Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Controlling my internet address & removing it

Started by Classy2 , Mar 19 2005 02:34 AM

  • This topic is locked This topic is locked

#16
Guest_thatman_*
Posted 30 March 2005 - 03:37 AM

Guest_thatman_*
  • Guest
Hi Classy2

Click on the Ad-aware icon when the program has opened.

In the box below Usage Statistics:

Objects quarantined Click on Open quarantine list
Now right click in the box a popup box will open click on Delete all Archives

Reboot into safemode

Run Ad-aware

Reboot your Pc.

Post a new HJT.Log

Kc :tazz:
  • 0

Advertisements

#17
Classy2
Posted 30 March 2005 - 04:23 AM

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Before running hijackthis program, In the ''safe mode'' I went in my computer\cuddles and right clicked to delete yahoo and Geek. As you can see its still there. These programs are NOT in ''add and Remove''
Im still unsure of using HJT, IM waiting to see if checking off all refferences in the log to yahoo is the correct one. Also I would like to remove extra button moneyside, I do not like unnecessary things which I never use.
Question; When starting in the ''safe mode'' it seems not to automatically log me in as administrator. Is there something wrong?
Question; Now that I have unlocked all hidden files & turned off Restore. Will this all stay off and is it ok to leave it off?
Sleepless in NY, thanking you very much!



Logfile of HijackThis v1.99.1
Scan saved at 4:19:40 AM, on 3/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\rmmpkm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Documents and Settings\Cuddles\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mssn.com/homepage.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rmmpkm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#18
Classy2
Posted 30 March 2005 - 04:34 AM

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Good morning Kc,
It would help me alot if I could connect to internet while in being in the safe mode. Can you suggest something since I sometimes need to refer to your instructions! :tazz:
  • 0

#19
Classy2
Posted 30 March 2005 - 05:04 AM

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
OK deleted ad ware archives. Ran is safe mode and delted all ad ware.
And I logged in as admistrator. I assume my settings for keeping hiden files open and restore would still be off since I never changed them?


Logfile of HijackThis v1.99.1
Scan saved at 5:55:50 AM, on 3/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\rmmpkm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Cuddles\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Geek Superhero] C:\Program Files\Geek Superhero\GeekSuperhero.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rmmpkm.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#20
Guest_thatman_*
Posted 30 March 2005 - 05:32 AM

Guest_thatman_*
  • Guest
Hi Classy2

Having a internet connection in safemode would give the Malware complete control off you system, you don’t need that do you?

Please read through the instructions before you start (you may want to print this out).

Please download and install these programs –

Download the CCleaner unzip the file to install.
Open the ccleaner.
Place a check by everything in the Applications tab.
Place a check by Internet Explorer, Windows explorer, and System in the Windows tab.
Now click on Run Cleaner

Please download and unzip
About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box . Don't run it yet.

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Reboot into Safe Mode: Click here if you don't know how to do this.

CLOSE ALL WINDOWS AND BROWSERS Scan with HijackThis and put checks next to all the following,

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab

Then click on "Fix Checked"

Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

Scan with AdAware and let it remove any bad files found.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

Reboot into normal mode.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs From both virus scans and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#21
Classy2
Posted 30 March 2005 - 06:14 AM

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
I do not have a printer. My bigest problem is I can NOT CONNECT on the internet when Im in the safe mode. I need to look at your instructions while im working.
Do you have a suggestion?
  • 0

#22
Guest_thatman_*
Posted 30 March 2005 - 07:07 AM

Guest_thatman_*
  • Guest
Hi Classy2

Click the first line in the instuctions hold down the left mouse button now move your mouse down the page in view stop at the end off the instruction list let go off the left button now click the right hand mouse button a small popup will show click on copy

Open Notepad and right click again now click on Paste all the instructions from the page you have been viewing are now in your notepad:

Now click on save, give the file a name i.e info HJT, now save it to you Desktop.

