Want to install Windows SP2 - is my HJT log OK?


42 replies to this topic

#1 SpaceHog (Members, 20 posts)

Posted 24 May 2006 - 01:38 AM

Logfile of HijackThis v1.99.1
Scan saved at 1:28:19 AM, on 5/24/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy1.4\TeaTimer.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.roadrunner.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rr.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {38751CF5-7E5C-73A0-F21D-75775B01AB64} - C:\WINDOWS\System32\xopzrolz.dll (file missing)
O2 - BHO: (no name) - {40C70213-5264-0495-02BA-36B40B586DB3} - C:\WINDOWS\System32\hrhuyjlu.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.4\SDHelper.dll
O2 - BHO: (no name) - {5ED98B6A-251B-F6C4-A6A9-4651D91817E2} - C:\WINDOWS\System32\jsmfefaa.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9D08C744-3D58-BDD7-1E75-F8EA167C959A} - C:\WINDOWS\System32\zprgjhfy.dll (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Configuration Loader] scvhost32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy1.4\TeaTimer.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\RRIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/C...nts/msvcp71.cab
O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/C...nts/msvcr71.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {02CA9974-B6AC-497E-A371-73580432B0F6} (Eyeball Video Message Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: pbwywpsjtdrt (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe (file missing)
O23 - Service: Multimedia_Interface - Prism Microsystems, Inc. - C:\WINDOWS\system32\mm\aysshell.exe
O23 - Service: Network Drivers Service - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


I see several things that are questionable, but I am not knowledgeable enough myself. I don't seem to have anything obvious now that shows up every time I start my computer, but IE sometimes seems odd, and I am not really sure I've gotten all traces removed. Does anything stand out in this HJT log?

Thanks in advance!

SpaceHog

#2 teacup61 (Malware Response Team, Bleepin' Texan!, 17,075 posts, Wills Point, Texas)

Posted 24 May 2006 - 09:28 PM

Hello SpaceHog,

Welcome to Bleeping Computer.

I commend you on your forethought! Looks like you've done a good job too, as there are mostly leftovers present.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {38751CF5-7E5C-73A0-F21D-75775B01AB64} - C:\WINDOWS\System32\xopzrolz.dll (file missing)
O2 - BHO: (no name) - {40C70213-5264-0495-02BA-36B40B586DB3} - C:\WINDOWS\System32\hrhuyjlu.dll (file missing)
O2 - BHO: (no name) - {5ED98B6A-251B-F6C4-A6A9-4651D91817E2} - C:\WINDOWS\System32\jsmfefaa.dll (file missing)
O2 - BHO: (no name) - {9D08C744-3D58-BDD7-1E75-F8EA167C959A} - C:\WINDOWS\System32\zprgjhfy.dll (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Configuration Loader] scvhost32.exe
O23 - Service: pbwywpsjtdrt (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe (file missing)
O23 - Service: Network Drivers Service - Unknown owner - C:\WINDOWS\svchost.exe (file missing)


Close all browser and other windows except for HijackThis!, and click "Fix Checked".

Reboot your computer.

Please download, install, and update the free version of Ewido Anti-Malware:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run Ewido for the first time, you might get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main Ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes, the status bar at the bottom will display "Update successful"
  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
  • Close Ewido
In your reply, please post the log from Ewido and a new HijackThis log. How is your computer running?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
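As an added illustration, not code from this thread or from HijackThis, the script below encodes the rules a helper applies by eye when picking entries like the ones teacup61 listed above: anything marked "(file missing)" or "(no file)", unnamed BHOs whose DLL names look machine-generated, O4 autoruns that name a bare executable (resolved through the PATH search, here a look-alike of svchost.exe), and O23 services with an unknown owner, a missing binary, an svchost.exe outside System32, or a random-looking display name. The sample lines are copied from the log in this thread; the look-alike list, the naming thresholds, and the `sc stop`/`sc delete` remediation strings are my assumptions, not anything HijackThis ships.

```python
"""Heuristic triage of HijackThis 1.99.x log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed sample: lines copied in the format of the log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {38751CF5-7E5C-73A0-F21D-75775B01AB64} - C:\\WINDOWS\\System32\\xopzrolz.dll (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\\..\\Run: [Configuration Loader] scvhost32.exe
O23 - Service: pbwywpsjtdrt (MsUpdate6) - Unknown owner - C:\\WINDOWS\\System32\\msupd6.exe (file missing)
O23 - Service: Network Drivers Service - Unknown owner - C:\\WINDOWS\\svchost.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\\Program Files\\Common Files\\Sony Shared\\AVLib\\SPTISRV.exe
"""

# Assumed list of Windows binaries whose names malware commonly imitates.
LOOKALIKE_TARGETS = {"svchost", "lsass", "csrss", "winlogon", "explorer", "services", "spoolsv"}

O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (.*?): \[(.*?)\] (.*)$")
# O23 - Service: DisplayName (ShortName) - Owner - Path; the short name is optional.
O23_RE = re.compile(r"^O23 - Service: (.*?)(?: \(([^()]+)\))? - (.*?) - (.*)$")


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)
    service_name: Optional[str] = None  # O23 short name, the one sc.exe expects

    @property
    def remediation(self) -> List[str]:
        if self.service_name:
            return [f"sc stop {self.service_name}", f"sc delete {self.service_name}"]
        return []


def basename(path: str) -> str:
    """File name without directory, quotes, or the '(file missing)' suffix."""
    path = re.sub(r"\s*\((?:file missing|no file)\)\s*$", "", path).strip().strip('"')
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def looks_generated(name: str) -> bool:
    """8-16 lowercase letters with few vowels or a long consonant run (crude)."""
    if not re.fullmatch(r"[a-z]{8,16}", name):
        return False
    vowels = sum(c in "aeiou" for c in name)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", name)), default=0)
    return vowels / len(name) < 0.3 or longest_run >= 4


def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(stem: str) -> Optional[str]:
    """System binary the name imitates (scvhost32 -> svchost), or None."""
    core = re.sub(r"\d+$", "", stem.lower())
    for target in sorted(LOOKALIKE_TARGETS):
        if core != target and edit_distance(core, target) <= 2:
            return target
    return None


def triage_line(line: str) -> Optional[Finding]:
    f = Finding(line)
    if "(file missing)" in line or "(no file)" in line:
        f.reasons.append("orphaned entry: referenced file no longer exists")
    m = O2_RE.match(line)
    if m:
        name, _clsid, path = m.groups()
        stem = basename(path).rsplit(".", 1)[0]
        if name == "(no name)" and looks_generated(stem):
            f.reasons.append(f"unnamed BHO with machine-looking DLL name '{stem}'")
    m = O4_RE.match(line)
    if m:
        cmd = m.group(3).strip().strip('"')
        if "\\" not in cmd:
            f.reasons.append("autorun names a bare file, resolved through PATH search")
        hit = lookalike_of(basename(cmd.split(" -")[0].split(" /")[0]).rsplit(".", 1)[0])
        if hit:
            f.reasons.append(f"name imitates the Windows binary '{hit}'")
    m = O23_RE.match(line)
    if m:
        display, short, owner, path = m.groups()
        f.service_name = short
        if owner.strip().lower() == "unknown owner":
            f.reasons.append("service binary carries no company/version information")
        if basename(path).lower() == "svchost.exe" and "system32" not in path.lower():
            f.reasons.append("svchost.exe outside System32")
        if looks_generated(display):
            f.reasons.append(f"machine-looking service display name '{display}'")
    return f if f.reasons else None


def triage(log_text: str) -> List[Finding]:
    return [f for f in map(triage_line, log_text.splitlines()) if f]
```

Feed a saved log to `triage()` and print each finding's `reasons`; legitimate entries such as the Sony service in the sample produce no finding. For an O23 entry the finding carries the short service name from the parentheses (MsUpdate6 here), which is the name `sc.exe` expects: `sc stop MsUpdate6` followed by `sc delete MsUpdate6` from an administrator command prompt removes the service registration itself, and HijackThis lists O23 entries from that registration whether or not the binary still exists. Entries flagged only because the file is missing are dead pointers; the ones that matter are those still backed by a file or by a running service.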

#3 SpaceHog (Topic Starter)

Posted 24 May 2006 - 11:05 PM

Thanks for your reply...I did all you said to do. Can't seem to get rid of this entry:

O23 - Service: pbwywpsjtdrt (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe (file missing)

Otherwise here's what I got:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:53:50 PM, 5/24/2006
+ Report-Checksum: 33E05DCA

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
C:\Documents and Settings\Kevin\Cookies\kevin@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\RECYCLER\S-1-5-21-776561741-299502267-725345543-500\Dc14.dll -> Downloader.IstBar : Cleaned with backup
C:\WINDOWS\system32\shellstyle.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\wfukj.dllx -> Adware.Adstart : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 10:56:22 PM, on 5/24/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy1.4\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.roadrunner.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rr.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {38751CF5-7E5C-73A0-F21D-75775B01AB64} - (no file)
O2 - BHO: (no name) - {40C70213-5264-0495-02BA-36B40B586DB3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.4\SDHelper.dll
O2 - BHO: (no name) - {5ED98B6A-251B-F6C4-A6A9-4651D91817E2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9D08C744-3D58-BDD7-1E75-F8EA167C959A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy1.4\TeaTimer.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\RRIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/C...nts/msvcp71.cab
O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/C...nts/msvcr71.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {02CA9974-B6AC-497E-A371-73580432B0F6} (Eyeball Video Message Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: pbwywpsjtdrt (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe (file missing)
O23 - Service: Multimedia_Interface - Prism Microsystems, Inc. - C:\WINDOWS\system32\mm\aysshell.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#4 teacup61

Posted 24 May 2006 - 11:57 PM

Hello,

All that real time protection you have going interfered with our fix. You'll have to disable it all for this to work.

Disable SpySweeper:

You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.

* Open it, click Options over to the left, then Program Options, and uncheck "Load at Windows startup".
* Over to the left click "Shields" and uncheck all there.
* Uncheck "Home page shield".
* Uncheck "Automatically restore default without notification".

After all of the fixes are complete it is very important that you enable SpySweeper again.

Please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

Please disable Ad-Watch, as it may hinder the removal of some HijackThis entries. You can re-enable it after your computer is clean.

To disable Ad-Watch:

1. Right-click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic":
   Active: switches monitoring on or off without closing.
   Automatic: switches automatic blocking on or off.
3. Uncheck (red X) both items.

I recommend you uninstall SpyKiller via Add/Remove Programs. Read here for more info: http://netsecurity.about.com/b/a/183387.htm

Now can you please follow all the directions again in the previous post?

Thanks,
tea

#5 SpaceHog (Topic Starter)

Posted 25 May 2006 - 01:42 AM

Hello

OK... when I had the real-time protection all on, I believe I clicked the correct things to keep them from blocking the changes. But nonetheless I did all you said to do. First, my SpySweeper trial period expired, so it's not running anyway. I turned off TeaTimer and Ad-Aware Ad-Watch. Even with the real-time protection turned off, the files remain after running HJT and "Fix checked". I notice that when I click on "Fix Checked" in HJT, the HJT list screen goes blank. I have heard about some things shutting down HJT when you try to delete them... could this be the problem? Also, there is no SpyKiller in the Add/Remove Programs list. There is a folder in C:\Programs called SpyKiller, but there is no SpyKiller.exe file. I never see it running in the process list, only in the startup list in HJT.

Edited by SpaceHog, 25 May 2006 - 01:52 AM.


#6 teacup61

Posted 25 May 2006 - 02:31 AM

Hmmm... can you try it in safe mode? While you're there, run a scan with Ewido and post its log and a new HijackThis log, if it's successful this time.

#7 SpaceHog (Topic Starter)

Posted 25 May 2006 - 08:53 AM

OK...I tried it in safe mode and same thing happens. Also ran ewido and it found nothing.

#8 teacup61

Posted 25 May 2006 - 04:13 PM

Okay then... it's nothing you've done wrong! We just need to get a wee bit more radical here. Ad-Aware, or more specifically Ad-Watch, does its job a little too well sometimes, so I'm going to ask you to uninstall it while we clean your computer. You can reinstall it AFTER you upgrade to SP2. Leave Spybot's TeaTimer disabled as well, then try the instructions again.

#9 SpaceHog (Topic Starter)

Posted 25 May 2006 - 08:28 PM

OK...deleted AdAware and AdWatch. Closed all browsers and windows and ran HJT scan.

Put a check next to the following files:
O2 - BHO: (no name) - {38751CF5-7E5C-73A0-F21D-75775B01AB64} - (no file)
O2 - BHO: (no name) - {40C70213-5264-0495-02BA-36B40B586DB3} - (no file)
O2 - BHO: (no name) - {5ED98B6A-251B-F6C4-A6A9-4651D91817E2} - (no file)
O2 - BHO: (no name) - {9D08C744-3D58-BDD7-1E75-F8EA167C959A} - (no file)
O23 - Service: pbwywpsjtdrt (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe (file missing)

Clicked on "Fix checked"

I decided to run the scan again immediately to see if the files were still there... they were.

I restarted computer...ran ewido and it found nothing.

I ran HJT and all the files I tried to fix remain.

BTW I really appreciate your help with this...I kinda feel like I am wasting your time with this.

#10 teacup61

Posted 26 May 2006 - 12:34 AM

Don't you dare feel bad! You're not wasting my time, and we're not out of options here. This has to be done so you can upgrade to SP2 and make your computer more secure. It's worth it.

All right, so this is where we are. You have Ad-Aware out of the picture for the time being, TeaTimer disabled, and SpySweeper disabled. SpyKiller is uninstalled (rogue program). Is Trend Micro's real-time protection disabled? If it's not, then disable it. Boot into safe mode and try the deletions again with HijackThis.

Not to worry, we'll get this done.

#11 SpaceHog (Topic Starter)

Posted 26 May 2006 - 02:08 AM

OK... I basically disabled everything, and upon shutting down Windows I got an "access violation" error; Spybot didn't close properly and I had to manually "End Program". Upon restarting, and before I could boot into safe mode, my computer said it had detected a hard drive error or something. It said to choose F1 to continue or F2 to run Setup. When I chose F2 I really didn't see anything that I could choose to correct the problem. Not sure if it's related, but anyway. So I ran safe mode and did the same in HJT, and again the programs won't delete.

I will take this opportunity to mention a few things that I saw that I couldn't do anything with before I first ran HJT and posted it here the first time. There was an ActiveX file listed in the ActiveX part of Spybot-S&D that had a red X next to it and said it was known malware. Here is the log with the malware item highlighted at the end:


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-05-17 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-05-12 Includes\Cookies.sbi
2006-05-12 Includes\Dialer.sbi
2006-05-12 Includes\Hijackers.sbi
2006-05-12 Includes\Keyloggers.sbi
2006-05-15 Includes\Malware.sbi
2006-05-12 Includes\PUPS.sbi
2006-05-12 Includes\Revision.sbi
2006-05-12 Includes\Security.sbi
2006-05-12 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-05-12 Includes\Trojans.sbi

axscanner (axscanner)
DPF name: axscanner
CLSID name:
Installer:
Codebase: http://www.pestscan.com/scanner/axscanner.cab

axscannerruntime (axscannerruntime)
DPF name: axscannerruntime
CLSID name:
Installer:
Codebase: http://www.pestscan.com/scanner/axscannerruntime.cab

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

mscomctl (mscomctl)
DPF name: mscomctl
CLSID name:
Installer:
Codebase: http://www.pestscan.com/scanner/mscomctl.cab

msvcp71 (msvcp71)
DPF name: msvcp71
CLSID name:
Installer:
Codebase: http://download.pestpatrol.com/Downloads/C...nts/msvcp71.cab

msvcr71 (msvcr71)
DPF name: msvcr71
CLSID name:
Installer:
Codebase: http://download.pestpatrol.com/Downloads/C...nts/msvcr71.cab

ppctlcab (ppctlcab)
DPF name: ppctlcab
CLSID name:
Installer:
Codebase: http://www.pestscan.com/scanner/ppctlcab.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{0000000A-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\wmsp9dmo.inf
Codebase: http://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{00000075-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\voxacm.inf
Codebase: http://codecs.microsoft.com/codecs/i386/voxacm.CAB
description: Microsoft Audio Codec
classification: Legitimate
known filename: VOXACM.CAB
info link:
info source: Patrick M. Kolla

{00000161-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\msaudio.inf
Codebase: http://codecs.microsoft.com/codecs/i386/msaudio.cab
description: Microsoft Audio Codec
classification: Legitimate
known filename: MSAUDIO.CAB
info link:
info source: Patrick M. Kolla

{00000162-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\wma9dmo.inf
Codebase: http://codecs.microsoft.com/codecs/i386/wma9dmo.cab
description: Microsoft Audio Codec
classification: Legitimate
known filename: WMA9DMO.CAB
info link:
info source: JavaCool

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
Installer: C:\WINDOWS\Downloaded Program Files\QTPlugin.inf
Codebase: http://www.apple.com/qtactivex/qtplugin.cab
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 7/6/2003 11:28:32 AM
Date (last access): 5/25/2006 8:55:30 PM
Date (last write): 10/19/2004 5:17:50 PM
Filesize: 360504
Attributes: archive
MD5: F88CD154B9627646E9DDA1679155E4E3
CRC32: 5B04FF79
Version: 6.5.1.17

{02CA9974-B6AC-497E-A371-73580432B0F6} (Eyeball Video Message Control)
DPF name:
CLSID name: Eyeball Video Message Control
Installer: C:\WINDOWS\Downloaded Program Files\gVideoContol.inf
Codebase: http://imlive.com/ChatSource/gVideoContol.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: CoVideoMessage.ocx
Short name: COVIDE~1.OCX
Date (created): 7/3/2003 5:01:10 PM
Date (last access): 5/25/2006 7:53:46 PM
Date (last write): 7/3/2003 5:01:10 PM
Filesize: 286720
Attributes: archive
MD5: 670A23707B96427C56BE5AA344CB9036
CRC32: 25EE441C
Version: 3.1.425.1

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://download.macromedia.com/pub/shockwa...director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 8/27/2004 10:30:06 PM
Date (last access): 5/25/2006 7:53:46 PM
Date (last write): 5/28/2004 1:38:00 AM
Filesize: 54480
Attributes: archive
MD5: 408F53722D9C1280BF4EDD70341EA7F2
CRC32: 4EB8819E
Version: 10.0.1.4

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://go.microsoft.com/fwlink/?linkid=39204
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\System32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 4/10/2006 1:00:34 PM
Date (last access): 5/25/2006 7:53:46 PM
Date (last write): 4/10/2006 1:00:34 PM
Filesize: 555824
Attributes: archive
MD5: 593F9787C3161CC77FA9B4BEBE823582
CRC32: B36241BF
Version: 1.5.526.0

{31564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\wmvax.inf
Codebase: http://codecs.microsoft.com/codecs/i386/wmvax.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{33363249-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\i263_32.inf
Codebase: http://codecs.microsoft.com/codecs/i386/i263_32.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf
Codebase: http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{33564D57-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf
Codebase: http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
description: Microsoft WMV Video Codec
classification: Legitimate
known filename: WMV9DMO.CAB
info link:
info source: Patrick M. Kolla

{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control)
DPF name:
CLSID name: BDSCANONLINE Control
Installer: C:\WINDOWS\Downloaded Program Files\oscan8.inf
Codebase: http://download.bitdefender.com/resources/scan8/oscan8.cab
description:
classification: Legitimate
known filename: oscan8.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: oscan8.ocx
Short name:
Date (created): 3/9/2005 3:40:44 PM
Date (last access): 5/25/2006 7:53:48 PM
Date (last write): 3/9/2005 3:40:44 PM
Filesize: 475136
Attributes: archive
MD5: 38F3695A3824342E29703D28404B121A
CRC32: AD9D0B16
Version: 1.0.0.1

{6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5)
DPF name:
CLSID name: Housecall ActiveX 6.5
Installer: C:\WINDOWS\Downloaded Program Files\hcImpl.inf
Codebase: http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: Housecall_ActiveX.dll
Short name: HOUSEC~1.DLL
Date (created): 4/26/2006 5:51:28 PM
Date (last access): 5/25/2006 7:53:48 PM
Date (last write): 4/26/2006 5:51:28 PM
Filesize: 359936
Attributes: archive
MD5: 9E964EFD02785E75819941DD486933AB
CRC32: FE48FA14
Version: 6.5.2.9

{74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
DPF name:
CLSID name: HouseCall Control
Installer: C:\WINDOWS\Downloaded Program Files\xscan.inf
Codebase: http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
description: Trend Micro Antivirus online scanner
classification: Legitimate
known filename: XSCAN53.OCX
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\DOWNLO~1\
Long name: xscan53.ocx
Short name:
Date (created): 11/2/2005 6:07:08 PM
Date (last access): 5/26/2006 1:12:58 AM
Date (last write): 11/2/2005 6:07:08 PM
Filesize: 435712
Attributes: archive
MD5: BEC3AAB1D47A4DC26D7A7C4C5CAE3304
CRC32: D7C39B20
Version: 5.70.0.1090

{85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class)
DPF name:
CLSID name: SecureLogin class
Installer:
Codebase: http://secure2.comned.com/signuptemplates/...login-devel.cab
description:
classification: Open for discussion
known filename: securelogin.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: securelogin.ocx
Short name: SECURE~1.OCX
Date (created): 11/16/2004 10:44:22 PM
Date (last access): 5/25/2006 7:53:48 PM
Date (last write): 11/16/2004 10:44:22 PM
Filesize: 22088
Attributes: archive
MD5: 464558B35F280D82EADF7F80A4FC3499
CRC32: A104BD24
Version: 0.0.6.0

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name:
Installer:
Codebase:
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name:
CLSID name: ActiveScan Installer Class
Installer: C:\WINDOWS\Downloaded Program Files\asinst.inf
Codebase: http://acs.pandasoftware.com/activescan/as5free/asinst.cab
description:
classification: Open for discussion
known filename: ASINST.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: asinst.dll
Short name:
Date (created): 4/11/2006 5:10:10 PM
Date (last access): 5/25/2006 7:53:48 PM
Date (last write): 4/11/2006 5:10:10 PM
Filesize: 135168
Attributes: archive
MD5: 7267AE9C8DF527C30885DC29687D2A9B
CRC32: 1B1733A3
Version: 58.5.0.0

{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class)
DPF name:
CLSID name: MsnMessengerSetupDownloadControl Class
Installer: C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.inf
Codebase: http://messenger.msn.com/download/MsnMesse...pDownloader.cab
description:
classification: Legitimate
known filename: MsnMessengerSetupDownloader.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MsnMessengerSetupDownloader.ocx
Short name: MSNMES~1.OCX
Date (created): 3/17/2005 2:48:34 PM
Date (last access): 5/25/2006 7:53:48 PM
Date (last write): 3/17/2005 2:48:34 PM
Filesize: 113152
Attributes: archive
MD5: 92D24B6643919005213F60D5B537196A
CRC32: 31684779
Version: 1.0.0.2

{B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class)
DPF name:
CLSID name: YAddBook Class
Installer: C:\Program Files\Yahoo!\Common\yaddbook.dll
Codebase: http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
description: Yahoo! Address book
classification: Legitimate
known filename: %ProgramFiles%\Yahoo!\Common\yaddbook.dll
info link:
info source: Patrick M. Kolla
Path: C:\PROGRA~1\Yahoo!\Common\
Long name: yaddbook.dll
Short name:
Date (created): 6/14/2004 6:13:16 PM
Date (last access): 5/25/2006 7:53:48 PM
Date (last write): 6/14/2004 6:13:16 PM
Filesize: 218184
Attributes: archive
MD5: ACC63341696FD63627720F2858F72B3E
CRC32: 80D50344
Version: 2004.6.14.1

{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07)
DPF name: Java Runtime Environment 1.4.1_07
CLSID name:
Installer:
Codebase:
description:
classification: Legitimate
known filename: NPJPI141_07.dll
info link:
info source: Safer Networking Ltd.

{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 3/2/2006 1:52:58 PM
Date (last access): 5/25/2006 7:53:48 PM
Date (last write): 11/10/2005 1:22:12 PM
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 3/2/2006 1:52:58 PM
Date (last access): 5/26/2006 1:27:10 AM
Date (last write): 11/10/2005 1:22:12 PM
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwa...ash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\Macromed\Flash\
Long name: Flash8.ocx
Short name:
Date (created): 8/27/2005 1:38:56 PM
Date (last access): 5/26/2006 12:32:46 AM
Date (last write): 8/27/2005 1:38:56 PM
Filesize: 1435272
Attributes: archive
MD5: 900373C059C2B51CA91BF110DBDECB33
CRC32: F19599BC
Version: 8.0.22.0

{1C955F3B-5B32-4393-A05D-24B4970CD2A1} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\videox.inf
Codebase: http://streamp.babenet.com/cabs/videox.cab
description: Dialer
classification: Confirmed as malware
known filename:
info link:
info source: JavaCool


I clicked this and then clicked remove in SpyBot-SD but it doesn't get removed.

Also when I ran Pandascan Activescan it showed me what it found and what it did with the files. Unfortunately it's an online scan and it only disinfected the Trojan it found... the rest it said "not disinfected". It kinda bothered me, but most of the items were things that either looked like traces or were files I couldn't find (I assume I had disabled most somehow someway already). But nonetheless these were the only things I wasn't able to clean before coming to this site and asking for help.

Maybe the solution is somewhere in these problems?

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 May 2006 - 03:12 AM

Let's make SURE before we nuke it.

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

C:\WINDOWS\Downloaded Program Files\videox.inf

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 May 2006 - 03:29 AM

Also, please do the following:

Click start > run, copy and paste the following, then click OK:

sc delete MsUpdate6

I'd like you to perform an online virus scan with Kaspersky Online Virus Scanner.

Navigate (using Internet Explorer only, other browsers won't work) to the following site: http://www.kaspersky.com/virusscanner

Click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").

* In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
* When you get the Windows dialog asking if you want to install this software, click the "Install" button.
* The scanner will download the latest definition files. When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
* Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
* Under "Please select a target to scan:", click My Computer to start the scan.

When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop. Close the Kaspersky On-line Scanner window.

In your reply, please post the log from Kaspersky kavscan.txt, and a new HijackThis log.

#14 SpaceHog

SpaceHog
  • Topic Starter

  • Members
  • 20 posts

Posted 26 May 2006 - 03:11 PM

When I tried to scan C:\WINDOWS\Downloaded Program Files\videox.inf I received this message:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file


I ran sc delete MsUpdate6... seems to be gone now.


Here's the Kaspersky scan result:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, May 26, 2006 2:34:40 PM
Operating System: Microsoft Windows XP Home Edition, (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 26/05/2006
Kaspersky Anti-Virus database records: 196563
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 74358
Number of viruses found: 14
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 01:09:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Kevin\.housecall\Quarantine\94.tmp.bac_a27728/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\94.tmp.bac_a27728/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\94.tmp.bac_a27728/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\94.tmp.bac_a27728 ZIP: infected - 3 skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\94.tmp.bac_a27728 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\E5E1.tmp.bac_a27728/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.e skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\E5E1.tmp.bac_a27728/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\E5E1.tmp.bac_a27728/WebCounter.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\E5E1.tmp.bac_a27728/a.class Infected: Trojan.Java.Shiwow skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\E5E1.tmp.bac_a27728 ZIP: infected - 4 skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\E5E1.tmp.bac_a27728 CryptFF.b: infected - 4 skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\E5E2.tmp.bac_a27728/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.e skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\E5E2.tmp.bac_a27728/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\E5E2.tmp.bac_a27728/WebCounter.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\E5E2.tmp.bac_a27728/a.class Infected: Trojan.Java.Shiwow skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\E5E2.tmp.bac_a27728 ZIP: infected - 4 skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\E5E2.tmp.bac_a27728 CryptFF.b: infected - 4 skipped
C:\Documents and Settings\Kevin\.housecall\Quarantine\vbsys2.dll.bac_a27728 Infected: Trojan-Clicker.Win32.Agent.ac skipped
C:\Documents and Settings\Kevin\Local Settings\Temp\GLB120.tmp/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.e skipped
C:\Documents and Settings\Kevin\Local Settings\Temp\GLB120.tmp WiseSFX: infected - 1 skipped
C:\Documents and Settings\Kevin\Local Settings\Temp\GLB12A.tmp/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j skipped
C:\Documents and Settings\Kevin\Local Settings\Temp\GLB12A.tmp WiseSFX: infected - 1 skipped
C:\Documents and Settings\Kevin\Local Settings\Temp\GLB135.tmp/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j skipped
C:\Documents and Settings\Kevin\Local Settings\Temp\GLB135.tmp WiseSFX: infected - 1 skipped
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\4ADF.tmp Infected: not-a-virus:Client-IRC.Win32.mIRC.601 skipped
C:\RECYCLER\S-1-5-21-776561741-299502267-725345543-500\Dc11.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\Buddy.exex Infected: not-a-virus:AdWare.Win32.BetterInternet.ad skipped
C:\WINDOWS\system32\mm\linkd.exe Infected: not-a-virus:NetTool.Win32.PsKill skipped

Here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:56:10 PM, on 5/26/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy1.4\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.roadrunner.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.rr.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {38751CF5-7E5C-73A0-F21D-75775B01AB64} - (no file)
O2 - BHO: (no name) - {40C70213-5264-0495-02BA-36B40B586DB3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.4\SDHelper.dll
O2 - BHO: (no name) - {5ED98B6A-251B-F6C4-A6A9-4651D91817E2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9D08C744-3D58-BDD7-1E75-F8EA167C959A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy1.4\TeaTimer.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/C...nts/msvcp71.cab
O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/C...nts/msvcr71.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {02CA9974-B6AC-497E-A371-73580432B0F6} (Eyeball Video Message Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Multimedia_Interface - Prism Microsystems, Inc. - C:\WINDOWS\system32\mm\aysshell.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
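
As an added example, not part of this thread and not code from HijackThis, here is a small Python triage of the HJT log format shown above: it parses the O2, O6, O16 and O23 lines and flags the entry types a helper checks first (BHOs registered with no file behind them, DPF entries with an empty or unrecognised codebase, IE policy restrictions, and services whose binary is missing). The sample lines and the allowlist of vendor codebase hosts are constructed for the example from entries in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.99 log format. The lines follow the
# shapes seen in this thread; the videox.cab O16 line is built from the Spybot
# DPF entry in the thread so the script has a non-vendor codebase to flag.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {38751CF5-7E5C-73A0-F21D-75775B01AB64} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_06\\bin\\ssv.dll
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamp.babenet.com/cabs/videox.cab
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\\WinPcap\\rpcapd.exe" -d -f "%ProgramFiles%\\WinPcap\\rpcapd.ini (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\\Program Files\\Common Files\\Sony Shared\\AVLib\\SPTISRV.exe
"""

# Hosts whose ActiveX codebases a helper would normally recognise as vendor-hosted.
# This allowlist is an assumption built from vendors named in the thread; it is a
# starting point for review, not a verdict on the control itself.
KNOWN_CODEBASE_HOSTS = {
    "go.microsoft.com", "codecs.microsoft.com", "download.microsoft.com",
    "java.sun.com", "www.apple.com", "download.macromedia.com",
    "www.pestscan.com", "download.pestpatrol.com",
}


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section, e.g. "O16"
    severity: str  # "fix", "review" or "ok"
    reason: str
    line: str


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O6_RE = re.compile(r"^O6 - (?P<key>.+) present$")
O16_RE = re.compile(r"^O16 - DPF: (?P<ident>\S+)(?: \((?P<name>[^)]*)\))? - ?(?P<url>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT log line, or None for sections this script ignores."""
    line = line.strip()
    if m := O2_RE.match(line):
        if m["path"] == "(no file)":
            return Finding("O2", "fix", "BHO registered but its DLL is gone (orphan entry)", line)
        return Finding("O2", "ok", f"BHO backed by {m['path']}", line)
    if m := O6_RE.match(line):
        return Finding("O6", "review", f"IE policy restriction present ({m['key']}); fix unless an admin set it", line)
    if m := O16_RE.match(line):
        url = m["url"].strip()
        if not url:
            return Finding("O16", "fix", "DPF entry with an empty codebase (stale control)", line)
        host = urlparse(url).hostname or ""
        if host in KNOWN_CODEBASE_HOSTS:
            return Finding("O16", "ok", f"codebase host {host} is on the allowlist", line)
        return Finding("O16", "review", f"codebase host {host} is not on the allowlist", line)
    if m := O23_RE.match(line):
        if m["path"].endswith("(file missing)"):
            return Finding("O23", "review", "service registered but its binary is missing", line)
        if m["owner"] == "Unknown owner":
            return Finding("O23", "review", "service with unknown owner", line)
        return Finding("O23", "ok", f"service binary {m['path']}", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Classify every recognised line of an HJT log, in log order."""
    return [f for f in (classify_line(l) for l in log_text.splitlines()) if f]


def needs_attention(findings: List[Finding]) -> List[Finding]:
    """Only the entries a helper would ask the poster to fix or explain."""
    return [f for f in findings if f.severity != "ok"]


if __name__ == "__main__":
    for f in needs_attention(triage(SAMPLE_LOG)):
        print(f"[{f.section}] {f.severity:6} {f.reason}\n    {f.line}")
```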

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 May 2006 - 04:00 PM

Hello again... still hanging in there? :thumbsup:

Please make sure all your realtime protection is still disabled. This includes TrendMicro, SpySweeper, TeaTimer. Did you try to uninstall SpyKiller?

Empty Trend Micro's quarantine folders, then empty out everything in the Temp folder:

Delete Temp Files:
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.
This should open up the temp directory that your machine uses. Please delete all files that are found there.

Delete Temporary Internet Files:
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Empty your Recycle Bin

Go to Add/Remove Programs and remove ALL the old versions of Java. The only one that should be there is jre1.5.0_06.

1) Please download the Killbox.
Save it to the desktop and run it.

2) Select "Delete on Reboot", and then select "All files".

3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Downloaded Program Files\videox.inf

4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After a reboot, try HijackThis again:
Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {38751CF5-7E5C-73A0-F21D-75775B01AB64} - (no file)
O2 - BHO: (no name) - {40C70213-5264-0495-02BA-36B40B586DB3} - (no file)
O2 - BHO: (no name) - {5ED98B6A-251B-F6C4-A6A9-4651D91817E2} - (no file)
O2 - BHO: (no name) - {9D08C744-3D58-BDD7-1E75-F8EA167C959A} - (no file)
Check these if you or an admin did not set them:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -


Close all browser and other windows except for HijackThis!, and click "Fix Checked".

Reboot once again.

In your reply, let me know how all this went, and of course, a new HijackThis log please. :flowers:

