQT No disinfected C:\_RESTORE\ARCHIVE\FS25.CAB[A0005846.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS27.CAB[A0006925.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS27.CAB[A0006926.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS30.CAB[A0007973.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS30.CAB[A0007974.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS35.CAB[A0008125.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS35.CAB[A0008126.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS36.CAB[A0008182.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS36.CAB[A0008183.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS37.CAB[A0008211.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS37.CAB[A0008212.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS38.CAB[A0008246.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS38.CAB[A0008247.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS50.CAB[A0013473.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS50.CAB[A0013474.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS53.CAB[A0015509.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS53.CAB[A0015510.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS59.CAB[A0015549.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS59.CAB[A0015550.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS62.CAB[A0016581.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS62.CAB[A0016582.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS69.CAB[W0028207.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS76.CAB[A0018762.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS76.CAB[A0018763.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS79.CAB[A0018814.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS79.CAB[A0018815.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS81.CAB[A0018849.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS81.CAB[A0018850.CPY]
Adware:Adware/InstaFinder No disinfected C:\_RESTORE\ARCHIVE\FS81.CAB[A0018877.CPY]
Spyware:Spyware/Altnet No disinfected C:\_RESTORE\ARCHIVE\FS81.CAB[A0018883.CPY]
Adware:Adware/P2PNetworking No disinfected C:\_RESTORE\ARCHIVE\FS82.CAB[A0018887.CPY]
Adware:Adware/P2PNetworking No disinfected C:\_RESTORE\ARCHIVE\FS82.CAB[A0018888.CPY]
Adware:Adware/P2PNetworking No disinfected C:\_RESTORE\ARCHIVE\FS82.CAB[A0018889.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS89.CAB[A0020028.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS89.CAB[A0020029.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS90.CAB[A0020046.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS90.CAB[A0020047.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS287.CAB[W0043239.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053616.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053618.CPY]
Virus:Bck/Cartoon No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053620.CPY]
Virus:Bck/Cartoon No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053622.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053624.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053626.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053628.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053630.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053632.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053634.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053636.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053638.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053640.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053642.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053644.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053646.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053648.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053650.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053652.CPY]
Adware:Adware/CWS.Aboutblank No disinfected C:\_RESTORE\ARCHIVE\FS457.CAB[A0053654.CPY]
Virus:Trj/Downloader.DUU Disinfected C:\WINDOWS\050218.exe
Adware:Adware/P2PNetworking No disinfected C:\hijackthis\backups\backup-20050409-033443-145.dll
Adware:Adware/InstaFinder No disinfected C:\hijackthis\backups\backup-20050409-033732-328.dll


Fairly long list, I guess. Anyway, I also ran the Silent Runners program. Here are the results of that one.

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"LoadQM" = "loadqm.exe" [MS]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"LXBSCATS" = "rundll32 C:\WINDOWS\SYSTEM\LXBStime.dll,_RunDLLEntry@16" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"Panda_cleaner_164509" = "C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 164509" ["Panda Software"]
"Panda_cleaner_153637" = "C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 153637" ["Panda Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"SSDPSRV" = "C:\WINDOWS\SYSTEM\ssdpsrv.exe" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"TrueVector" = "C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
PowerDesk Menu\(Default) = "{26E7F081-EB97-11d3-9239-006008D2D00F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ontrack\PowerDesk\pdshext.dll" ["Ontrack Data International, Inc."]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
PowerDesk Menu\(Default) = "{26E7F081-EB97-11d3-9239-006008D2D00F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ontrack\PowerDesk\pdshext.dll" ["Ontrack Data International, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\My Documents\My Pictures\Dec15006.JPG"


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

WIN.INI
[windows]
INFECTION WARNING! "run=LXBSppls.exe" ["Lexmark International, Inc."]

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\MYSTIF~1.SCR" (Mystify Your Mind.scr) [MS]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\SYSTEM\imslsp.dll ["Zone Labs, LLC"], 01 - 06, 17
C:\WINDOWS\SYSTEM\ZoneLabs\vetredir.dll ["Computer Associates International, Inc."], 07 - 09, 16
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 10
C:\WINDOWS\SYSTEM\msafd.dll [MS], 11 - 13
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 14 - 15


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "MSN" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.2001.0001\EN-CA\MSNTB.DLL" [file not found]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL" ["Yahoo! Inc."]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"


Here's my HijackThis log again, although I think it's the same as before.

Logfile of HijackThis v1.99.1
Scan saved at 5:35:04 PM, on 26/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\LXBSPPLS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\LXBSPSWX.EXE
C:\WINDOWS\SYSTEM\LXBSJSWX.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
F1 - win.ini: run=LXBSppls.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\SYSTEM\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunOnce: [Panda_cleaner_164509] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 164509
O4 - HKLM\..\RunOnce: [Panda_cleaner_153637] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 153637
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archives.ca/mrsidi_cab/MrSIDI.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...404/mcfscan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab


Sorry about the long post. Those are some fairly lengthy log files. Oh, and I really can't thank you enough for helping.

#6 Marko


Posted 26 September 2005 - 05:37 PM

Almost forgot. This is the web site that I'm redirected to.

//Mod edit: URL removed per HJT Tech request.

Edited by KoanYorel, 26 September 2005 - 05:47 PM.


#7 Joshuacat


Posted 26 September 2005 - 09:59 PM

There were detections of some items that had been removed before with HJT when you were here before. Your system restore points still have some remnants of spyware remaining. They're harmless (unless you restore them), but I will get you to remove them later. The Silent Runners log looks clean. The HJT log still shows the Trusted IP. We will get rid of that, and remove some files that were detected in the Panda scan in your last reply. We will finish off by doing a scan with Ad-aware. Besides the redirection to the search page, do you have any other symptoms?

After reviewing your log I see a few items that require our attention. Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

1. If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions; otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!


2. Download the following file to your desktop: http://www.mvps.org/winhelp2002/DelDomains.inf
Please do not use the program yet.


3. Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O15 - Trusted IP range: 206.161.125.149

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.


4. Turn on the viewing of hidden files:

* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
* Click Start, Programs and Accessories and open Windows Explorer.
* Select a hard drive from the left hand side of the Windows Explorer window.
* Select View the Entire contents of this drive.
* Close My Computer


5. Start in Safe Mode using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you are having problems, additional instructions on how to do this can be found here: How to start Windows in Safe mode.


6. Run DelDomains.inf: right-click it and select Install (no need to restart).

Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.


7. Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\SYSTEM\sdkna32.exe <---file
C:\WINDOWS\Start Menu\Programs\GAIN Publishing <--folder



8. Open Ad-aware and do a full scan. Remove all that it finds. If it does find something, run it again to make sure it comes up clean.

Restart your computer.

Please reply to this post with a new HiJackThis log. Let me know if you are still showing symptoms.


JC

Edited by Joshuacat, 26 September 2005 - 10:02 PM.

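The O15 (Trusted Zone) and F1 (win.ini run=) entries Joshuacat singles out in the post above are exactly the lines a small triage script can pull out of a HijackThis log before anyone reads the rest. The Python below is an added example written for this page; it is not a tool from the thread, from HijackThis or from any of the products named here. The sample log is constructed from a handful of entries Marko posted earlier in the thread, and the review reasons in REVIEW_REASONS are the editor's own one-line summaries of what those sections record.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
F1 - win.ini: run=LXBSppls.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
"""

# Every HijackThis entry starts with a section code (R0, F1, O2, O15, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.+)$")

# Sections that deserve a second look in a browser-redirect case. The wording is the
# editor's own summary (assumption), not HijackThis documentation.
REVIEW_REASONS = {
    "F1": "win.ini run= launch point: a legacy autostart; confirm the program and its publisher",
    "O15": "Trusted Zone entry: that site/IP range runs with relaxed IE security; remove if unknown",
    "O16": "Downloaded Program File: an ActiveX control fetched from the listed URL; confirm the host",
}


def parse_hjt(text):
    """Return (code, body) pairs for every recognised HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def section_counts(text):
    """Count entries per section code, e.g. {'R0': 1, 'F1': 1, ...}."""
    counts = {}
    for code, _ in parse_hjt(text):
        counts[code] = counts.get(code, 0) + 1
    return counts


def triage(text):
    """List the entries that fall in a review-worthy section, each with its reason."""
    findings = []
    for code, body in parse_hjt(text):
        reason = REVIEW_REASONS.get(code)
        if reason:
            findings.append({"code": code, "body": body, "reason": reason})
    return findings


def trusted_zone_entries(text):
    """Extract the site or IP range named by every O15 entry."""
    return [body.split(":", 1)[1].strip() for code, body in parse_hjt(text) if code == "O15"]


def dpf_hosts(text):
    """Extract the download host from every O16 (DPF) entry so it can be checked against what the user installed."""
    hosts = []
    for code, body in parse_hjt(text):
        if code == "O16":
            url = body.rsplit(" - ", 1)[1]
            hosts.append(urlparse(url).hostname)
    return hosts


if __name__ == "__main__":
    print("Entries per section:", section_counts(SAMPLE_LOG))
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['code']}] {finding['body']}\n    -> {finding['reason']}")
    print("Trusted Zone entries:", trusted_zone_entries(SAMPLE_LOG))
    print("DPF download hosts:", dpf_hosts(SAMPLE_LOG))
```

On the sample above the script reports the single O15 range that the helper has Marko fix, the win.ini launch point that Silent Runners had already flagged, and the host each ActiveX control came from; the O2/O3/O4 entries from well-known publishers are parsed and counted but not flagged. A real run would feed it the full pasted log instead of SAMPLE_LOG.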

#8 Marko


Posted 27 September 2005 - 11:28 AM

I did what you asked me to do, and guess what? It worked! Problem solved. Thank you so very much for spending time to help. This really made my day.

#9 Joshuacat


Posted 27 September 2005 - 12:04 PM

Marko: That's great!

Could I see one last HiJackThis log to ensure that everything is showing that you are clean? If you are clean, I will give you instructions to turn on hidden files and to clear your restore points. I will also let you know what you need to do to make your computer more secure.

JC

#10 Marko


Posted 27 September 2005 - 08:23 PM

Sure thing.

Logfile of HijackThis v1.99.1
Scan saved at 8:25:15 PM, on 27/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\LXBSPPLS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\LXBSPSWX.EXE
C:\WINDOWS\SYSTEM\LXBSJSWX.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
F1 - win.ini: run=LXBSppls.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\SYSTEM\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archives.ca/mrsidi_cab/MrSIDI.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...404/mcfscan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab

#11 Joshuacat


Posted 27 September 2005 - 09:27 PM

Log looks clean... great job!

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section deselect the radio button labeled Show hidden files and folders.
6. Add a checkmark to the checkbox labeled Hide file extensions for known file types.
7. Add a checkmark to the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.


Disable and Enable System Restore. - Since you are using Windows ME, you should disable and enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to disable and enable system restore here:

Managing Windows Millennium System Restore

--------------------------------------------------------------
Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detection and Removal Programs:

You already have 2 good anti-spyware detection programs: SpyBot and Ad-Aware. It is important that all of these programs are updated, and that you run full system scans on a regular basis.

Please see the following tutorials below:

How to use Ad-Aware to remove Spyware
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers



Prevention Programs:

I recommend the following two programs that will help prevent an infection:

Spywareblaster - SpywareBlaster will prevent spyware from being installed.
Spywareguard - SpywareGuard offers realtime protection from spyware installation attempts.

Both programs complement one another.


Other necessary Programs:

Anti-virus program - It looks like you have an anti-virus program. It is important that this program is updated, and you run a full system scan on a regular basis.

More Secure Browser - Internet Explorer is not the most secure or the best browser. There are safer and better alternatives available. I recommend Firefox; however, Opera and SlimBrowser are good as well.

Also, please read through the following tutorial:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help, and if there are any other problems related to your computer, please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

Thanks,
JC

#12 Marko


Posted 28 September 2005 - 11:58 PM

Ok I had a bit of a setback today. My problem returned. I was wondering if I should do what I did before, and then follow your advice in your last post right away if that would do it, or is it back to the drawing board?

#13 Joshuacat


Posted 29 September 2005 - 08:48 AM

Marko: What are your symptoms? Are you getting any pop-ups, and if so, what are they for? Or are you just being redirected to the website you posted before?
Please give me as many details as you can.

Let's do a scan and see what shows up.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with another HiJackThis Log, and the log from the Kaspersky scan.
JC

#14 Marko


Posted 29 September 2005 - 11:12 PM

No new symptoms, just that same site that I get redirected to when I try to use eBay. No other site seems to suffer that problem. I have eBay as my homepage as well. First eBay's site will load, and I can see the usual eBay page for 5 seconds or so, and then I am automatically sent to that same site as before. I can wait for eBay to load and then hit the stop button on the toolbar, and it prevents the annoying site from loading. Thus I can sort of use eBay; I just have to constantly hit stop every time I open a new page in eBay, such as when I search and a new page loads, or when I click on an auction and a new page loads.

I'm not sure how to describe it any further. I'm not getting any pop-ups or other problems. When I followed your post, right before I said the problem was solved, it had temporarily fixed my problem. It must have returned within a day, perhaps when I restarted the computer. The only websites I'm currently accessing are all pretty well known and safe.

Thanks for sticking with me on this one. Also, here's the Kaspersky log and HijackThis log.

KASPERSKY ON-LINE SCANNER REPORT
Thursday, September 29, 2005 22:58:12
Operating System: Microsoft Windows Millennium Edition
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 30/09/2005
Kaspersky Anti-Virus database records: 151765
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 25033
Number of viruses found: 14
Number of infected objects: 153
Number of suspicious objects: 0
Duration of the scan process: 3395 sec

Infected Object Name - Virus Name
c:\_RESTORE\TEMP\A0056734.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0058788.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0060820.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0060879.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0060881.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0060883.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0060885.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0060887.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0060889.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0060891.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0060893.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0060895.CPY Infected: not-a-virus:AdWare.Win32.Simbar.b
c:\_RESTORE\TEMP\A0061920.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0061929.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0062939.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0005884.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0005885.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0005887.CPY Infected: Trojan-Downloader.Win32.Delf.cb
c:\_RESTORE\TEMP\A0005888.CPY Infected: Trojan-Downloader.Win32.Delf.cb
c:\_RESTORE\TEMP\A0005889.CPY Infected: Trojan-Downloader.Win32.Delf.cb
c:\_RESTORE\TEMP\A0005890.CPY Infected: Trojan-Downloader.Win32.Delf.cb
c:\_RESTORE\TEMP\A0005891.CPY Infected: Trojan-Downloader.Win32.Delf.cb
c:\_RESTORE\TEMP\A0005892.CPY Infected: Trojan-Downloader.Win32.Delf.cb
c:\_RESTORE\TEMP\A0005893.CPY Infected: Trojan-Downloader.Win32.Agent.dk
c:\_RESTORE\TEMP\A0005894.CPY Infected: Trojan-Downloader.Win32.Agent.dk
c:\_RESTORE\TEMP\A0005895.CPY Infected: Trojan-Downloader.Win32.Agent.dk
c:\_RESTORE\TEMP\A0005896.CPY Infected: Trojan-Downloader.Win32.Agent.dk
c:\_RESTORE\TEMP\A0008059.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0008060.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0009285.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0009286.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A0009290.CPY Infected: Trojan-Downloader.Win32.Agent.dk
c:\_RESTORE\ARCHIVE\FS9.CAB/A0000240.CPY Infected: Trojan-Downloader.Win32.Agent.dk
c:\_RESTORE\ARCHIVE\FS9.CAB/A0000241.CPY Infected: Trojan-Downloader.Win32.Agent.dk
c:\_RESTORE\ARCHIVE\FS9.CAB/A0000243.CPY Infected: Trojan-Downloader.Win32.Donn.ab
c:\_RESTORE\ARCHIVE\FS9.CAB/A0000244.CPY Infected: Trojan-Downloader.Win32.Donn.ab
c:\_RESTORE\ARCHIVE\FS9.CAB/A0000246.CPY Infected: Trojan-Dropper.Win32.Small.oy
c:\_RESTORE\ARCHIVE\FS9.CAB/A0000247.CPY Infected: Trojan-Dropper.Win32.Small.oy
c:\_RESTORE\ARCHIVE\FS9.CAB Infected: Trojan-Dropper.Win32.Small.oy
c:\_RESTORE\ARCHIVE\FS4.CAB/A0000112.CPY Infected: Trojan-Downloader.Win32.Donn.ab
c:\_RESTORE\ARCHIVE\FS4.CAB/A0000113.CPY Infected: Trojan-Downloader.Win32.Donn.ab
c:\_RESTORE\ARCHIVE\FS4.CAB/A0000115.CPY Infected: Trojan-Downloader.Win32.Agent.dk
c:\_RESTORE\ARCHIVE\FS4.CAB/A0000116.CPY Infected: Trojan-Downloader.Win32.Agent.dk
c:\_RESTORE\ARCHIVE\FS4.CAB Infected: Trojan-Downloader.Win32.Agent.dk
c:\_RESTORE\ARCHIVE\FS6.CAB/A0000171.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS6.CAB/A0000172.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS6.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS7.CAB/A0000215.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS7.CAB/A0000216.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS7.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS12.CAB/A0000552.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS12.CAB/A0000553.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS12.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS15.CAB/A0000652.CPY Infected: Trojan-Downloader.Win32.Agent.dk
c:\_RESTORE\ARCHIVE\FS15.CAB/A0000653.CPY Infected: Trojan-Downloader.Win32.Agent.dk
c:\_RESTORE\ARCHIVE\FS15.CAB Infected: Trojan-Downloader.Win32.Agent.dk
c:\_RESTORE\ARCHIVE\FS17.CAB/A0001629.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS17.CAB/A0001630.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS17.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS18.CAB/A0001718.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS18.CAB/A0001719.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS18.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS24.CAB/A0005800.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS24.CAB/A0005801.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS24.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS25.CAB/A0005823.CPY Infected: Trojan-Downloader.Win32.Agent.dk
c:\_RESTORE\ARCHIVE\FS25.CAB/A0005824.CPY Infected: Trojan-Downloader.Win32.Agent.dk
c:\_RESTORE\ARCHIVE\FS25.CAB/A0005826.CPY Infected: Trojan-Downloader.Win32.Donn.ab
c:\_RESTORE\ARCHIVE\FS25.CAB/A0005827.CPY Infected: Trojan-Downloader.Win32.Donn.ab
c:\_RESTORE\ARCHIVE\FS25.CAB/A0005829.CPY Infected: Trojan-Dropper.Win32.Small.oy
c:\_RESTORE\ARCHIVE\FS25.CAB/A0005830.CPY Infected: Trojan-Dropper.Win32.Small.oy
c:\_RESTORE\ARCHIVE\FS25.CAB/A0005832.CPY Infected: Trojan-Downloader.Win32.Donn.ab
c:\_RESTORE\ARCHIVE\FS25.CAB/A0005833.CPY Infected: Trojan-Downloader.Win32.Donn.ab
c:\_RESTORE\ARCHIVE\FS25.CAB/A0005845.CPY Infected: Trojan-Downloader.Win32.Small.ajy
c:\_RESTORE\ARCHIVE\FS25.CAB/A0005846.CPY Infected: Trojan-Downloader.Win32.Small.ajy
c:\_RESTORE\ARCHIVE\FS25.CAB Infected: Trojan-Downloader.Win32.Small.ajy
c:\_RESTORE\ARCHIVE\FS27.CAB/A0006925.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS27.CAB/A0006926.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS27.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS30.CAB/A0007973.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS30.CAB/A0007974.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS30.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS35.CAB/A0008125.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS35.CAB/A0008126.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS35.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS36.CAB/A0008182.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS36.CAB/A0008183.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS36.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS37.CAB/A0008211.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS37.CAB/A0008212.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS37.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS38.CAB/A0008246.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS38.CAB/A0008247.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS38.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS50.CAB/A0013473.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS50.CAB/A0013474.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS50.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS53.CAB/A0015509.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS53.CAB/A0015510.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS53.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS59.CAB/A0015549.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS59.CAB/A0015550.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS59.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS62.CAB/A0016581.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS62.CAB/A0016582.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS62.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS69.CAB/W0028207.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS69.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS76.CAB/A0018762.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS76.CAB/A0018763.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS76.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS79.CAB/A0018814.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS79.CAB/A0018815.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS79.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS81.CAB/A0018849.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS81.CAB/A0018850.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS81.CAB/A0018877.CPY/stream Infected: not-a-virus:AdWare.Win32.404Search.h
c:\_RESTORE\ARCHIVE\FS81.CAB/A0018877.CPY Infected: not-a-virus:AdWare.Win32.404Search.h
c:\_RESTORE\ARCHIVE\FS81.CAB/A0018883.CPY Infected: not-a-virus:AdWare.Win32.Altnet.d
c:\_RESTORE\ARCHIVE\FS81.CAB Infected: not-a-virus:AdWare.Win32.Altnet.d
c:\_RESTORE\ARCHIVE\FS89.CAB/A0020028.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS89.CAB/A0020029.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS89.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS90.CAB/A0020046.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS90.CAB/A0020047.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS90.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS190.CAB/A0024964.CPY Infected: not-a-virus:AdWare.Win32.FunWeb.a
c:\_RESTORE\ARCHIVE\FS190.CAB Infected: not-a-virus:AdWare.Win32.FunWeb.a
c:\_RESTORE\ARCHIVE\FS287.CAB/W0043239.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS287.CAB Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053614.CPY Infected: Trojan-Proxy.Win32.Delf.q
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053616.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053618.CPY Infected: Trojan.Win32.StartPage.uo
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053620.CPY Infected: Trojan-Dropper.Win32.Agent.jt
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053622.CPY Infected: Trojan-Downloader.Win32.Small.bck
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053624.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053626.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053628.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053630.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053632.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053634.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053636.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053638.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053640.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053642.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053644.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053646.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053648.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053650.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053652.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB/A0053654.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS457.CAB Infected: Trojan.Win32.StartPage.vr
c:\hijackthis\backups\backup-20050409-033732-328.dll Infected: not-a-virus:AdWare.Win32.404Search.h

Scan process completed.

_________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 11:13:58 PM, on 29/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\LXBSPPLS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\LXBSPSWX.EXE
C:\WINDOWS\SYSTEM\LXBSJSWX.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
F1 - win.ini: run=LXBSppls.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\SYSTEM\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archives.ca/mrsidi_cab/MrSIDI.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...404/mcfscan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

#15 Joshuacat

Joshuacat

    01001010 01000011


  • Members
  • 1,950 posts
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:08:16 AM

Posted 30 September 2005 - 03:02 PM

Nothing showing really. Just a few items that are in your system restore, and one item that is in the back-up directory for HJT - these are normal. I mentioned in my clean-up speech how to disable and re-enable your system restore points.

Let's try to reset IE back to its search defaults and see if that helps.

Download this .reg file to a temporary place, like Desktop. http://www.spywareinfo.com/downloads/tools/IEFIX.reg
Double-click on it and answer Yes.
It will restore all the default Search settings for IE.

Reboot and try it again. Let me know if that helps.
JC
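As an added example (it is not code from this thread, from HijackThis, or from the helper), here is a small Python triage script for the kind of log posted above. It parses the line types that appear in the log (R0, F1, O2, O4, O16), pulls out the name, CLSID, file path or URL of each entry, and attaches review notes of the sort a helper checks by hand: the legacy win.ini run= entry the original poster asked about, an add-on with no display name, rundll32 loading a DLL at logon, and O16 download URLs that the forum display truncated with "...". The sample input is an excerpt of the log above; the heuristics, the `Entry` fields and the function names are my own assumptions, and the notes mark items for review rather than giving verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Excerpt of the HijackThis log posted in this thread (lines copied, not constructed).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
F1 - win.ini: run=LXBSppls.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\SYSTEM\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...404/mcfscan.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab
"""


@dataclass
class Entry:
    """One parsed HijackThis line (field layout is this example's own)."""
    section: str                  # R0, F1, O2, O4, O16, ...
    body: str                     # text after "Xn - "
    name: Optional[str] = None    # registry value, BHO name, Run key name, control name
    clsid: Optional[str] = None   # {GUID} if one appears on the line
    target: Optional[str] = None  # file path, command line or URL the entry points at
    notes: List[str] = field(default_factory=list)


LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry, or None for blanks and header lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    e = Entry(section=section, body=body)
    c = CLSID_RE.search(body)
    if c:
        e.clsid = c.group(0)
    if section.startswith("R"):
        # "key,value = data": the data is what a start-page hijacker rewrites
        e.name, _, e.target = body.partition(" = ")
    elif section == "F1":
        # win.ini run=/load= lines: legacy Win9x/ME autostart
        f = re.search(r"(run|load)=(.*)$", body)
        if f:
            e.name, e.target = f.group(1), f.group(2).strip()
    elif section in ("O2", "O3"):
        parts = body.split(" - ")
        e.name = parts[0].split(": ", 1)[-1]
        e.target = parts[-1]
    elif section == "O4":
        o = re.search(r"\[(.+?)\]\s*(.*)$", body)
        if o:
            e.name, e.target = o.group(1), o.group(2)
    elif section == "O16":
        n = re.search(r"\((.+?)\)", body)
        e.name = n.group(1) if n else None
        e.target = body.split(" - ")[-1]
    annotate(e)
    return e


def annotate(e: Entry) -> None:
    """Attach review notes; these are prompts for a human, not malware verdicts."""
    if e.section == "F1":
        e.notes.append("legacy win.ini autostart; confirm the binary is a known vendor component")
    if e.section in ("O2", "O3") and e.name == "(no name)":
        e.notes.append("add-on has no display name; identify it by CLSID and file path")
    if e.section == "O4" and e.target and e.target.lower().startswith("rundll32"):
        e.notes.append("rundll32 loads a DLL at logon; verify the DLL's publisher")
    if e.section == "O4" and "RunServices" in e.body:
        e.notes.append("RunServices entry starts before logon on Win9x/ME")
    if e.section == "O16" and e.target:
        if "..." in e.target:
            e.notes.append("URL truncated by the forum display; get the full URL from the original log")
        e.notes.append(f"ActiveX download host: {urlparse(e.target).netloc}")
    if e.section.startswith("R") and e.target:
        e.notes.append(f"browser setting points at {urlparse(e.target).netloc}")


def triage(log_text: str) -> List[Entry]:
    """Parse every recognised line of a HijackThis log, in order."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def summary(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per section, preserving first-seen order."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:4} {e.name!s:30} {e.target}")
        for note in e.notes:
            print(f"       - {note}")
```

The script deliberately keeps the "is this normal?" decision with the reader: it surfaces the facts (section, CLSID, path, host) and the questions to ask, which is the same process the helpers in this thread walk through by eye.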