Kc :tazz:
  • 0

#23
Classy2
Posted 01 April 2005 - 02:21 AM

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Hi Kc, You requested earlier to post virus scans. I just figured out how to save the log. :tazz: So, below is my Panda Scan:


Incident Status Location

Virus:W32/Spybot.QV.worm Disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dppk.exe
Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Cuddles\Local Settings\Temp\dnyyzic.tmp
Adware:Adware/Minibug No disinfected C:\Program Files\AIM\Sysfiles\WxBug.EXE
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\gopkilxg\528t127l.DLL
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\gopkilxg\gopkilxg.dll
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\gopkilxg\gopkilxg.exe
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\gopkilxg\gopkilxg1\gopkilxg1.dll
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\gopkilxg\gopkilxg1\gopkilxg1.exe
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\gopkilxg\s1rs7zlm.DLL
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\gopkilxg\yxze8xi0.DLL
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccC.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccess.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccK.exe
Adware:Adware/AdDestroyer No disinfected C:\RECYCLER\S-1-5-21-166745521-3779935395-2167395947-500\Dc1\AdDestroyerInner.EXE.tcf
Adware:Adware/AdDestroyer No disinfected C:\RECYCLER\S-1-5-21-166745521-3779935395-2167395947-500\Dc1\BundleOuter.EXE
Adware:Adware/ILookup No disinfected C:\RECYCLER\S-1-5-21-166745521-3779935395-2167395947-500\Dc22.exe
Adware:Adware/TopMoxie No disinfected C:\RECYCLER\S-1-5-21-166745521-3779935395-2167395947-500\Dc6\README.txt
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\ceres.dll.tcf
Adware:Adware/BTGrab No disinfected C:\WINDOWS\inf\btgrab.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\ceres.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\farmmext.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\zserv.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inst\3p1.exe.tcf
Adware:Adware/IESearchBar No disinfected C:\WINDOWS\isrvs\desktop.exe
Adware:Adware/FIsearch No disinfected C:\WINDOWS\isrvs\edmond.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\isrvs\isearch.xpi[isearch.jar][isearch.js]
Adware:Adware/IESearchBar No disinfected C:\WINDOWS\isrvs\mfiltis.dll
Adware:Adware/FIsearch No disinfected C:\WINDOWS\isrvs\msdbhk.dll
Spyware:Spyware/ClearSearch No disinfected C:\WINDOWS\system32\Cache\CSv13P108.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\Cache\cxtpls_loader.exe
Adware:Adware/ILookup No disinfected C:\WINDOWS\system32\Cache\desktrf-fran-162813.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\system32\Cache\MTE0MzA6ODoxMg.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\Cache\pop.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system32\Cache\thin-154-1-x-x.exe
Adware:Adware/ILookup No disinfected C:\WINDOWS\system32\Cache\tool2_162813.exe
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\Cache\wrapperouter.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\cewgkl.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\chkynth.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\doolsav.dat
Adware:Adware/Startpage.CM No disinfected C:\WINDOWS\system32\elitebob32.exe
Adware:Adware/Startpage.CM No disinfected C:\WINDOWS\system32\eliteewg32.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\gfufpf.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\gpqpd.dll
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\gpqpdf.exe
Adware:Adware/QoolShown No disinfected C:\WINDOWS\system32\phhirhs.dll
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\psis80ex.ax[mscb.dll]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[cashback.exe]
Virus:W32/Spybot.QV.worm Disinfected C:\WINDOWS\system32\qbbak.dat
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\rjnzxf.exe
Virus:W32/Spybot.QV.worm No disinfected C:\WINDOWS\system32\rmmpkm.exe
Virus:Trj/Small.HQ Disinfected C:\WINDOWS\system32\winup2date.dll
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\WTuninst.exe
  • 0

#24
Classy2
Posted 01 April 2005 - 03:10 AM

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Note about Panda scan in above post; Im confused why adware showed up in this scan, when all ad ware quarantine archives were deleted?

The log setup was left at the default setting. So I hope this helps
And here is my Spybot Search & Destroy log


--- Search result list ---

--- Spybot - Search && Destroy version: 1.3 ---
2005-03-03 Includes\Cookies.sbi
2005-03-16 Includes\Dialer.sbi
2005-03-17 Includes\Hijackers.sbi
2005-03-17 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-03-16 Includes\Malware.sbi
2005-03-17 Includes\PUPS.sbi
2005-03-17 Includes\Revision.sbi
2005-02-09 Includes\Security.sbi
2005-03-17 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-03-16 Includes\Trojans.sbi


--- System information ---
Windows XP (Build: 2600)
/ Windows XP / SP1 / Q308676: Windows XP Hotfix (SP1) [See Q308676 for more information]
/ Windows XP / SP1 / Q308677: Windows XP Hotfix (SP1) [See Q308677 for more information]
/ Windows XP / SP1 / Q309521: Windows XP Hotfix (SP1) [See Q309521 for more information]
/ Windows XP / SP1 / Q309691: Windows XP Hotfix (SP1) [See Q309691 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q311842 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q311889 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q312370 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q315000 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q315403 for more information]


--- Startup entries list ---
Located: HK_LM:Run, CPQEASYACC
command: C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
file: C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
size: 32768
MD5: 553235e301a6498595720c9e225b9e54

Located: HK_LM:Run, dla
command: C:\WINDOWS\system32\dla\tfswctrl.exe
file: C:\WINDOWS\system32\dla\tfswctrl.exe
size: 106549
MD5: 6d21f9202a24b36e7cb10e8ed9f9de37

Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\System32\hkcmd.exe
file: C:\WINDOWS\System32\hkcmd.exe
size: 114688
MD5: 318b39089ff44d57368eff1ec81bdefd

Located: HK_LM:Run, hpsysdrv
command: c:\windows\system\hpsysdrv.exe
file: c:\windows\system\hpsysdrv.exe
size: 52736
MD5: 06a1ecb63df139ec639e084d4ab3c9d7

Located: HK_LM:Run, IgfxTray
command: C:\WINDOWS\System32\igfxtray.exe
file: C:\WINDOWS\System32\igfxtray.exe
size: 155648
MD5: c0ca97b06360872117e472eba3d25242

Located: HK_LM:Run, kmw_run.exe
command: kmw_run.exe
file: C:\WINDOWS\system32\kmw_run.exe
size: 106496
MD5: 5ee1ad8304f6f9c1fc3ac9b1223f9890

Located: HK_LM:Run, MMTray
command: C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
file: C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
size: 110592
MD5: d5742e8d40e6cd73cd03193afe8edcda

Located: HK_LM:Run, Recguard
command: C:\WINDOWS\SMINST\RECGUARD.EXE
file: C:\WINDOWS\SMINST\RECGUARD.EXE
size: 212992
MD5: f8955392ccfcefb43084e22d7212645b

Located: HK_LM:Run, srmclean
command: C:\Cpqs\Scom\srmclean.exe
file: C:\Cpqs\Scom\srmclean.exe
size: 36864
MD5: 787b8ad5fef1a68d3ed00e4e393b9d18

Located: HK_LM:Run, StorageGuard
command: "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
file: C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
size: 155648
MD5: 33d18d25af83df302a6e66ab781c4ccf

Located: HK_LM:Run, THGuard
command: "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
file: C:\Program Files\TrojanHunter 4.2\THGuard.exe
size: 1089024
MD5: edb3dca0b1f57ac8d915c8ad0830b27c

Located: HK_LM:Run, type32
command: "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
file: C:\Program Files\Microsoft IntelliType Pro\type32.exe
size: 114688
MD5: 0b45a5b6c854cc6c68c891bdeabec035

Located: HK_LM:Run, WCOLOREAL
command: "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
file: C:\Program Files\COMPAQ\Coloreal\coloreal.exe
size: 143360
MD5: 6db919559153bf8ed0b3200908222867

Located: HK_LM:RunOnce, Compaq_RBA
command: C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z

Located: HK_LM:Run, MMTray (DISABLED)
command: C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
file: C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
size: 110592
MD5: d5742e8d40e6cd73cd03193afe8edcda

Located: HK_LM:Run, NvCplDaemon (DISABLED)
command: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 31744
MD5: 0fb22dd37c17f80ad71316049f725170

Located: HK_LM:Run, nwiz (DISABLED)
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 364544
MD5: fa537c72dc6d4f74b3d8a87f7cfbb6ac

Located: HK_LM:Run, TkBellExe (DISABLED)
command: C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

Located: HK_LM:Run, WinTools (DISABLED)
command: C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

Located: HK_LM:RunOnce, WinTools (DISABLED)
command:

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1038336
MD5: 58f7e6434d285f4c98ad3621e0bd8c8d



--- Browser helper object list ---
{02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
BHO name:
CLSID name: Yahoo! Companion BHO

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 5/12/2004 1:03:00 AM
Date (last access): 4/1/2005 1:45:16 AM
Date (last write): 5/12/2004 1:03:00 AM
Filesize: 744960
Attributes: archive
MD5: ABF5BA518C6A5ED104496FF42D19AD88
CRC32: 5587736E
Version: 0.1.0.3

{87766247-311C-43B4-8499-3D5FEC94A183} ()
BHO name:
CLSID name:
description: HuntBar variant, HuntBar variant
classification: Confirmed as malware
known filename: Wtoolsb.dll
info link: http://www.doxdesk.c...te/HuntBar.html
info source: TonyKlein

{8952A998-1E7E-4716-B23D-3DBE03910972} ()
BHO name:
CLSID name:
description: HuntBar,
classification: Confirmed as malware
known filename: Toolbar.dll
info link: http://www.doxdesk.c...te/HuntBar.html
info source: TonyKlein



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
description: Macromedia ShockWave Flash Player 7
classification: Unknown
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 1/21/2005 5:46:38 PM
Date (last access): 4/1/2005 1:29:30 AM
Date (last write): 9/9/2004 2:49:12 PM
Filesize: 54488
Attributes: archive
MD5: 943193399C341AC34E842CB07B5F29A0
CRC32: 12DEB8F4
Version: 0.10.0.1

{205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class)
DPF name:
CLSID name: CInstall Class
Path: C:\WINDOWS\DOWNLO~1\
Long name: Install.dll
Short name:
Date (created): 9/30/2004 11:46:24 AM
Date (last access): 4/1/2005 1:46:06 AM
Date (last write): 9/30/2004 11:46:24 AM
Filesize: 315392
Attributes: archive
MD5: B2F217B063FFE01DA62EF1181E726F0E
CRC32: C78ECDD3
Version: 0.2.0.0

{74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
DPF name:
CLSID name: HouseCall Control
description: Trend Micro Antivirus online scanner
classification: Legitimate
known filename: XSCAN53.OCX
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\DOWNLO~1\
Long name: xscan53.ocx
Short name:
Date (created): 6/9/2004 4:56:02 PM
Date (last access): 4/1/2005 1:46:08 AM
Date (last write): 6/9/2004 4:56:02 PM
Filesize: 435712
Attributes: archive
MD5: DCFFCA7F818B4CF4DF29B8932907735D
CRC32: 89BBB9BF
Version: 0.5.0.70

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1)
DPF name: Java Runtime Environment 1.3.1
CLSID name: Java Plug-in 1.3.1
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\JavaSoft\JRE\1.3.1\bin\
Long name: NPJava131.dll
Short name: NPJAVA~1.DLL
Date (created): 8/2/2002 12:16:58 AM
Date (last access): 4/1/2005 1:42:12 AM
Date (last write): 5/6/2001 8:14:22 PM
Filesize: 53338
Attributes: archive
MD5: 8D7694975F0E5C1F153AADD68A460887
CRC32: 2AD23CCB
Version: 0.1.0.3

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name:
CLSID name: ActiveScan Installer Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: asinst.dll
Short name:
Date (created): 2/8/2005 10:52:16 AM
Date (last access): 4/1/2005 1:32:38 AM
Date (last write): 2/8/2005 10:52:16 AM
Filesize: 110592
Attributes: archive
MD5: D90D6B26641FED8E743E8E78F71F0C09
CRC32: C1BA2509
Version: 0.57.0.5

{A17E30C4-A9BA-11D4-8673-60DB54C10000} ()
DPF name:
CLSID name:

{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1)
DPF name: Java Runtime Environment 1.3.1
CLSID name: Java Plug-in 1.3.1
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\JavaSoft\JRE\1.3.1\bin\
Long name: NPJava131.dll
Short name: NPJAVA~1.DLL
Date (created): 8/2/2002 12:16:58 AM
Date (last access): 4/1/2005 2:48:10 AM
Date (last write): 5/6/2001 8:14:22 PM
Filesize: 53338
Attributes: archive
MD5: 8D7694975F0E5C1F153AADD68A460887
CRC32: 2AD23CCB
Version: 0.1.0.3

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\macromed\flash\
Long name: Flash.ocx
Short name:
Date (created): 6/9/2004 3:59:26 PM
Date (last access): 4/1/2005 1:53:12 AM
Date (last write): 6/9/2004 3:59:26 PM
Filesize: 939224
Attributes: archive
MD5: FC3E17E12C2E31FAC34B416B3DAB829F
CRC32: D1CF3A57
Version: 0.7.0.0



--- Process list ---
Spybot - Search && Destroy process list report, 4/1/2005 2:48:09 AM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 128 ( 800) C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
PID: 412 (1408) C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID: 460 ( 4) \SystemRoot\System32\smss.exe
PID: 520 ( 460) \??\C:\WINDOWS\system32\csrss.exe
PID: 544 ( 460) \??\C:\WINDOWS\system32\winlogon.exe
PID: 588 ( 544) C:\WINDOWS\system32\services.exe
PID: 600 ( 544) C:\WINDOWS\system32\lsass.exe
PID: 800 ( 588) C:\WINDOWS\system32\svchost.exe
PID: 824 (1844) C:\WINDOWS\System32\rmmpkm.exe
PID: 852 ( 588) C:\WINDOWS\System32\svchost.exe
PID: 952 ( 588) C:\WINDOWS\System32\svchost.exe
PID: 964 ( 588) C:\WINDOWS\System32\svchost.exe
PID: 1144 ( 588) C:\WINDOWS\system32\spoolsv.exe
PID: 1332 (1788) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 1400 ( 588) C:\WINDOWS\System32\alg.exe
PID: 1408 (1340) C:\WINDOWS\Explorer.EXE
PID: 1420 ( 588) C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
PID: 1508 ( 588) C:\WINDOWS\System32\nvsvc32.exe
PID: 1644 (1408) C:\windows\system\hpsysdrv.exe
PID: 1676 (1408) C:\WINDOWS\system32\dla\tfswctrl.exe
PID: 1712 (1408) C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
PID: 1728 (1408) C:\WINDOWS\System32\kmw_run.exe
PID: 1744 (1408) C:\Program Files\Microsoft IntelliType Pro\type32.exe
PID: 1752 (1408) C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
PID: 1764 (1408) THGuard.exe
PID: 1788 (1408) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 1852 (1728) C:\WINDOWS\System32\KMW_SHOW.EXE
PID: 1868 (1712) C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
PID: 1880 (1712) C:\Compaq\EAKDRV\EAUSBKBD.EXE


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 4/1/2005 2:48:09 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://home.microsof...ss/allinone.asp
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.msn.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.google.com/search?q=%s
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://home.microsof...ss/allinone.asp
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
http://rd.yahoo.com/.../search/ie.html
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn...st/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn...st/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{448EBD2A-3D73-4EC0-BFA2-D40882CDF538}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{448EBD2A-3D73-4EC0-BFA2-D40882CDF538}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B477CD21-9A4D-4539-9330-CE1C248E9261}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B477CD21-9A4D-4539-9330-CE1C248E9261}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{44FBB619-E53D-49B0-B1A8-513BB5EBBE44}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{44FBB619-E53D-49B0-B1A8-513BB5EBBE44}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F1F55999-07DC-4AC6-A33A-F9F16BBA4BA5}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F1F55999-07DC-4AC6-A33A-F9F16BBA4BA5}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D8D8EB9-0E1C-4832-96E1-822801CEFE12}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D8D8EB9-0E1C-4832-96E1-822801CEFE12}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace


I also scanned with Trend Micro, Im not sure the log went but I click on
"Auto Clean".
I ran CWShedder ''clicked Fixed it said no CWS were found. Where does this program put its log file??
Im finished posting my virus scans :tazz:

Now I will follow your list of instructions listed in post #20 ;)
  • 0

#25
Guest_thatman_*
Posted 01 April 2005 - 03:34 AM

Guest_thatman_*
  • Guest
Hi Classy2

How are you getting on with copy and paste can you use it now.

Clean out all temp files in Mozilla, Internet Explorer.
Internet Explorer: Tools/ Internet Options/ General/ Temporary internet files/ Delete Files (NOTE, that this may take very long!). You can also set the memory limit to about 20 MB at the Settings.
Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Download the CCleaner unzip the file to install.
Open the ccleaner.
Place a check by everything in the Applications tab.
Place a check by Internet Explorer, Windows explorer, and System in the Windows tab.
Now click on Run Cleaner

The next part of this fix which I will post after is very long.
When you have completed this post back and I will post the next part of this fix.any problems let me know.

Kc :tazz:
  • 0

Advertisements

#26
Classy2
Posted 01 April 2005 - 06:00 AM

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
I ran Cleaner, followed your instructions. Except I cant find CCleaner log.
Would it make a difference if I ran HJT in ''regular mode'' now so I can post to you the HJT log??
''About Buster wouldnt run in the safe mode. I think because I copied and paste in ''Program Files'' then added a shortcut in my desktop.
Yes! Coping all your instructions into notepad was a great idea, thank you. :tazz:
May I copy the HJT now to you?

ArchiveData(auto-quarantine- 2005-04-01 06-01-51.bckp)
Referencefile : SE1R34 23.03.2005
======================================================

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=IECache Entry : C:\Documents and Settings\Corey\Cookies\corey@2o7[2].txt
obj[1]=IECache Entry : C:\Documents and Settings\Corey\Cookies\corey@adrevolver[1].txt
obj[2]=IECache Entry : C:\Documents and Settings\Corey\Cookies\[email protected][2].txt
obj[3]=IECache Entry : C:\Documents and Settings\Corey\Cookies\corey@casalemedia[1].txt
obj[4]=IECache Entry : C:\Documents and Settings\Corey\Cookies\corey@cgi-bin[1].txt
obj[5]=IECache Entry : C:\Documents and Settings\Corey\Cookies\corey@euniverseads[2].txt
obj[6]=IECache Entry : C:\Documents and Settings\Corey\Cookies\[email protected][2].txt
obj[7]=IECache Entry : C:\Documents and Settings\Corey\Cookies\corey@questionmarket[1].txt
obj[8]=IECache Entry : C:\Documents and Settings\Corey\Cookies\corey@realmedia[2].txt
obj[9]=IECache Entry : C:\Documents and Settings\Corey\Cookies\corey@trafficmp[1].txt
obj[10]=IECache Entry : C:\Documents and Settings\Corey\Cookies\corey@tripod[1].txt
obj[11]=IECache Entry : C:\Documents and Settings\Corey\Cookies\[email protected][1].txt
obj[12]=IECache Entry : C:\Documents and Settings\Cuddles\Cookies\cuddles@questionmarket[1].txt

IBIS TOOLBAR
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[13]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{8952a998-1e7e-4716-b23d-3dbe03910972}
obj[14]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{87766247-311c-43b4-8499-3d5fec94a183}
  • 0

#27
Classy2
Posted 01 April 2005 - 06:13 AM

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Kc,
I miss yahoo messenger. So I tried downloaading it The email works but the messenger window opens and closes right away. I saw it in the HJT Log but I want your reassured help as to which lines can be deleted. :tazz:
I really appreciate your time in helping me. ;)
  • 0

#28
Classy2
Posted 01 April 2005 - 06:24 AM

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Good Morning, Kc,

Clean out all temp files in Mozilla, Internet Explorer.
Internet Explorer: Tools/ Internet Options/ General/ Temporary internet files/ Delete Files
:tazz: Clean out from which program? ;)
You can also set the memory limit to about 20 MB at the Settings.
;) Set this from ?????

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:
:) TIF files from which program? :)
  • 0

#29
Classy2
Posted 01 April 2005 - 06:48 AM

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
I just copied this HJK in regular mode, in case it doesnt matter. And since I cant find the one I saved in ''safe mode''.

Can this ''missing dll file'' (C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
be the cause of my logon window to close?



Logfile of HijackThis v1.99.1
Scan saved at 7:31:02 AM, on 4/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\rmmpkm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Cuddles\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rmmpkm.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#30
Guest_thatman_*
Posted 01 April 2005 - 07:52 AM

Guest_thatman_*
  • Guest
Hi Classy2

Copy the instructions

Download Pocket Killbox and unzip it; save it to your Desktop.

Reboot into safemode

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dppk.exe<--Delete this file
C:\Documents and Settings\Cuddles\Local Settings\Temp\dnyyzic.tmp<Delete this file
C:\Program Files\AIM\Sysfiles\WxBug.EXE<--Delete this file

C:\Program Files\Media Access<--Delete the whole folder
C:\Program Files\gopkilxg<--Delete the whole folder

Empty your recycle bin
C:\RECYCLER\S-1-5-21-166745521-3779935395-2167395947-500\Dc1\AdDestroyerInner.EXE.tcf

Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.
C:\WINDOWS\ceres.dll.tcf
C:\WINDOWS\inf\btgrab.inf
C:\WINDOWS\inf\ceres.inf
C:\WINDOWS\inf\farmmext.inf
C:\WINDOWS\inf\zserv.inf
C:\WINDOWS\inst\3p1.exe.tcf
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\isrvs\edmond.exe
C:\WINDOWS\isrvs\isearch.xpi
C:\WINDOWS\isearch.jar
C:\WINDOWS\isearch.js
C:\WINDOWS\isrvs\mfiltis.dll
C:\WINDOWS\isrvs\msdbhk.dll
C:\WINDOWS\system32\Cache\CSv13P108.exe
C:\WINDOWS\system32\Cache\cxtpls_loader.exe
C:\WINDOWS\system32\Cache\desktrf-fran-162813.exe
C:\WINDOWS\system32\Cache\MTE0MzA6ODoxMg.exe
C:\WINDOWS\system32\Cache\pop.exe
C:\WINDOWS\system32\Cache\thin-154-1-x-x.exe
C:\WINDOWS\system32\Cache\tool2_162813.exe
C:\WINDOWS\system32\Cache\wrapperouter.exe
C:\WINDOWS\system32\cewgkl.exe
C:\WINDOWS\system32\chkynth.exe
C:\WINDOWS\system32\doolsav.dat
C:\WINDOWS\system32\elitebob32.exe
C:\WINDOWS\system32\eliteewg32.exe
C:\WINDOWS\system32\gfufpf.exe
C:\WINDOWS\system32\gpqpd.dll
C:\WINDOWS\system32\gpqpdf.exe
C:\WINDOWS\system32\phhirhs.dll
C:\WINDOWS\system32\psis80ex.ax
C:\WINDOWS\system32\mscb.dll
C:\WINDOWS\system32\psis80ex.ax
C:\WINDOWS\system32\cashback.exe
C:\WINDOWS\system32\qbbak.dat
C:\WINDOWS\system32\rjnzxf.exe
C:\WINDOWS\system32\rmmpkm.exe
C:\WINDOWS\system32\winup2date.dll
C:\WINDOWS\Temp\WTuninst.exe
End of killbox files

Reboot into normal mode.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm

Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP