Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Controlling my internet address & removing it


  • This topic is locked This topic is locked

#46
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Im going in the safe mode now to use HJT right brb.
I just scanned with pand.
It said No viruses were found.
No REPORT in pand.grrrrrrr :tazz:
  • 0

Advertisements


#47
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Hi LKc,
From the safe mode here is my HJT log;

Logfile of HijackThis v1.99.1
Scan saved at 6:40:09 AM, on 4/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presari...&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} -
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#48
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Task 'Resident protection' used
* Started on Wednesday, April 06, 2005 8:25:31 PM
* VPS: 0514-0, 04/05/2005
*

C:\Documents and Settings\Cuddles\Local Settings\Temporary Internet Files\Content.IE5\63QN6LA5\i282[1].exe [L] Win32:Qoologic-B [Trj] (0)
C:\DOCUME~1\Cuddles\LOCALS~1\Temp\tp7543.exe [L] Win32:Qoologic-B [Trj] (0)
File was successfully deleted...
*
* avast! Report
* This file is generated automatically
*
* Task 'Resident protection' used
* Started on Thursday, April 07, 2005 5:11:36 AM
* VPS: 0514-0, 04/05/2005
*

C:\Documents and Settings\Cuddles\Local Settings\Temporary Internet Files\Content.IE5\63QN6LA5\i282[1].exe [L] Win32:Qoologic-B [Trj] (0)
C:\Documents and Settings\Cuddles\Local Settings\Temporary Internet Files\Content.IE5\4TA7OLAJ\i282[1].exe [L] Win32:Qoologic-B [Trj] (0)
File was successfully moved to chest...
C:\DOCUME~1\Cuddles\LOCALS~1\Temp\tp7543.exe [L] Win32:Qoologic-B [Trj] (0)
File was successfully moved to chest...
I have been over and over putting this in a chest.
*
* Task stopped: Thursday, April 07, 2005 6:37:07 AM
* Run-time was 1 hour(s), 25 minute(s), 31 second(s)
*

*
* avast! Report
* This file is generated automatically
*
* Task 'Resident protection' used
* Started on Thursday, April 07, 2005 6:44:56 AM
* VPS: 0514-0, 04/05/2005
*

C:\Documents and Settings\Cuddles\Local Settings\Temporary Internet Files\Content.IE5\63QN6LA5\i282[1].exe [L] Win32:Qoologic-B [Trj] (0)
C:\DOCUME~1\Cuddles\LOCALS~1\Temp\tp7543.exe [L] Win32:Qoologic-B [Trj] (0)
File was successfully moved to chest..
  • 0

#49
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Classy2

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.

Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

Kc :tazz:
  • 0

#50
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Hi Kc,
I do want to install SP1a on my pc. Tell me what to do after I install it and I cant connect to the internet to look or come to you for help?
(7 months ago I installed SP1a, and I lost my internet connection)

Will you walk me through the steps which I do NOT know of what to do. :tazz:

1. Sayson Microsoft--- You can install SP1 only on a computer that is running Windows XP, and you must be logged on to that computer as an administrator. ;)
( Administrator is ONLY listed to log on to in the SAFE MODE) :)
2. Says Microsoft Important
Automated System Recovery (ASR) will not restore your data files. For more information, see "Backing up files and folders," "Restoring files and folders," and "To create an Automated System Recovery set using Backup" in the Windows XP ( Are they reffering to making a '' Resore Point'')? ;)

Dear Kc I want this installation t be a success,
Sincerely,
Classy2
  • 0

#51
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
ON THE WINDOWS UPDATE PAGE it says this;
"Checking for the latest version of the Windows Update software...

Depending on your connection speed, this might take a minute. During this time, you may receive one or more security warnings. Review each security warning to ensure that the content is signed by Microsoft, and then click Install or Yes to install the software".

I waited a very long time and tried many times with nothing happening :tazz:

Also on the lefft column of the update page; "Install update" (WAS DIMED OUT)

My other problem is with installing SP1a.
It says in update Guide, "Administrators must be the ones to install SP1a"

Remember, I told you the internet will not connect while im in the safe mode.
What am I supposed to do now?
Kc, will you please help me. After all this work I feel I trust ou and I really appreciate all your time ;)
Sincerely,
Classy
  • 0

#52
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Today I stalled XP'S firewall.
Kc, do you think XP's Firewall will do its job?
I went to update some critical files from Micrsoft Update, nothing happened, after trying many times on different days.
Can you help me???.
  • 0

#53
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
God Morning Kc,
Correct me if Im wrong. The ''Internect Connection Firewall' Is part of the SP Intallation Package
I hope you will contiue helping me removing maleware,pleasee. :tazz:
With appreciating,
Classy2
  • 0

#54
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Dear Kc,
I was in the process of manually updating, and it said ---
"Checking for the latest version of the Windows Update software...

