
Help!


15 replies to this topic

#1 DebbieHunter

  • Members
  • 25 posts

Posted 31 January 2006 - 02:01 PM

When I try to access the internet I keep getting page not found. I haven't had Earthlink in about a year and am a cable internet user with Comcast. Would someone please look at my log and tell me what's wrong here?

Thank you


Logfile of HijackThis v1.99.1
Scan saved at 10:56:52 AM, on 1/31/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\PAVFNSVR.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\PSIMSVC.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\FIREWALL\PNMSRV.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\TPSRV9X.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\APVXDWIN.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\WEBROOT\WASHER\WWDISP.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\WEBPROXY.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html
R3 - URLSearchHook: (no name) - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN3\YT.DLL
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [PavProc] "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe"
O4 - HKLM\..\RunServices: [PAVFNSVR] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe"
O4 - HKLM\..\RunServices: [PSIMSVC] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PSIMSVC.exe"
O4 - HKLM\..\RunServices: [PNMSRV] "c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE"
O4 - HKLM\..\RunServices: [TPSrv9x] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv9x.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.2.21/flin...r-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.9.4.30...o-ob-assets.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup...er/imloader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = earthlink.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.217.77.82,207.217.120.83


#2 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,522 posts

Posted 05 February 2006 - 12:08 PM

Hi DebbieHunter,

Before anyone can help you we need to know if you are going to try our suggestions and give feedback on what has worked and what hasn't. You've posted about issues with Earthlink and Norton before; advice has been given, but we've not heard back from you as to what worked and what didn't. For most problems now, and especially for your recurring problem, you really can't and shouldn't expect a one-shot fix. If you want us to help you we need feedback from you--you need to help us figure out what exactly the problem is so we can then figure out how to fix it.

So can you please tell me if you followed the instructions in these two posts:
http://www.bleepingcomputer.com/forums/ind...topic=33395&hl=
http://www.bleepingcomputer.com/forums/ind...topic=38577&hl=

Then post a fresh HijackThis log and give me as much information as you can as to what could be triggering reversion back to Earthlink and Norton.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 DebbieHunter
  • Topic Starter

  • Members
  • 25 posts

Posted 06 February 2006 - 12:47 AM

I have done everything from the previous posts. All my icons keep changing on my desktop and documents, and when I access the internet, most times I get page not found and I have to click on my home button in my browser. I also uninstalled Zone Alarm and I get a vsdata95 error every time I boot my computer.

here's my new log:

Logfile of HijackThis v1.99.1
Scan saved at 9:44:18 PM, on 2/5/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\PAVFNSVR.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\PSIMSVC.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\FIREWALL\PNMSRV.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\TPSRV9X.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\APVXDWIN.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\WEBROOT\WASHER\WWDISP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\WEBPROXY.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN3\YT.DLL
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [PavProc] "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe"
O4 - HKLM\..\RunServices: [PAVFNSVR] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe"
O4 - HKLM\..\RunServices: [PSIMSVC] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PSIMSVC.exe"
O4 - HKLM\..\RunServices: [PNMSRV] "c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE"
O4 - HKLM\..\RunServices: [TPSrv9x] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv9x.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.2.21/flin...r-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.9.4.30...o-ob-assets.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup...er/imloader.cab

Thanks

Debbie

#4 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,522 posts

Posted 06 February 2006 - 08:40 PM

OK, your log looks better. There is no active malware in your log, just one leftover in the first one you posted. Still some leftovers from previous installs of Norton and Earthlink, fix these also/again:

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)


Reboot and post a new log to see if the fix "took".

After looking over some of your older threads I see you had Ghost installed as part of Norton's System Works. It looks like somehow part of Ghost is still active and doing at least a partial restoration. Or you have some other software that takes a snapshot of your system and does an automatic restoration, possibly System Mechanic. It would be helpful to know exactly what you were doing just before Earthlink and Norton get restored to your registry and if you knowingly have another program set up to take and restore a snapshot of your system.

Norton and some other security tools like firewalls that have to embed themselves deep into your system are not easy to uninstall properly. Even done properly, sometimes the programs don't go quietly. With Norton you pretty much have to use a removal tool. If I'm correct about Ghost restoring old reg entries, then it would probably help to run the removal tool for it first. But I need to know which version of Ghost or System Works you had installed in order to use the correct removal tool. For example, if you had the Works package installed, was it Norton SystemWorks 2006 or Norton SystemWorks 2006 Basic Edition or exactly what. Or if you didn't have an entire package installed, but added things like the antivirus and Ghost separately, I would need to know that and those versions too. For example:
Norton AntiVirus 2004
Norton AntiVirus Professional 2004
Norton Ghost 2003
Norton Ghost 10.0
NAV 2003
NIS 2003


Etc.

And before trying to root out these programs in the registry, it would be best to uninstall Panda Titanium 2006 as it may interfere with what you want to do or become damaged. Has that been paid for or is it a trial, and do you have a backup copy of the installation files and license key?

To be very honest with you, with all these types of failed uninstalls and as long as you've been struggling with all this, I think you would be better off to back up all your critical data and do a reformat and reinstall. Throw in the possible use of Registry Mechanic and the way IncrediMail works, and solving this becomes all the more difficult. Win 98 can especially benefit from a reinstall--either way you go is going to be time consuming. If you want to go that route let me know, and if so, do you have your installation CD?

If you still want to continue, I may know of a way to solve the error associated with ZoneAlarm but will still need some more information. First, what is the exact error message you get? Please write it down and post it back here. Second, please do the following:

Download Registry Search.

- Create a new folder on your desktop named Regsearch
- Extract the regsearch.zip file to the newly created folder.
- Open the Regsearch folder and double click regsearch.exe to start the program.
- Use copy and paste to enter the following text to search for and click OK.

vsdata95

- Notepad will be opened with text in it (the file will also be saved in the Regsearch folder as well).

Post this text in your next reply.

One more thing. Did you install this program yourself and do you use it? If so how?
NVClock

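The triage applied in this post (an entry whose last field is "(no file)" or "(file missing)" is a registry hook whose DLL or EXE is already gone, an uninstall leftover rather than live malware) and the comparison between the first and second logs can be done mechanically. The script below is an added example for this thread; it is not part of HijackThis or of any post. The two sample logs are constructed subsets of the logs quoted in posts #1 and #3, and the script also pulls out the O17 MSTCP Domain/NameServer values, which in the first log still point at Earthlink resolvers on a machine that is now on Comcast (those lines are absent from the second log). Function and constant names are my own.

```python
"""Triage HijackThis 1.99.1 logs: orphaned hooks, hard-coded DNS, diff of two scans.

Added example for this thread, not part of HijackThis or of the posts. The
sample logs are constructed subsets of the two logs quoted in the thread.
"""
import re

# Constructed subset of the 31 Jan log (post #1).
LOG_JAN31 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html
R3 - URLSearchHook: (no name) - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = earthlink.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.217.77.82,207.217.120.83
"""

# Constructed subset of the 5 Feb log (post #3): the R1/R3/O17 lines are gone.
LOG_FEB5 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

_ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
_ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """One dict per R/O line; the header and 'Running processes' paths are skipped."""
    entries = []
    for raw in (ln.strip() for ln in text.splitlines()):
        m = _ENTRY.match(raw)
        if not m:
            continue
        body = m.group("body")
        clsid = _CLSID.search(body)
        # HJT puts the file, URL or "(no file)" after the last " - ".
        target = body.rsplit(" - ", 1)[-1].strip()
        entries.append({"raw": raw, "section": m.group("sec"), "body": body,
                        "clsid": clsid.group(0).upper() if clsid else None,
                        "target": target})
    return entries


def orphaned_hooks(entries):
    """Hooks whose DLL/EXE no longer exists: uninstall leftovers, safe to fix."""
    return [e for e in entries if e["target"].endswith(_ORPHAN_MARKERS)]


def hardcoded_dns(entries):
    """O17 MSTCP values (Win9x TCP/IP settings): {'Domain': str, 'NameServer': [ip, ...]}."""
    out = {}
    for e in entries:
        if e["section"] != "O17":
            continue
        _, _, setting = e["body"].partition(": ")
        name, _, value = setting.partition(" = ")
        out[name] = value.split(",") if name == "NameServer" else value
    return out


def diff_logs(old_text, new_text):
    """(removed, added) entries between two scans of the same machine."""
    old = {e["raw"] for e in parse_hjt(old_text)}
    new = {e["raw"] for e in parse_hjt(new_text)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    jan = parse_hjt(LOG_JAN31)
    print("orphaned hooks (fix in HijackThis):")
    for e in orphaned_hooks(jan):
        print("  ", e["raw"])
    print("O17 DNS settings:", hardcoded_dns(jan))
    removed, added = diff_logs(LOG_JAN31, LOG_FEB5)
    print("gone since first log:", *removed, sep="\n  ")
    print("new since first log:", *added, sep="\n  ")
```

Run against the two full logs the output is the same four orphaned hooks the post asks to fix, plus the R1, R3 and O17 Earthlink entries that disappeared between the scans. Hard-coded resolvers for an ISP the machine no longer uses are worth checking whenever the complaint is "page not found" on an otherwise clean log.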

#5 DebbieHunter
  • Topic Starter

  • Members
  • 25 posts

Posted 07 February 2006 - 12:45 AM

I used to have SystemWorks 2003 and it was totally destroyed by a virus, so an IT guy I know installed Norton Corporate and then it was destroyed again by a virus, he re-installed it and wham, it happened again, so I followed instructions to remove Norton from my system (took me about 3 hours) and purchased Panda. Panda was actually the software that found all the garbage on my computer. Norton did absolutely nothing for me. Anyhow, after removing Norton, the entry was still in my add/remove programs and I could not get rid of it, so I ignored it. I just went in to add/remove and it's gone and so is the folder in my Programs! As to what NV Clock is, I have no idea. When this first happened, my husband was checking the status of a bass that he had custom built for him, the screen flashed blue, everything was disabled. I had to reinstall everything from Acrobat to ActiveX, even my windows update stopped working! I will run the program now in regards to my vsdata95 issue. I had to have a reformat about a year and a half ago and really do not want to go that route again.

Here's my current log:

Logfile of HijackThis v1.99.1
Scan saved at 9:32:38 PM, on 2/6/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\PAVFNSVR.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\PSIMSVC.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\FIREWALL\PNMSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\TPSRV9X.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\APVXDWIN.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\WEBROOT\WASHER\WWDISP.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\WEBPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\AVCIMAN.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\PSIMREAL.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN3\YT.DLL
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [PavProc] "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe"
O4 - HKLM\..\RunServices: [PAVFNSVR] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe"
O4 - HKLM\..\RunServices: [PSIMSVC] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PSIMSVC.exe"
O4 - HKLM\..\RunServices: [PNMSRV] "c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE"
O4 - HKLM\..\RunServices: [TPSrv9x] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv9x.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.2.21/flin...r-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.9.4.30...o-ob-assets.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup...er/imloader.cab


Thanks for all your help

Debbie

#6 DebbieHunter
  • Topic Starter

  • Members
  • 25 posts

Posted 07 February 2006 - 12:56 AM

here's the log from RegSearch:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.0.1

; Results at 2/6/06 9:52:05 PM for strings:
; 'vsdata95 '
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...


I re-booted and it's vsdata95.vxd and here's another log on that search:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.0.1

; Results at 2/6/06 9:55:59 PM for strings:
; 'vsdata95.vxd'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VSDATA95]
"StaticVxD"="vsdata95.vxd"

; End Of The Log...

From what researching I did on this, it's apparently associated with Zone Alarm

thanks again

Debbie

#7 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,522 posts

Posted 07 February 2006 - 10:43 PM

Yep, vsdata95.vxd is Zone Alarm and should be causing the error on boot. Not sure if it's causing the problem with internet access. As I understand it, that problem can be caused if you did not disable ZA before uninstalling it. The preferred way to resolve that problem is to reinstall ZA, then disable it and then uninstall, but we don't want to do that as long as Panda's Firewall is active.

Let's try cleaning up any remnants you may have and see how it goes.

Download the following attached regfile, ZAFix.reg, and save it to your desktop.

Reboot your computer into Safe Mode.

Double-click ZAFix.reg and allow it to merge with your registry.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Click Start >> Find and select your local hard drive, type in VSDATA*.* and click on the Find Now button.

If you find any files named VSDATA95 or VSDATANT, delete them (you can do this directly from the Search window by right-clicking on the file and select delete).

Now in the Find field, type in INTERNET LOGS and click Search.

You should see an INTERNET LOGS folder. Delete it.

Empty your recycle bin and boot back into normal mode.

If you get the VSDATA95 or VXD error on boot, just OK it and run the ZAFix.reg file again. Test by rebooting and let me know if the error goes away and if your internet access is better.

Correcting the Ghost possibly still restoring your system to an earlier state will be a bit more complex and is why I think a reformat would be the way to go. SystemWorks 2003 doesn't appear to have a removal tool and Corporate Edition on top of that... We can give it a shot if you want, but there are no guarantees and you may wind up having to reformat anyway.

NV Clock appears to be "a small utility that allows users to overclock NVIDIA based video cards running on the Linux platform." Although it does appear it can be used on Windows.
http://www.linuxhardware.org/nvclock/

Have you or your husband looked into Linux or overclocking? May not be related to your problem but overclocking can contribute to stability issues. I would leave it alone for now unless you know how to safely remove it.

Also let me see a bit more information on your system and to make sure there isn't any more malware hanging around.

Download WinPFind!
  • Extract WinPFind.zip to your c:\ folder.
  • Reboot your computer into Safe Mode
  • Then open c:\WinPFind and double-click on WinPFind.exe.
  • When the program is open, click on the Start Scan button to start scanning your computer.
  • Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed.
  • Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.



The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#8 DebbieHunter

DebbieHunter
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 08 February 2006 - 12:35 AM

woo hoo....vsdata is gone!!!!! The internet goes to my home page every time. I did see something while I was searching for vsdata....it's Zone Alarm containing Earthlink information!!!!! I uninstalled Zone Alarm following instructions on their site. I really dislike that program and was really sorry I actually bought it!!!!!!!!!! It's in my applications

As for the clock, at one time I was looking into Unix, but never downloaded anything. Way too complicated for me...I believe that was late 2005

Here's my log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Windows 98 Version: 4.10.2222
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 10/23/05 2:42:38 PM 16162093 C:\WINDOWS\LPT$VPN.907
qoologic 10/23/05 2:42:38 PM 16162093 C:\WINDOWS\LPT$VPN.907
SAHAgent 10/23/05 2:42:38 PM 16162093 C:\WINDOWS\LPT$VPN.907
web-nex 2/7/06 9:14:56 PM RH 1732640 C:\WINDOWS\USER.DAT
ad-w-a-r-e.com 2/7/06 9:14:56 PM RH 1732640 C:\WINDOWS\USER.DAT
UPX! 8/4/03 5:00:00 AM 44032 C:\WINDOWS\Unwash5.exe
UPX! 2/18/05 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/05 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
UPX! 1/10/05 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/23/05 2:42:38 PM 16162093 C:\WINDOWS\VPTNFILE.907
qoologic 10/23/05 2:42:38 PM 16162093 C:\WINDOWS\VPTNFILE.907
SAHAgent 10/23/05 2:42:38 PM 16162093 C:\WINDOWS\VPTNFILE.907
UPX! 5/3/05 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
web-nex 2/7/06 4:37:24 PM 1880096 C:\WINDOWS\USER.BAD
ad-w-a-r-e.com 2/7/06 4:37:24 PM 1880096 C:\WINDOWS\USER.BAD

Checking %System% folder...
UPX! 9/27/04 10:03:32 PM 119808 C:\WINDOWS\SYSTEM\thinInstOIT61MegaV2s.dlltmp
aspack 9/27/04 10:03:32 PM 119808 C:\WINDOWS\SYSTEM\thinInstOIT61MegaV2s.dlltmp
qoologic 2/26/05 12:27:44 PM 8616912 C:\WINDOWS\SYSTEM\pav.sig
aspack 2/26/05 12:27:44 PM 8616912 C:\WINDOWS\SYSTEM\pav.sig
SAHAgent 2/26/05 12:27:44 PM 8616912 C:\WINDOWS\SYSTEM\pav.sig
winsync 2/26/05 12:27:44 PM 8616912 C:\WINDOWS\SYSTEM\pav.sig
aspack 3/18/05 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM\d3dx9_25.dll
aspack 5/26/05 3:34:52 PM 2297552 C:\WINDOWS\SYSTEM\d3dx9_26.dll
aspack 7/22/05 7:59:04 PM 2319568 C:\WINDOWS\SYSTEM\d3dx9_27.dll
aspack 12/5/05 6:09:18 PM 2323664 C:\WINDOWS\SYSTEM\d3dx9_28.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2/7/06 9:14:56 PM RH 10657824 C:\WINDOWS\SYSTEM.DAT
2/7/06 9:14:56 PM RH 1732640 C:\WINDOWS\USER.DAT
2/5/06 11:17:42 PM H 26375 C:\WINDOWS\ttfCache
12/24/05 6:17:08 PM H 1192927 C:\WINDOWS\ShellIconCache
12/24/05 10:50:56 AM H 9793 C:\WINDOWS\HELP\windows.GID
2/7/06 9:00:42 PM HS 1092 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
1/1/06 2:34:20 PM HS 67 C:\WINDOWS\Temporary Internet Files\desktop.ini
1/20/06 9:47:40 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\desktop.ini
1/20/06 9:47:44 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\GTARWTM5\desktop.ini
1/20/06 10:03:22 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\WPM3OLUV\desktop.ini
1/20/06 9:47:46 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\4LERWTUB\desktop.ini
1/20/06 9:47:48 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\F33O6Z18\desktop.ini
1/20/06 10:03:26 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\Q36PUPCT\desktop.ini
1/20/06 9:47:48 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\Z5NJMG10\desktop.ini
1/20/06 9:47:50 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\CHMNSDMR\desktop.ini
1/20/06 9:47:50 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\C18RSH67\desktop.ini
1/20/06 9:47:54 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\I1B3DEOP\desktop.ini
1/20/06 9:55:26 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\IDCZA3GV\desktop.ini
1/21/06 7:49:22 AM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\GVXNPLPU\desktop.ini
1/21/06 7:49:34 AM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\4PANS5E7\desktop.ini
2/7/06 4:11:48 PM HS 82 C:\WINDOWS\History\desktop.ini
2/7/06 8:56:58 PM H 6 C:\WINDOWS\Tasks\SA.DAT
12/24/05 3:40:42 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini

Checking for CPL files...
Microsoft Corporation 4/23/99 10:22:00 PM 221280 C:\WINDOWS\SYSTEM\DESK.CPL
Microsoft Corporation 8/29/02 292352 C:\WINDOWS\SYSTEM\INETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 60928 C:\WINDOWS\SYSTEM\INTL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 420864 C:\WINDOWS\SYSTEM\MMSYS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 93248 C:\WINDOWS\SYSTEM\MODEM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14448 C:\WINDOWS\SYSTEM\NETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 7952 C:\WINDOWS\SYSTEM\ODBCCP32.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 47104 C:\WINDOWS\SYSTEM\PASSWORD.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 51984 C:\WINDOWS\SYSTEM\POWERCFG.CPL
Microsoft Corporation 5/1/02 6:51:36 PM 442368 C:\WINDOWS\SYSTEM\JOY.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 66048 C:\WINDOWS\SYSTEM\ACCESS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 72192 C:\WINDOWS\SYSTEM\APPWIZ.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 103424 C:\WINDOWS\SYSTEM\MAIN.CPL
4/23/99 10:22:00 PM 70656 C:\WINDOWS\SYSTEM\STICPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 387072 C:\WINDOWS\SYSTEM\SYSDM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14848 C:\WINDOWS\SYSTEM\TELEPHON.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 37376 C:\WINDOWS\SYSTEM\TIMEDATE.CPL
Microsoft Corporation 2/10/99 11:48:48 AM 40960 C:\WINDOWS\SYSTEM\FINDFAST.CPL
Sun Microsystems, Inc. 11/10/05 1:03:50 PM 49265 C:\WINDOWS\SYSTEM\jpicpl32.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
11/24/05 8:06:46 PM 0 C:\WINDOWS\Application Data\dm.ini
2/4/06 10:36:52 AM 14799 C:\WINDOWS\Application Data\dw.log
8/4/05 8:59:14 AM 74032 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\IMMenuShellExt
{F8984111-38B6-11D5-8725-0050DA2761C4} = C:\PROGRAM FILES\INCREDIMAIL\BIN\IMSHEXT.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Panda Antivirus
{65756541-C65C-11CD-0000-4B656E696100} = C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\SHELLTIT.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BitDefender Antivirus v8
{D653647D-D607-4DF6-A5B8-48D2BA195F7B} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
{AB77609F-2178-4E6F-9C4B-44AC179D937A} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Panda Antivirus
{65756541-C65C-11CD-0000-4B656E696100} = C:\PROGRAM FILES\PANDA SOFTWARE\PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE\SHELLTIT.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}
Comcast Toolbar = C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN3\YT.DLL
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} = Comcast Toolbar : C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
ButtonText = Yahoo! Messenger : C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{D7F30B62-8269-41AF-9539-B2697FA7D77E} = :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN3\YT.DLL
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} = Comcast Toolbar : C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TaskMonitor C:\WINDOWS\taskmon.exe
SystemTray SysTray.Exe
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
NVCLOCK Rundll32 nvclock.dll,fnNvclock
EPSON Stylus C62 Series C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
APVXDWIN "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
Gene USB Monitor C:\WINDOWS\SYSTEM\USBMonit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent mstask.exe
SAgent2ExePath C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
PavProc "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe"
PAVFNSVR "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe"
PSIMSVC "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PSIMSVC.exe"
PNMSRV "c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE"
TPSrv9x "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv9x.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IncrediMail C:\Program Files\IncrediMail\bin\IncMail.exe /c
Window Washer C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
RoxioEngineUtility "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RoxioDragToDisc "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
RoxioAudioCentral "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
projselector "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
CriticalUpdate C:\WINDOWS\SYSTEM\wucrtupd.exe -startup

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
Yahoo! Pager "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL

<<< WARNING! - NOT A VALID WIN98*Grinler KEY! >>>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs APITRAP.DLL


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2/7/06 9:20:48 PM
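As an added example (not part of the thread, and not WinPFind's own code), the following Python script aggregates the per-file signature hits from the "Checking ... folder..." sections of a WinPFind log like the one above. WinPFind prints one line per signature string per file, so a file packed with two packers appears twice; grouping by path shows at a glance which files carry several packer signatures, and which are multi-megabyte antivirus pattern databases that contain packer strings by nature (the log's own warning that not every listed file is bad). The sample lines are a constructed excerpt in the v1.4.1 layout; the extension list and the size cutoff are assumptions made for the example, not WinPFind's rules.

```python
"""Aggregate signature hits per file from a WinPFind log (added example, not WinPFind code)."""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed excerpt in the WinPFind v1.4.1 layout seen in the thread:
# <signature> <date> <time> [<attribute flags>] <size> <path>
SAMPLE_LOG = r"""
Checking %WinDir% folder...
PECompact2 10/23/05 2:42:38 PM 16162093 C:\WINDOWS\LPT$VPN.907
qoologic 10/23/05 2:42:38 PM 16162093 C:\WINDOWS\LPT$VPN.907
web-nex 2/7/06 9:14:56 PM RH 1732640 C:\WINDOWS\USER.DAT
UPX! 2/18/05 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/05 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! 9/27/04 10:03:32 PM 119808 C:\WINDOWS\SYSTEM\thinInstOIT61MegaV2s.dlltmp
aspack 9/27/04 10:03:32 PM 119808 C:\WINDOWS\SYSTEM\thinInstOIT61MegaV2s.dlltmp
aspack 3/18/05 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM\d3dx9_25.dll

Checking for CPL files...
Microsoft Corporation 4/23/99 10:22:00 PM 221280 C:\WINDOWS\SYSTEM\DESK.CPL
"""

HIT_RE = re.compile(
    r"^(?P<sig>\S+)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{2,4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?:(?P<attrs>[RHSA]+)\s+)?"      # optional DOS attribute flags (RH, HS, RHS ...)
    r"(?P<size>\d+)\s+"
    r"(?P<path>[A-Za-z]:\\.*)$"
)

# Extensions that are unremarkable in a Windows 98 system directory (assumption for the example).
COMMON_EXTS = {".exe", ".dll", ".sys", ".vxd", ".dat", ".cpl", ".ocx", ".drv", ".sig", ".ini"}
# Files at least this large are treated as pattern databases, not executables (assumption).
PATTERN_DB_BYTES = 5_000_000


@dataclass
class FileHits:
    path: str
    size: int
    mtime: str
    attrs: str
    signatures: set = field(default_factory=set)


def parse_winpfind(text):
    """Return {path: FileHits} for every hit line inside a 'Checking ... folder...' section."""
    hits = {}
    in_folder_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Checking "):
            # Only the per-folder sections use the signature-first line layout.
            in_folder_section = line.endswith("folder...")
            continue
        if not in_folder_section:
            continue
        m = HIT_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        entry = hits.setdefault(
            path,
            FileHits(path, int(m.group("size")),
                     f"{m.group('date')} {m.group('time')}", m.group("attrs") or ""),
        )
        entry.signatures.add(m.group("sig"))
    return hits


def triage(hits):
    """Rank files for a human to look at: more distinct signatures and an odd extension move a
    file up; multi-megabyte files (AV pattern databases that legitimately contain packer
    strings) move down. Returns [(score, path)] best candidate first."""
    ranked = []
    for h in hits.values():
        ext = ntpath.splitext(h.path)[1].lower()
        score = len(h.signatures)
        if ext not in COMMON_EXTS:
            score += 2                      # e.g. ".dlltmp" is not a normal system extension
        if h.size >= PATTERN_DB_BYTES:
            score -= 3
        ranked.append((score, h.path))
    ranked.sort(key=lambda item: (-item[0], item[1].lower()))
    return ranked


if __name__ == "__main__":
    for score, path in triage(parse_winpfind(SAMPLE_LOG)):
        print(f"{score:2d}  {path}")
```

Run against the excerpt, the odd-extension file in C:\WINDOWS\SYSTEM ranks first with two signatures, while the 16 MB pattern file that tripped three signature strings sinks to the bottom tier; the ranking is only an ordering for manual review, which is exactly how the helper used the log.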

#9 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:17 PM

Posted 10 February 2006 - 12:20 AM

Hi DebbieHunter,

Glad your access is back and sorry it's taken so long to get back to you. Would you say your main problem is solved now?

I only see one possible trace of malware in your Pfind log and there is not much information about it. Otherwise you have some other issues I can see, most of them not serious. Then again there is this bit of strangeness that may be causing some of your problems.

<<< WARNING! - NOT A VALID WIN98*Grinler KEY! >>>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs APITRAP.DLL



As the warning says you should not even have an AppInit_DLLs in the 98SE registry, but the APITRAP.DLL file itself belongs to Norton's Clean Sweep. I don't know as we should do anything about it for now as I would like to get some more information.

The one file I see that might be malicious is thinInstOIT61MegaV2s.dlltmp. Could you navigate to C:\WINDOWS\SYSTEM\thinInstOIT61MegaV2s.dlltmp and right click on it, choose properties and post back here the company name and version if listed? If it is something you don't recognize, scan it with jotti and post back the results.

A few things I'm seeing:

1. C:\WINDOWS\USER.BAD--Did you have problems with your user profile and renamed it from USER.DAT to USER.BAD? Or have another explanation as to how that file got there?

2. C:\WINDOWS\ShellIconCache--I'm not sure what is happening with your icons that you mentioned--how had they changed? Do you customize your icons or use a program to do so? ShellIconCache can be deleted if it's causing the problem, see here for how to do that and if it fits the description of your problem:
http://64.233.179.104/search?q=cache:mRNX0...us&ct=clnk&cd=1

3. The following can also be deleted safely if you choose. The first is a font cache that can sometimes cause problems, and the second is a sort of temp file related to Help files in 98:

C:\WINDOWS\ttfCache
C:\WINDOWS\HELP\windows.GID


4. There are a few reg entries in the toolbar area of the registry for Norton and Earthlink's popup blocker that should be relatively harmless. We can clean those up but before we do I'd like to see what else from Norton and Earthlink is hanging around.

Run RegSearch like you did before and search for the following terms/strings and post back the results:

Norton
Symantec
Live Update
Ghost
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
{D7F30B62-8269-41AF-9539-B2697FA7D77E}
Earthlink

Then let me know what else is going on now and what else you'd like to do.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
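The RegSearch runs requested in this thread (the vsdata95.vxd search earlier, and the Norton/Symantec/Earthlink/CLSID searches asked for above) all do the same thing: a case-insensitive substring search over registry key names, value names and value data, reported in REGEDIT4 layout. As an added example (not part of the thread and not RegSearch's own code), here is a small Python implementation of that search over a REGEDIT4 export. The sample export is constructed: the VSDATA95 key is the one shown earlier in the thread, while the Run and LiveUpdate entries are made up for the example. It also shows the pitfall visible in the thread's next log, where a stray forum markup tag ended up inside the search term: a term like "[b]norton" matches nothing, while "norton" finds the entry.

```python
"""Search a REGEDIT4 export in key paths, value names and value data (added example, not RegSearch code)."""
import re
from dataclasses import dataclass, field

# Constructed sample export; only the VSDATA95 key comes from the thread.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VSDATA95]
"StaticVxD"="vsdata95.vxd"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVCLOCK"="Rundll32 nvclock.dll,fnNvclock"
"ExampleAgent"="C:\\Program Files\\Norton SystemWorks\\agent.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Symantec\LiveUpdate]
@="example"
"Flags"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data  or  @=data  (default value); names may contain escaped quotes/backslashes
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


@dataclass
class RegKey:
    path: str
    values: list = field(default_factory=list)  # (name, data) with string escapes removed


def _unescape(s):
    """Undo REGEDIT4 string escaping (\\" and \\\\)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_data(data):
    """Quoted strings are unescaped; dword:/hex: data is left exactly as written."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    return data


def parse_reg(text):
    """Parse keys and single-line values (hex continuation lines are not needed for these logs)."""
    keys, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = RegKey(m.group(1))
            keys.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else _unescape(m.group(1))
            current.values.append((name, _decode_data(m.group(3))))
    return keys


def search_reg(text, terms):
    """Case-insensitive substring search over key paths, value names and value data.
    Returns [(key_path, key_matched, [(name, data), ...])] for every key with a hit."""
    needles = [t.lower() for t in terms]
    results = []
    for key in parse_reg(text):
        key_hit = any(n in key.path.lower() for n in needles)
        value_hits = [
            (name, data)
            for name, data in key.values
            if any(n in name.lower() or n in data.lower() for n in needles)
        ]
        if key_hit or value_hits:
            results.append((key.path, key_hit, value_hits))
    return results


def format_report(text, terms):
    """Render the hits in the REGEDIT4-style layout the thread's RegSearch logs use."""
    lines = ["REGEDIT4", "", "; Results for strings:"]
    lines += [f"; '{t}'" for t in terms]
    for path, _key_hit, value_hits in search_reg(text, terms):
        lines += ["", f"[{path}]"]
        lines += [f'"{name}"="{data}"' for name, data in value_hits]
    lines += ["", "; End Of The Log..."]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_REG, ["vsdata95.vxd"]))
    # A markup tag that slipped into the term matches nothing; the plain word does.
    print(search_reg(SAMPLE_REG, ["[b]norton"]))
    print(search_reg(SAMPLE_REG, ["norton"]))
```

Searching for "vsdata95.vxd" reproduces the thread's result exactly: the key itself does not match (its name is only VSDATA95), but its StaticVxD value does, so the key is listed with that one value under it. Searching "symantec" matches the LiveUpdate key by path alone with no value lines, and "live update" with a space finds nothing because the key is spelled LiveUpdate, which is the kind of spelling difference worth keeping in mind when a search comes back empty.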


#10 DebbieHunter

DebbieHunter
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 10 February 2006 - 01:18 AM

I will post the rest of the stuff you requested tomorrow.......it's late here and I popped in to see if you had replied yet, and thought I should post this immediately


here's the results of the Jotti Scan:



File: thinInstOIT61MegaV2s.dlltmp
Status: INFECTED/MALWARE
MD5 0f814b8b2ab5f24bc484077151d5bc4e
Packers detected: PE_PATCH
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found W32/Smalldrp.DIR
UNA Found nothing
VBA32 Found nothing

#11 DebbieHunter

DebbieHunter
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 10 February 2006 - 12:02 PM

Here's the first RegSearch log:


REGEDIT4

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.0.1

; Results at 2/10/06 9:00:05 AM for strings:
; '(b)norton'
; 'symantec'
; 'live update'
; 'ghost'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

Edited out for privacy and security reasons--I've saved a copy on my machine. PK

#12 DebbieHunter

DebbieHunter
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 10 February 2006 - 12:11 PM

I am posting the second log, but let me answer the questions you asked:

I never renamed User.Dat
I never customized my icons.......The ShellIconCache is not found and neither is ttfCache or Windows.GID

When I had the last infection and everything was disabled....when I was doing all my Windows updates again, I would get a message that Windows98 was not my current platform

Here's my log:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.0.1

; Results at 2/10/06 9:09:07 AM for strings:
; '(42cdd1bf-3ffb-4238-8ad1-7859df00b1d6)'
; '(d7f30b62-8269-41af-9539-b2697fa7d77e)'
; 'earthlink'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

Edited out for privacy and security reasons--I've saved a copy on my machine. PK

#13 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:17 PM

Posted 10 February 2006 - 01:00 PM

OK, thanks for the logs. As you can see you've still got a lot of Norton and Earthlink in your registry. It's a bit overwhelming so give me some time to look it over and come up with some ideas. Also as you may have noticed by now, I edited the logs--much of that doesn't need to be posted in public. I recommend you store your copies of the logs in a safe place.

Boot into safe mode and delete thinInstOIT61MegaV2s.dlltmp and let me know how it goes. Be sure to have your files and folders unhidden as instructed earlier. Were your files unhidden when you tried to delete the iconcache, etc., files?

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#14 DebbieHunter

DebbieHunter
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 10 February 2006 - 02:30 PM

thinInstOIT61megaV2s.dlltmp is gone now.........I have deleted the ttfCache and iconcache and the logs have been copied to my d drive

Thanks so much for all your help....looking forward to your reply on the other issues of Norton and Earthlink


Debbie Hunter

#15 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:17 PM

Posted 14 February 2006 - 11:50 PM

Hi, sorry for the delay. I haven't had much time to research this and I have to say that manually removing this from your registry is a bit beyond me as far as doing it safely. We generally stick to malware issues in the HJT forum and that appears to be resolved. I'm willing to continue on with some of this, but if my idea doesn't work I think you would be better served posting in the main forum where you can get help from others with more expertise and other ideas in this area.

The safest course that I would like to try is to reinstall the programs you want to get rid of and then uninstall them with the assistance of some other tools. Before we start that I need to know the answers to the following questions--sorry, I don't know much about System works and other Norton stuff except for NAV 2003 that I ran for a year:

1. SystemWorks 2003: Do you have the original CD or any other set of installation files so we can reinstall it? Did that include an antivirus?

2. Norton Corporate: Same question here. Does the IT guy you know still have a copy you can use or do you have a copy yourself? It would still be helpful to know the exact name and version of the product. I'm not sure exactly what happened when you tried to install this before from what you describe. If this was a recent version of Norton, they have engineered some anti-piracy protection, so that may have been the problem instead of malware. So was this actually installed? From looking at those reg logs I see a lot of System Works stuff and an antivirus, but I can't tell if Corporate Edition was ever fully installed.

3. Earthlink: I have more experience with. Got a couple of CD's they sent me. I'm not real confident on trying a reinstall/uninstall with it though. We might try it last, but let me know if you have a CD for it.

4. PANDA TITANIUM 2006 ANTIVIRUS + ANTISPYWARE: I still think it would be better to uninstall this before trying to root out Norton at least. I just looked over their website and as far as I know uninstalling it is pretty straightforward. As long as you have your license key, it can be reinstalled by downloading again if need be.

How's the PC running now?

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
