
NEED HELP with junked up computer


12 replies to this topic

#1 tv haus cheeks

tv haus cheeks

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:01 PM

Posted 17 November 2004 - 09:31 PM

Hello~
I have recently rid my computer of some sort of spyware virus, but there are still remnants of it present. There are random internet pop-ups on my computer, even when I'm not using Internet Explorer. Also, there are 2 files in the Microsoft Run folder in the Registry Editor that will not go away (Szep85lm.exe and CMESys.exe). My computer also seems to be slower than it should be. The only thing I've tried is Ad-Aware 6. Below is my HijackThis log, I hope you can help! Thank you in advance.



Logfile of HijackThis v1.98.2
Scan saved at 9:01:56 PM, on 11/17/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\Program Files\RSNet\RSEDNClient.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\WEATHE~1\THEWEA~1.EXE
C:\Documents and Settings\Paulie DiCicco\Application Data\urpo.exe
C:\WINDOWS\system32\??oolsv.exe
C:\Program Files\date manager\DateManager.exe
F:\iNsTaLL mE!\XP Themes\Y'z Dock\YzDock.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\ZibK.exe
C:\WINDOWS\System32\JscEyx.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.psu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32F93A27-C93C-78CE-DC02-12550DF4734E} - C:\WINDOWS\system32\iyvvdf.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Paulie DiCicco\Local Settings\Temp\U7.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Szep85lm.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\WEATHE~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Paulie DiCicco\Application Data\urpo.exe
O4 - HKCU\..\Run: [Fiyenxg] C:\WINDOWS\system32\??oolsv.exe
O4 - Startup: Shortcut to YzDock.exe.lnk = F:\iNsTaLL mE!\XP Themes\Y'z Dock\YzDock.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\date manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...245bc6f8b5fbb1c
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {B817734E-046C-11D3-B674-00104BA25195} (PSNQuerySystem Class) - http://pmb001.3m.com/pub/psnotes/psnudate.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/lo...1/bin/imvid.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll


#2 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  • Location:West Coast of Scotland
  • Local time:12:01 AM

Posted 18 November 2004 - 03:55 AM

Hi tv haus cheeks,

I'll be responsible for handling the review of your log. I will get back to you as soon as possible, so please be patient.

#3 tv haus cheeks

tv haus cheeks
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:01 PM

Posted 18 November 2004 - 07:41 AM

I appreciate your help very much penmore, please take your time.

#4 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  • Location:West Coast of Scotland
  • Local time:12:01 AM

Posted 19 November 2004 - 02:44 AM

Hello tv haus cheeks,

You have a Peper infection which we need to remove but first:
Download the removal tool : Peper Removal Tool

! NOTE: YOU MUST BE ONLINE WHEN RUNNING IT and let it have access to pass the firewall.

!!! Please run this twice with a reboot in between.

Please disconnect from the Internet whilst uninstalling these programs.
You have a Gator infection, please follow the removal instructions Removal Instructions

Please go to Start >> Control Panel >> Add/Remove Programs and remove the following:
My Search Bar
MyWay Speed Bar
My Web Search Bar
MidAddle
RSNet
DateManager
GMT

Run HijackThis
Click on the Scan button and when complete
Put a check beside all of the items listed below
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: (no name) - {32F93A27-C93C-78CE-DC02-12550DF4734E} - C:\WINDOWS\system32\iyvvdf.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Paulie DiCicco\Local Settings\Temp\U7.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Szep85lm.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Paulie DiCicco\Application Data\urpo.exe
O4 - HKCU\..\Run: [Fiyenxg] C:\WINDOWS\system32\??oolsv.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\date manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...245bc6f8b5fbb1c
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll

Close all open Explorer windows and browsers
Click on the "Fix Checked" button
When complete and all files removed, close the application

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Reboot your computer into Safe Mode.

Please delete the following files or folders (delete item in bold). Please do not be concerned if any of the items are not found, as they may have been automatically removed by actions I had you take earlier in the cleaning process.
C:\Program Files\MyWay
C:\WINDOWS\system32\iyvvdf.dll
C:\WINDOWS\System32\nvms.dll
C:\WINDOWS\System32\mscb.dll
C:\Documents and Settings\Paulie DiCicco\Local Settings\Temp\U7.dll
C:\WINDOWS\System32\msbe.dll
C:\WINDOWS\System32\Szep85lm.exe
C:\Program Files\Common Files\CMEII
C:\Program Files\RSNet
C:\Documents and Settings\Paulie DiCicco\Application Data\urpo.exe
C:\Program Files\date manager
C:\Program Files\Common Files\GMT
C:\WINDOWS\System32\mssaru.dll
Reboot your machine in normal mode, run HijackThis and post a new log.
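The selection above is the hard part of a HijackThis cleanup: deciding which O2/O3/O4/O16/O21 entries are worth fixing. As an added example (not code from the thread or from HijackThis), the Python script below applies the kind of heuristics a log reviewer uses for that first pass: a registration whose file is gone, an autorun that loads from a Temp or Application Data directory, a file name with substituted characters, a random-looking run value name, and the O16/O21 sections that always deserve a look. The sample lines are copied from the first log posted in this thread; the line patterns and reason strings are my own assumptions. The heuristics only shortlist entries for review, so a legitimate installer can trip them and a known-bad entry with an ordinary name can slip past, which is why the reviewer here confirms each item before it is fixed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: nine HijackThis v1.98.2 lines copied from the first log
# in this thread (two of them, NAV Helper and DellTouch, are legitimate).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Paulie DiCicco\Local Settings\Temp\U7.dll
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Szep85lm.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Paulie DiCicco\Application Data\urpo.exe
O4 - HKCU\..\Run: [Fiyenxg] C:\WINDOWS\system32\??oolsv.exe
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll
"""

CLSID = r"\{[0-9A-Fa-f-]+\}"
# One pattern per HijackThis section this script understands (assumed layout,
# derived from the log lines above, not from HijackThis documentation).
PATTERNS = [
    re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
    re.compile(rf"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
    re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    re.compile(r"^O4 - (?:Startup|Global Startup): (?P<name>.*?) = (?P<path>.*)$"),
    re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID})(?: \((?P<name>[^)]*)\))? - (?P<path>.*)$"),
    re.compile(rf"^O21 - SSODL: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
]

# Reason strings returned by triage(); constants so callers can compare them.
R_NO_FILE = "orphaned registration: the registered file no longer exists"
R_USER_DIR = "loads from a Temp or Application Data directory"
R_ODD_NAME = "file name contains substituted or non-printable characters"
R_RANDOM_VALUE = "random-looking autorun value name"
R_ACTIVEX = "remote ActiveX install (O16): confirm the publisher before keeping"
R_SSODL = "shell service object (O21): rarely used by legitimate software"


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one HijackThis line into section, name, CLSID and path/URL."""
    line = line.strip()
    for pat in PATTERNS:
        m = pat.match(line)
        if m:
            g = m.groupdict()
            return {
                "section": line.split(" ", 1)[0],
                "name": g.get("name") or "",
                "clsid": g.get("clsid") or "",
                "path": g["path"].strip(),
            }
    return None  # section not handled here (R0/R1, O8, O9, O12, ...)


def triage(line: str) -> List[str]:
    """Return the heuristic reasons an entry deserves a second look."""
    e = parse_entry(line)
    if e is None:
        return []
    reasons: List[str] = []
    low = e["path"].lower()
    if low == "(no file)" or low.endswith("(file missing)"):
        reasons.append(R_NO_FILE)
    if "\\temp\\" in low or "\\application data\\" in low:
        reasons.append(R_USER_DIR)
    # HijackThis prints characters outside the console code page as '?', so
    # '??oolsv.exe' is a lookalike of spoolsv.exe with substituted characters.
    base = e["path"].rsplit("\\", 1)[-1]
    if "?" in base or any(not 32 <= ord(c) <= 126 for c in base):
        reasons.append(R_ODD_NAME)
    name = e["name"]
    if (e["section"] == "O4" and re.fullmatch(r"[A-Z0-9]{8,}", name)
            and sum(c.isdigit() for c in name) >= 2):
        reasons.append(R_RANDOM_VALUE)
    if e["section"] == "O16":
        reasons.append(R_ACTIVEX)
    if e["section"] == "O21":
        reasons.append(R_SSODL)
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; clean lines are omitted."""
    flagged: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage(line)
            if reasons:
                flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run against the sample, seven of the nine lines are shortlisted and the two legitimate entries (Norton's NAV Helper and Dell's DellTouch) pass through untouched. The "(file missing)" check also covers the O21 entry as it appears in the second log further down the thread, where the DLL was already deleted but its registration was left behind.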

#5 tv haus cheeks

tv haus cheeks
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:01 PM

Posted 20 November 2004 - 05:26 PM

Hey Penmore-
I followed what you said, and so far all is good: no pop-ups, and the files in my Run folder are gone. HijackThis gave me an error and couldn't delete a few files. Here's the new log:


Logfile of HijackThis v1.98.2
Scan saved at 5:03:32 PM, on 11/20/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\date manager\DateManager.exe
F:\iNsTaLL mE!\XP Themes\Y'z Dock\YzDock.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.psu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\AlwJR.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\WEATHE~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Shortcut to YzDock.exe.lnk = F:\iNsTaLL mE!\XP Themes\Y'z Dock\YzDock.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\date manager\DateManager.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B817734E-046C-11D3-B674-00104BA25195} (PSNQuerySystem Class) - http://pmb001.3m.com/pub/psnotes/psnudate.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/lo...1/bin/imvid.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll (file missing)

#6 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  • Location:West Coast of Scotland
  • Local time:12:01 AM

Posted 21 November 2004 - 03:55 PM

Hello tv haus cheeks,

You appear to have a rather stubborn Peper infection, so let's try and remove it again and run HijackThis in safe mode this time and see if we can remove the leftovers from last time. You may want to print these instructions out as when you go into safe mode you won't have access to the internet. I have also asked about another entry in your log; please supply this information together with the HijackThis log at the end.

Let's try and get rid of the Peper infection first:
If you have deleted the previous copy please download the removal tool : Peper Removal Tool

! NOTE: YOU MUST BE ONLINE WHEN RUNNING IT and let it have access to pass the firewall.

Click the "Find and Fix" button, allow it to scan, then reboot.

Repeat this process (remember to always reboot after a scan) until you get this message in blue text:

No Peper Files were Detected

If you don't get that all clear message after running PeperFix five times, let me know.
Reboot your computer into Safe Mode.

Run HijackThis
Click on the Scan button and when complete
Put a check beside all of the items listed below
  • O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\AlwJR.exe
  • O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll (file missing)
Close all open Explorer windows and browsers
Click on the "Fix Checked" button
When complete and all files removed, close the application

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Please delete the following file (delete item in bold). Please do not be concerned if it is not found, as it may have been automatically removed by actions I had you take earlier in the cleaning process.
C:\WINDOWS\System32\AlwJR.exe >>> File Only
You have the following entry in your log.
O4 - Global Startup: Date Manager.lnk = C:\Program Files\date manager\DateManager.exe
Are you running the free version of this?

Reboot your machine in normal mode, run HijackThis and post a new log here together with the information above.

#7 tv haus cheeks

tv haus cheeks
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:01 PM

Posted 21 November 2004 - 05:16 PM

Hey penmore-
OK so I ran the Peper remover tool, nothing was detected on the first try. I ran HijackThis in safe mode and neither of the two files you told me to fix were there. Finally I checked for that file to delete, and it too wasn't there. It seems like all is good. I appreciate your help so much. Here's my HijackThis log:


Logfile of HijackThis v1.98.2
Scan saved at 5:11:27 PM, on 11/21/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\WEATHE~1\THEWEA~1.EXE
C:\Program Files\date manager\DateManager.exe
F:\iNsTaLL mE!\XP Themes\Y'z Dock\YzDock.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.psu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\WEATHE~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Shortcut to YzDock.exe.lnk = F:\iNsTaLL mE!\XP Themes\Y'z Dock\YzDock.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\date manager\DateManager.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B817734E-046C-11D3-B674-00104BA25195} (PSNQuerySystem Class) - http://pmb001.3m.com/pub/psnotes/psnudate.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/lo...1/bin/imvid.cab



THANKS AGAIN! Let me know if there's anything else I should do.

#8 tv haus cheeks

tv haus cheeks
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:01 PM

Posted 21 November 2004 - 05:37 PM

Oh and by the way, I do use the free version of Date Manager so that isn't a problem. THANK YOU again!

#9 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  • Location:West Coast of Scotland
  • Local time:12:01 AM

Posted 22 November 2004 - 09:05 AM

Hi tv haus cheeks,

Apart from the O4 entry for Date Manager your log is clean. Well done!!
The Date Manager product is from Gator/Claria and the free version produces popups. I would like you to have a look at the following links and then decide if you wish to keep it. If you wish to remove it this can be done through Start >>> Control Panel >>> Add/Remove Programs facility.

http://www.kephyr.com/spywarescanner/libra...ger/index.phtml
http://www.date-manager.com/

I see you have an Anti Virus program installed but there are other things that you need to do to ensure that your machine is as fully protected as possible. I have included below a full list of items that I consider necessary. Please take the time to read through them and take appropriate measures as you see fit:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point. You can find instructions on how to enable and re-enable System Restore here: Re-enable System Restore with instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
    See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
    For a tutorial on Firewalls and a listing of some available ones see the link below: Understanding and Using Firewalls
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit Windows Update Site regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with an antivirus software.
    A tutorial on installing & using this product can be found here: Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers
  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with an antivirus software.
    A tutorial on installing & using this product can be found here: Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    A tutorial on installing & using this product can be found here: Using SpywareBlaster to protect your computer from Spyware and Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

#10 tv haus cheeks

tv haus cheeks
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:01 PM

Posted 23 November 2004 - 12:45 AM

hey penmore-

I have done everything you said to do and my computer hasnt be running cleaner. The only snag I ran into was when I was running Spybot: as it was about to finish deleting the selected files found, it gave me an error saying "This app. has failed to start bc EDENGINE.dll was not found. Re-installing the app. may fix this problem." Other than that everything is OK. Thanks again.

#11 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  • Location:West Coast of Scotland
  • Local time:12:01 AM

Posted 23 November 2004 - 04:08 PM

Hello tv haus cheeks,

Your problems with Spybot may be to do with lingering files relating to Wild Tangent.
Go to Start >>> Control Panel >>> Add/Remove Programs and remove all references to Wild Tangent.
Check also for entries for Web Driver and remove those if found.

Have a look on your C:\ drive and see if you can find:
C:\windows\WT >>> If found then delete the folder WT


Re-run Spybot and let me know how you go on.

#12 tv haus cheeks

tv haus cheeks
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:01 PM

Posted 28 November 2004 - 09:51 PM

hello penmore-
I deleted the folder as well as the program in the control panel, and I got a similar error when running spybot again. This time, the files that 'weren't able to start' were gtools.dll and cmeiiapi.dll. Is there something else I need to delete???

#13 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  • Location:West Coast of Scotland
  • Local time:12:01 AM

Posted 29 November 2004 - 04:11 PM

Hi tv haus cheeks,

This time, the files that 'weren't able to start' were gtools.dll and cmeiiapi.dll. Is there something else I need to delete???


These two files are connected with GAIN products and could be associated with the Date Manager software that you had installed.

If you didn't uninstall Date Manager then I would strongly recommend that you do and then try running Spybot again.

Can you do a search with Windows Explorer and check whether the following folders/files exist on your system:
gain
gator ewallet
precisiontime
date manager
gtools.dll need to know the folder that they exist in
cmeiiapi.dll need to know the folder that they exist in
Run HijackThis again and post a fresh log together with the information I have requested above.