Depending on your connection speed, this might take a minute. During this time, you may receive one or more security warnings. Review each security warning to ensure that the content is signed by Microsoft, and then click Install or Yes to install the software".
Kc, can you help me with this problem or does my problem belong in
" Aplications"????
Very frustrated,
Classy
  • 0

#55
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Classy2

Lets see if this will find any hidden Trojan’s http://www.ewido.net/en/download/

This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.

Kc :tazz:
  • 0

Advertisements


#56
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
Hi Kc,
This looks likke it found many more Trojans. I ran my system regualry. If you need this program to run in ''Safe mode'' just let me know.
Thank you,
Classy



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:23:34 PM, 4/12/2005
+ Report-Checksum: CE1DBD2E

+ Date of database: 4/13/2005
+ Version of scan engine: v3.0

+ Duration: 49 min
+ Scanned Files: 163498
+ Speed: 55.46 Files/Second
+ Infected files: 66
+ Removed files: 33
+ Files put in quarantine: 33
+ Files that could not be opened: 0
+ Files that could not be cleaned: 33

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
C:\

+ Scan result:
C:\Documents and Settings\Administrator1\Cookies\administrator1@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator1\Cookies\administrator1@adopt.hotbar[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator1\Cookies\administrator1@ads.inet1[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administrator1\Cookies\administrator1@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administror1\Cookies\administror1@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Administror1\Cookies\administror1@bravenet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@247realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@ads.euniverseads[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@adv.webmd[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@cancerbacup[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@overture[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@tradedoubler[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Corey\Cookies\corey@zedo[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cuddles\Cookies\cuddles@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cuddles\Cookies\cuddles@link[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Cuddles\Cookies\cuddles@techrepublic.com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\Helper101.dll -> Spyware.Delf.r -> Cleaned with backup
C:\WINDOWS\isrvs\mfiltis.dll -> Spyware.ISearch.d -> Cleaned with backup
C:\WINDOWS\system32\Cache\BlazeVCM7.exe -> Trojan.Registrator.b -> Cleaned with backup
C:\WINDOWS\system32\Cache\bs5-va-egihsg.exe -> Spyware.BookedSpace.c -> Cleaned with backup
C:\WINDOWS\system32\Cache\MTE0MzA6ODoxMg.exe -> Spyware.ISearch.d -> Cleaned with backup
C:\WINDOWS\system32\nppku.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\WINDOWS\system32\rjnzxd.exe -> Spyware.Adstart.b -> Cleaned with backup
C:\WINDOWS\system32\winup2date.dll -> Spyware.Small.et -> Cleaned with backup
C:\WINDOWS\unadbeh.exe -> TrojanDropper.Win32.Small.wc -> Cleaned with backup
C:\WINDOWS\wupdsnff.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Administrator1\Cookies\administrator1@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Administrator1\Cookies\administrator1@adopt.hotbar[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Administrator1\Cookies\administrator1@ads.inet1[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Administrator1\Cookies\administrator1@exitexchange[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Administror1\Cookies\administror1@atdmt[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Administror1\Cookies\administror1@bravenet[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Corey\Cookies\corey@247realmedia[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Corey\Cookies\corey@ads.euniverseads[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Corey\Cookies\corey@adv.webmd[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Corey\Cookies\corey@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Corey\Cookies\corey@burstnet[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Corey\Cookies\corey@cancerbacup[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Corey\Cookies\corey@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Corey\Cookies\corey@geocities[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Corey\Cookies\corey@overture[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Corey\Cookies\corey@realmedia[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Corey\Cookies\corey@tradedoubler[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Corey\Cookies\corey@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Corey\Cookies\corey@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Corey\Cookies\corey@zedo[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Cuddles\Cookies\cuddles@com[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Cuddles\Cookies\cuddles@link[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Cuddles\Cookies\cuddles@techrepublic.com[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\WINDOWS\Helper101.dll -> Spyware.Delf.r -> Error during cleaning
C:\WINDOWS\isrvs\mfiltis.dll -> Spyware.ISearch.d -> Error during cleaning
C:\WINDOWS\system32\Cache\BlazeVCM7.exe -> Trojan.Registrator.b -> Error during cleaning
C:\WINDOWS\system32\Cache\bs5-va-egihsg.exe -> Spyware.BookedSpace.c -> Error during cleaning
C:\WINDOWS\system32\Cache\MTE0MzA6ODoxMg.exe -> Spyware.ISearch.d -> Error during cleaning
C:\WINDOWS\system32\nppku.dll -> TrojanDownloader.Qoologic.i -> Error during cleaning
C:\WINDOWS\system32\rjnzxd.exe -> Spyware.Adstart.b -> Error during cleaning
C:\WINDOWS\system32\winup2date.dll -> Spyware.Small.et -> Error during cleaning
C:\WINDOWS\unadbeh.exe -> TrojanDropper.Win32.Small.wc -> Error during cleaning
C:\WINDOWS\wupdsnff.exe -> Spyware.BetterInternet -> Error during cleaning


::Report End
  • 0

#57
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Classy2

Please read through the instructions before you start (you may want to print this out).

Download Pocket Killbox and unzip it; save it to your Desktop.

Reboot into Safe Mode: Click here if you don't know how to do this.

Now run ewido

Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.
C:\WINDOWS\Helper101.dll
C:\WINDOWS\isrvs\mfiltis.dll
C:\WINDOWS\system32\Cache\BlazeVCM7.exe
C:\WINDOWS\system32\Cache\bs5-va-egihsg.exe
C:\WINDOWS\system32\Cache\MTE0MzA6ODoxMg.exe
C:\WINDOWS\system32\nppku.dll
C:\WINDOWS\system32\rjnzxd.exe
C:\WINDOWS\system32\winup2date.dll
C:\WINDOWS\unadbeh.exe
C:\WINDOWS\wupdsnff.exe

End of killbox file's

Reboot into normal mode.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#58
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
I ran ewido from the ''Safe Mode.

Here is Ewidos Report;

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:21:23 AM, 4/14/2005
+ Report-Checksum: C93EC79C

+ Date of database: 4/13/2005
+ Version of scan engine: v3.0

+ Duration: 29 min
+ Scanned Files: 60087
+ Speed: 33.74 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
+ Scan result:
No infected files found!
::Report End

In the Safe mode I copied and pasted ALL the from the Killbox, and rebooted at the end.

Heres my HJT Log in regular mode. Or did you want it from the Safe Mode? If so, I'
Logfile of HijackThis v1.99.1
Scan saved at 1:59:44 AM, on 4/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passpor...gin.srf?id=6528
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} -
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#59
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Classy2

Download CW-Shredder at the link below: CWShredder
Run CWShredder to fix your CWS problem.

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

Click on { red Fix Checked } when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run CWShredder to fix your CWS problem.

Reboot your system as normal.

Now use Internet Explorer and update you windows.

Please run the following free, online virus scans.http://www.pandasoft.../start_corp.aspPlease post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.[/color]

Kc :tazz:
  • 0

#60
Classy2

Classy2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 242 posts
I installed CWShredder only to click on fix.
My Search showed Shredder exe showed up in Program files but was nowhere to be found.
But I clicked on ''FIX'' anyway CWShedder and is Shedder's Log;

**** Run Keys ****

RUN: [hpsysdrv] c:\windows\system\hpsysdrv.exe
RUN: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
RUN: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
RUN: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
RUN: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
RUN: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
RUN: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
RUN: [srmclean] C:\Cpqs\Scom\srmclean.exe
RUN: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
RUN: [kmw_run.exe] kmw_run.exe
RUN: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
RUN: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
RUN: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
RUN: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
RUN: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
RUN: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
RUN: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe


**** Browser Helper Objects ****

BHO: [SpywareGuardDLBLOCK.CBrowserHelper] C:\Program Files\SpywareGuard\dlprotect.dll
BHO: [] C:\PROGRA~1\SPYBOT~1\SDHelper.dll


**** IE Toolbars ****

TOOLBAR: []


**** IE Extensions ****

IEExt: [Messenger]
IEExt: [AIM] C:\Program Files\AIM\aim.exe


**** Hosts File Entries ****

HOSTS: 127.0.0.1 localhost
HOSTS: 127.0.0.1 localhost


**** IE Settings ****

Default Search: http://www.google.com
Local Page: http://www.google.com
Search Page: http://home.microsof...ss/allinone.asp


**** IE Context Menu (Right click) ****



**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{448EBD2A-3D73-4EC0-BFA2-D40882CDF538}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{448EBD2A-3D73-4EC0-BFA2-D40882CDF538}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B477CD21-9A4D-4539-9330-CE1C248E9261}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B477CD21-9A4D-4539-9330-CE1C248E9261}] DATAGRAM 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{44FBB619-E53D-49B0-B1A8-513BB5EBBE44}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{44FBB619-E53D-49B0-B1A8-513BB5EBBE44}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F1F55999-07DC-4AC6-A33A-F9F16BBA4BA5}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F1F55999-07DC-4AC6-A33A-F9F16BBA4BA5}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D8D8EB9-0E1C-4832-96E1-822801CEFE12}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D8D8EB9-0E1C-4832-96E1-822801CEFE12}] DATAGRAM 2


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso.cab]
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [http://www.apple.com...x/qtplugin.cab]
{166B1BCA-3F9C-11CF-8075-444553540000} [http://download.macr...irector/sw.cab]
{19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} [http://protect.micro...?1113268228062] C:\WINDOWS\System32\mssecadv.dll
{74D05D43-3236-11D4-BDCD-00C04F9A3B61} [http://a840.g.akamai...ll/xscan53.cab] C:\WINDOWS\System32\mfc42.dll C:\WINDOWS\loadhttp.dll C:\WINDOWS\aucfg.ini C:\WINDOWS\tmupdate.ini C:\WINDOWS\runtsckl.exe C:\WINDOWS\patchw32.dll C:\WINDOWS\Downloaded Program Files\xscan53.ocx
{8AD9C840-044E-11D1-B3E9-00805F499D93} [http://java.sun.com/...ll-131-win.cab]
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} [http://www.pandasoft...as5/asinst.cab]
{A17E30C4-A9BA-11D4-8673-60DB54C10000} [http://www.pandasoft...as5/asinst.cab]
{A93D84FD-641F-43AE-B963-E6FA84BE7FE7} [http://www.linksysfi...l/gtdownls.cab]
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} [http://messenger.msn...Downloader.cab]
{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} [http://java.sun.com/...ll-131-win.cab]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://download.macr...sh/swflash.cab]


**** Windows Services ****

[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[aswUpdSv] "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[avast! Antivirus] "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
[avast! Mail Scanner] "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
[avast! Web Scanner] "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[cisvc] C:\WINDOWS\System32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[ewido security suite control] C:\Program Files\ewido\security suite\ewidoctrl.exe
[ewido security suite guard] C:\Program Files\ewido\security suite\ewidoguard.exe
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[Fax] %systemroot%\system32\fxssvc.exe
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[ImapiService] C:\WINDOWS\System32\imapi.exe
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[msCMTSrvc] C:\WINDOWS\system32\msCMTSrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] C:\WINDOWS\System32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[NVSvc] %SystemRoot%\System32\nvsvc32.exe
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardDrv] %SystemRoot%\System32\SCardSvr.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{257F6730-5785-45C9-B620-CD36C3832448}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost.exe -k netsvcs
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[uploadmgr] %SystemRoot%\System32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://ie.search.msn...st/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn...st/srchcust.htm
SEARCH: [CustomSearch] http://rd.yahoo.com/.../search/ie.html


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page]
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://login.passpor...gin.srf?id=6528
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://home.microsof...ss/allinone.asp
IEOPT: [Check_Associations] No
IEOPT: [Use Custom Search URL]
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [NotifyDownloadComplete] yes
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Use FormSuggest] yes
IEOPT: [AddToFavoritesExpanded]
IEOPT: [Default_Search_URL] http://www.google.com/search?q=%s
IEOPT: [FormSuggest PW Ask] no
IEOPT: [Use Search Asst] yes
IEOPT: [AutoSearch]
IEOPT: [ShowedCheckBrowser] Yes
IEOPT: [Default_Search_URL] http://www.google.com
IEOPT: [Search Page] http://home.microsof...ss/allinone.asp
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] %SystemRoot%\system32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] about:blank
IEOPT: [Wizard_Version] 6.00.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Enable Browser Extensions] yes
IEOPT: [SearchAssistant]
IEOPT: [IEWatsonEnabled]
IEOPT: [Search Bar] http://rd.yahoo.com/.../search/ie.html

In the Safe mode, I deleted two of the three files you listed. The line that said " Software\......internet\ main page" was deleted and only found in "Regular Mode"]
Heres HJT Log;

Logfile of HijackThis v1.99.1
Scan saved at 10:20:19 PM, on 4/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passpor...gin.srf?id=6528
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} -
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

When logging back from "Safe Mode" to Regular mode
I recieved "Spybot box Warningasking if I wanted to change my Default page from "about" to "None.com"? Knowing I was to delete the "about line in HJT". I clicked on change default page to "None" in the Spybot warning.
Kc, I hope I clicked the right choice. My da
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP