Task Manager, MSConfig [resolved]


  • This topic is locked

#1
sportspeddler1

Logfile of HijackThis v1.99.0
Scan saved at 4:38:50 PM, on 3/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\paprport\pptd40nt.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\avast\ashDisp.exe
C:\WINDOWS\system32\SVCHOSTA.EXE
C:\POPUPS~1\POP-UP~1\PSFree.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\avast\aswUpdSv.exe
C:\avast\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\avast\ashMaiSv.exe
C:\avast\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Customer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Customer\Application Data\Mozilla\Profiles\default\2d3g9r71.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0BA3CCF4-8E70-4C99-91AC-9D01D99C6B8F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74A347BE-10A4-70B8-40AB-4473922B55BF} - C:\WINDOWS\System32\kvfoaskl.dll (file missing)
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [dqqcjiom] C:\WINDOWS\ojbtkgzi.exe
O4 - HKLM\..\Run: [XELRYBIOV] C:\WINDOWS\XELRYBIOV.exe
O4 - HKLM\..\Run: [avast!] C:\avast\ashDisp.exe
O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTA.EXE
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [5F8f32V] ersfx12n.exe
O4 - HKLM\..\Run: [Tptattzq] C:\Program Files\Bqxmy\Awzgrln.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\POPUPS~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [KorpRSZ5l] javhela2.exe
O4 - HKCU\..\RunOnce: [Windows Logon Procedure] SVCHOSTA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O19 - User stylesheet: (file missing)
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\avast\ashWebSv.exe

I tried everything I could before posting; I hope you can help.
Task Manager and MSConfig will only open for a second and then close, or sometimes do not open at all. Thank you!


#2
Guest_thatman_*

Hi sportspeddler1

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; see here for how to do this if you're unsure.

1. Download the Pocket Killbox: http://www.downloads.subratam.org/KillBox.zip
2. Unzip the contents of KillBox.zip to a convenient location.
3. Double-click on KillBox.exe.
4. Click "Replace on Reboot" and check the "Use Dummy" box.
5. Paste this file into the top "Full Path of File to Delete" box.
* C:\WINDOWS\System32\cgzlil.dll
6. Click the "Delete File" button which looks like a stop sign.
7. Click "Yes" at the Replace on Reboot prompt.
8. Click "No" at the Pending Operations prompt.
9. Repeat steps 4-8 above for these files:
C:\WINDOWS\System32\kvfoaskl.dll
C:\WINDOWS\ojbtkgzi.exe
C:\WINDOWS\XELRYBIOV.exe
SVCHOSTA.EXE
C:\Program Files\Preview AdService\PrevAdServ.exe
ersfx12n.exe
C:\Program Files\Bqxmy\Awzgrln.exe
javhela2.exe

10. Click "Replace on Reboot" and check the "Use Dummy" box.

Close all programs down, leaving only HijackThis running.
Place a check against the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchdot.net
O2 - BHO: (no name) - {0BA3CCF4-8E70-4C99-91AC-9D01D99C6B8F} - (no file)
O2 - BHO: (no name) - {74A347BE-10A4-70B8-40AB-4473922B55BF} - C:\WINDOWS\System32\kvfoaskl.dll (file missing)
O4 - HKLM\..\Run: [dqqcjiom] C:\WINDOWS\ojbtkgzi.exe
O4 - HKLM\..\Run: [XELRYBIOV] C:\WINDOWS\XELRYBIOV.exe
O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTA.EXE
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [5F8f32V] ersfx12n.exe
O4 - HKLM\..\Run: [Tptattzq] C:\Program Files\Bqxmy\Awzgrln.exe
O4 - HKCU\..\Run: [KorpRSZ5l] javhela2.exe
O4 - HKCU\..\RunOnce: [Windows Logon Procedure] SVCHOSTA.EXE
O19 - User stylesheet: (file missing)


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\System32\kvfoaskl.dll
C:\WINDOWS\ojbtkgzi.exe
C:\WINDOWS\XELRYBIOV.exe
SVCHOSTA.EXE
C:\Program Files\Preview AdService\PrevAdServ.exe
ersfx12n.exe
C:\Program Files\Bqxmy\Awzgrln.exe
javhela2.exe


Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we'll take another look.

Kc :tazz:

#3
sportspeddler1

thatman, thank you for your help. I don't know if I did something wrong, but when I rebooted in safe mode, I could not find any of the files that you told me to delete. I also notice that I still can't open Task Manager or MSConfig. :tazz: Here is my updated HijackThis log.

Logfile of HijackThis v1.99.0
Scan saved at 1:25:40 AM, on 3/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\paprport\pptd40nt.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\avast\ashDisp.exe
C:\WINDOWS\system32\SVCHOSTA.EXE
C:\POPUPS~1\POP-UP~1\PSFree.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\avast\aswUpdSv.exe
C:\avast\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\avast\ashMaiSv.exe
C:\avast\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Customer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Customer\Application Data\Mozilla\Profiles\default\2d3g9r71.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [avast!] C:\avast\ashDisp.exe
O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTA.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\POPUPS~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\RunOnce: [Windows Logon Procedure] SVCHOSTA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\avast\ashWebSv.exe

I have even tried to open Task Manager and MSConfig from Emergency Utilities that I downloaded, and they won't open that way either. Thank you again for your time and help.

#4
Guest_thatman_*

Hi sportspeddler1

Please set your system to show all files; Click here for how to do this if you're unsure.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to the following items.

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTA.EXE
O4 - HKCU\..\RunOnce: [Windows Logon Procedure] SVCHOSTA.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

SVCHOSTA.EXE

Exit Explorer, and reboot as normal afterwards.

Please run the following free online virus scans. Please post the logs from both virus scans and HJT; we will need them to remove previous infections that have left files on your system.
http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm


And post the fresh logs in this same topic, and let us know how your system's working. ;)

Kc :tazz:

#5
sportspeddler1

Well I seem to be getting a handle on this finally! Task Manager and MSConfig seem to be working again. Last scans from Housecall and Panda found no viruses. I have not been able to delete the file SVCHOSTA.EXE in C:\WINDOWS\SYSTEM32. When I try to delete it, it says that it is being used by another person or program. Here is a log of my current HiJackThis scan.
Thanks Again!!

Logfile of HijackThis v1.99.0
Scan saved at 8:24:43 AM, on 3/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\paprport\pptd40nt.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\avast\ashDisp.exe
C:\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\POPUPS~1\POP-UP~1\PSFree.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\avast\aswUpdSv.exe
C:\avast\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\avast\ashMaiSv.exe
C:\avast\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Customer\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [avast!] C:\avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\POPUPS~1\POP-UP~1\PSFree.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\avast\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6
Guest_thatman_*

Hi sportspeddler1 ;)

Download CCleaner.
I use this program, and it is set up like this: all boxes are checked.

Clean out all temp files in Mozilla, Internet Explorer.
Internet Explorer: Tools/ Internet Options/ General/ Temporary internet files/ Delete Files (NOTE, that this may take very long!). You can also set the memory limit to about 80 MB at the Settings.

Mozilla: Edit/ Options/ Extended/ Cache/ Clear Cache

ActiveX Controls could do with a big cleanup. Open your browser and go to Tools > Internet Options and click on the General tab. Click on Settings (next to Temporary Internet Files) and then click on View Objects. Right-click on each and choose Properties. If there is anything there that you don't recognize (Microsoft, Apple, Macromedia etc. are OK) or don't know where it came from, delete it. If there are any damaged controls there, delete those also. If any are needed, you will be prompted to download them again anyway.

Please run the following free online virus scans. Please post the logs from both virus scans and HJT.log; we will need them to remove previous infections that have left files on your system.
http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm


Turn off System Restore
Disabling or enabling Windows XP System Restore

Defrag your hard drive, turn System Restore back on, and create a new restore point.


Then restart your computer one more time and post a new HJT log

Kc :tazz:

#7
sportspeddler1

Hi, I ran CCleaner, cleaned out caches, ActiveX, etc. and ran defrag.

Still have not been able to delete SVCHOSTA in C:\WINDOWS\SYSTEM32

Log file from panda:

Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\system32\cd_clint.dll
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall*.exe
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\Temp\FLEOK
Spyware:Spyware/BetterInet No disinfected C:\DOCUME~1\Customer\LOCALS~1\Temp\bi.inf
Adware:Adware/BHO No disinfected Windows Registry
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Customer\Application Data\tvm*.dll
Adware:Adware/Adroar No disinfected C:\WINDOWS\artmmp.ini
Adware:Adware/MyDailyHoroscope No disinfected C:\Program Files\My Daily Horoscope
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\localNRD.inf
Adware:Adware/WUpd No disinfected C:\Program Files\Media Pass
Spyware:Spyware/Altnet No disinfected Windows Registry
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\system32\osconfig.dll
Adware:Adware/E2Give No disinfected C:\Program Files\E2G
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\Cards.ico
Spyware:Spyware/RealSpy No disinfected Windows Registry
Spyware:Spyware/AdClicker No disinfected C:\Documents and Settings\Customer\icon\icon.exe
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Customer\Local Settings\Temp\bi.inf
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Customer\Local Settings\Temp\zsupdater.exe
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Customer\temp.exe
Adware:Adware/eZula No disinfected C:\Program Files\iMesh\Client\TTIL_imesh.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Media Pass\MediaPass.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Media Pass\MediaPassC.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Media Pass\MediaPassK.exe
Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\casicon.exe[icon.exe]
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\bi.inf
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\localNrd.inf
Spyware:Spyware/AdClicker No disinfected C:\WINDOWS\loads.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_80.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_88.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_94.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall5_48.exe
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\system32\netpals.dll
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\system32\osconfig.dll
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\system32\P2P Networking v123.cpl
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\wbnjigkgymzb.html

The only thing that HouseCall found was a "cookie spyware" COOKIE_442

Logfile of HijackThis v1.99.0
Scan saved at 12:47:41 AM, on 3/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\paprport\pptd40nt.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\avast\ashDisp.exe
C:\POPUPS~1\POP-UP~1\PSFree.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\avast\aswUpdSv.exe
C:\avast\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\freecell.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\avast\ashMaiSv.exe
C:\avast\ashWebSv.exe
C:\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Customer\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [avast!] C:\avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\POPUPS~1\POP-UP~1\PSFree.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\avast\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Any other help and suggestions are appreciated
Thank You

#8
Guest_thatman_*

Hi sportspeddler1

Welcome to geekstogo

Please read through the instructions before you start (you may want to print this out).

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - Click here to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

Reboot into Safe Mode: Click here if you don't know how to do this.

Using Windows Explorer delete the following files if present:
If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

C:\Program Files\iMesh\Client\TTIL_imesh.exe <-- Delete the whole folder
C:\Program Files\Media Pass\MediaPass.exe <-- Delete the whole folder
C:\Program Files\My Daily Horoscope <-- Delete the whole folder
C:\Program Files\E2G <-- Delete the whole folder
C:\GatorPatch.log <-- Delete the whole folder
C:\Temp\FLEOK <-- Delete the whole folder

C:\Documents and Settings\Customer\Application Data\tvm*.dll <-- Delete this file
C:\Documents and Settings\Customer\icon\icon.exe <-- Delete this file
C:\Documents and Settings\Customer\Local Settings\Temp\bi.inf <-- Delete this file
C:\Documents and Settings\Customer\Local Settings\Temp\zsupdater.exe <-- Delete this file
C:\Documents and Settings\Customer\temp.exe <-- Delete this file

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)


1. Download the Pocket Killbox.
2. Unzip the contents of KillBox.zip to a convenient location.
3. Double-click on KillBox.exe.
4. Click "Replace on Reboot" and check the "Use Dummy" box.
5. Paste each file into the top "Full Path of File to Delete" box.

C:\WINDOWS\system32\wbnjigkgymzb.html
C:\WINDOWS\NDNuninstall4_80.exe
C:\WINDOWS\NDNuninstall4_88.exe
C:\WINDOWS\NDNuninstall4_94.exe
C:\WINDOWS\NDNuninstall5_48.exe
C:\WINDOWS\system32\netpals.dll
C:\WINDOWS\system32\osconfig.dll
C:\WINDOWS\loads.exe
C:\WINDOWS\casicon.exe
C:\WINDOWS\icon.exe
C:\WINDOWS\system32\Cards.ico
C:\WINDOWS\system32\osconfig.dll
C:\WINDOWS\artmmp.ini
C:\WINDOWS\system32\cd_clint.dll
C:\WINDOWS\NDNuninstall*.exe
C:\WINDOWS\system32\P2P Networking v123.cpl
C:\WINDOWS\inf\bi.inf
C:\WINDOWS\inf\localNrd.inf


6. Click the "Delete File" button which looks like a stop sign.
7. Click "Yes" at the Replace on Reboot prompt.

Reboot into normal mode (simply restart your computer as you normally would),

Please run the following free, online virus scans. Please post the logs from both virus scans and the HJT.log; we will need them to remove previous infections that have left files on your system.
http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Kc :tazz:
  • 0

#9
sportspeddler1

sportspeddler1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 106 posts
After I run KillBox, should the files that I have it replace show up when I search for them? All the files that I put into KillBox to replace on reboot were still on the hard drive after I rebooted.
  • 0

#10
sportspeddler1

sportspeddler1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 106 posts
I did all the things on your last post.

After I run KillBox, should the files that I have it replace show up when I search for them? All the files that I put into KillBox to replace on reboot were still on the hard drive after I rebooted. A rerun of Panda is showing all the same alerts. I am WAY confused!

Logfile of HijackThis v1.99.0
Scan saved at 5:19:20 AM, on 3/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\paprport\pptd40nt.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\avast\ashDisp.exe
C:\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\POPUPS~1\POP-UP~1\PSFree.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\avast\aswUpdSv.exe
C:\avast\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Customer\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [avast!] C:\avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\POPUPS~1\POP-UP~1\PSFree.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\avast\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0



#11
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi sportspeddler1

Welcome to geekstogo

Please read through the instructions before you start (you may want to print this out).

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes next to only the following items.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =


Click on Fix Checked and exit HijackThis.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. ;)

Please run the following free, online virus scans. Please post the logs from both virus scans and the HJT.log; we will need them to remove previous infections that have left files on your system.
http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Please post the logs from both virus scans and the HJT.log. I do need to see each log; I can then see if items are changing.
As you can see there are two bad items to remove with HJT.

Kc :tazz:
  • 0
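The helper above asks for each successive log so that changes between scans can be seen. The following is an added example (not part of the thread and not HijackThis's own code) that parses two HijackThis logs and lists which entries and running processes appeared or disappeared; the function names are hypothetical and the two sample logs are abridged from logs posted in this thread.

```python
import re

# HijackThis prefixes every finding with a section code such as R0, O4 or O23.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")


def parse_hjt(text):
    """Return (processes, entries) parsed from a HijackThis log."""
    processes, entries = set(), set()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False  # the first finding ends the process list
            entries.add((match.group(1), match.group(2)))
        elif in_procs and line:
            # Windows paths are case-insensitive, so compare in lower case.
            processes.add(line.lower())
    return processes, entries


def diff_logs(before, after):
    """Compare two logs and report what changed between the scans."""
    b_procs, b_entries = parse_hjt(before)
    a_procs, a_entries = parse_hjt(after)
    return {
        "entries_removed": sorted(b_entries - a_entries),
        "entries_added": sorted(a_entries - b_entries),
        "processes_gone": sorted(b_procs - a_procs),
        "processes_new": sorted(a_procs - b_procs),
    }


# Abridged sample logs, cut down from the 3/12/2005 and 3/13/2005 logs.
BEFORE = r"""Logfile of HijackThis v1.99.0
Scan saved at 5:19:20 AM, on 3/12/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O4 - HKLM\..\Run: [avast!] C:\avast\ashDisp.exe
"""

AFTER = r"""Logfile of HijackThis v1.99.0
Scan saved at 6:22:42 AM, on 3/13/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\avast\ashMaiSv.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O4 - HKLM\..\Run: [avast!] C:\avast\ashDisp.exe
"""

if __name__ == "__main__":
    for kind, items in diff_logs(BEFORE, AFTER).items():
        print(kind)
        for item in items:
            print("   ", item)
```
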

#12
sportspeddler1

sportspeddler1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 106 posts
Ran HJT and removed those 2 items. Here is my new HJT log after rebooting. I will run both virus scans and post those logs too. System seems to be running good. Task manager and msconfig are now working.

Thank you!

Logfile of HijackThis v1.99.0
Scan saved at 6:22:42 AM, on 3/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\paprport\pptd40nt.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\avast\ashDisp.exe
C:\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\POPUPS~1\POP-UP~1\PSFree.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\avast\aswUpdSv.exe
C:\avast\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\avast\ashMaiSv.exe
C:\avast\ashWebSv.exe
C:\Documents and Settings\Customer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [avast!] C:\avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\POPUPS~1\POP-UP~1\PSFree.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\avast\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#13
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi sportspeddler1

Your Hjt.log is clean. We now need the scan logs for the next step, if any.

Kc :tazz:
  • 0

#14
sportspeddler1

sportspeddler1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 106 posts
Good news about the HJT log. I ran both virus scans. The TrendMicro Scan found 0 infections and did not give any summary. Following is the summary from the Panda Scan and another copy of my HJT log just in case you need it for anything.
Thanks again for your time and expertise!

Incident Status Location

Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\system32\cd_clint.dll
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall*.exe
Adware:Adware/Gator No disinfected C:\DOCUME~1\Customer\LOCALS~1\Temp\bundle.inf
Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\FLEOK
Adware:Adware/BHO No disinfected Windows Registry
Spyware:Spyware/TVMedia No disinfected C:\DOCUME~1\Customer\LOCALS~1\Temp\TVMUpdater.exe
Adware:Adware/Adroar No disinfected C:\WINDOWS\artmmp.ini
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\localNRD.inf
Spyware:Spyware/Altnet No disinfected Windows Registry
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\system32\osconfig.dll
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\Cards.ico
Spyware:Spyware/RealSpy No disinfected Windows Registry

Logfile of HijackThis v1.99.0
Scan saved at 8:55:32 AM, on 3/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\paprport\pptd40nt.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\avast\ashDisp.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\avast\aswUpdSv.exe
C:\avast\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\avast\ashMaiSv.exe
C:\avast\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Customer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [avast!] C:\avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\POPUPS~1\POP-UP~1\PSFree.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\avast\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#15
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi sportspeddler1

Let us see if Ad-aware SE will remove some of the junk files.

Please download Ad-aware Se

1. If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
2. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
3. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
4. Once the definitions have been updated:
5. Reconfigure Ad-Aware for Full Scan as per the following instructions:
* Launch the program, and click on the Gear at the top of the start screen.
* Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
o "Automatically save logfile"
o "Automatically quarantine objects prior to removal"
o Safe Mode (always request confirmation)
o Prompt to update outdated confirmation) - Change to 7 days.
* Click the "Scanning" button (On the left side).
* Under Drives & Folders, select "Scan within Archives"
* Click "Click here to select Drives + folders" and select your installed hard drives.
* Under Memory & Registry, select all options.
* Click the "Advanced" button (On the left hand side).
* Under "Shell Integration", select "Move deleted files to Recycle Bin".
* Under "Log-file detail", select all options.
* Click on the "Defaults" button on the left.
* Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
* Click the "Tweak" button (Again, on the left hand side).
* Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
o "Unload recognized processes during scanning."
o "Obtain command line of scanned processes"
o "Scan registry for all users instead of current user only"
* Under "Cleaning Engine", select the following:
o "Automatically try to unregister objects prior to deletion."
o "During removal, unload explorer and IE if necessary"
o "Let Windows remove files in use at next reboot."
o "Delete quarrantined objects after restoring"
* Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
* Click on "Proceed" to save these Preferences.
* Click on the "Scan Now" button on the left.
* Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
6. Close all programs except ad-aware.
7. Click on "Next" in the bottom right corner to start the scan.
8. Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
9. After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

Reboot your PC.

If you would please, let me know what it removes.

kc :tazz:
  • 0





