Pop-up nightmare and program install



#1 Bone54 (Member, 15 posts)
Please help. I have been fighting with my computer for the last week, and every time I think I have a handle on it, it shows up again. I have tried running Spy Doctor, Spybot, Ad-Aware, XoftSpy, Anti Spy Info, The Shredder (that you recommended) and Norton AntiVirus. I really thought I had it beat today, as the computer ran all day without one pop-up, and then when I started using it, it hit again. It will just start opening ad windows faster than I can close them; I can have over 30 IE windows open before I have a chance to blink. It is also trying to install a program called "aun_0032.exe", and I also get script error windows that pop up. I am usually the one helping all my friends and family fix their computers and clean all the adware and spyware off them. But this one is kicking my butt. Here is a copy of my HijackThis log, and any help you can give would be greatly appreciated. Thanks, Dave. Please excuse me, I have some pop-ups to kill... LOL


Logfile of HijackThis v1.99.1
Scan saved at 11:01:05 PM, on 3/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system\okid.exe
C:\PROGRA~1\INCRED~1\bin\IMOLApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\WorkPad\HOTSYNC.EXE
C:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dave\Application Data\Microsoft\Internet Explorer\Quick Launch\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.1and1.com/b2home/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by 1&1 Internet Inc.
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [xgv] C:\WINDOWS\xgv.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [IMOL] C:\PROGRA~1\INCRED~1\bin\IMOLApp.exe /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\WorkPad\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SnagIt 6.lnk = C:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.1and1.com/b2home/
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1BF16A93-A3C6-413B-9B1B-D04C628F06B0} - http://www.calendar-...TV_Listings.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://wsc3.perfora....ivex/msxml4.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} -
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Unknown owner - C:\WINDOWS\system32\basfipm.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Seagate Page Server (pageserver) - Unknown owner - C:\Program Files\Seagate Software\WCS\pageserver.exe" -service -cache -deleteCache (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Seagate Web Component Server (WebCompServer) - Unknown owner - C:\Program Files\Seagate Software\WCS\WebCompServer.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#2 Wizard (Retired Staff, 5,661 posts)
Some things just don't fit!!!

At this point make sure Windows is configured to see hidden files and folders. Here's a link on how to do this if needed:
Hidden Files

Follow this Link:
Online File Scan
Select Browse and navigate to this exact location:
C:\Documents and Settings\Dave\Application Data\Microsoft\Internet Explorer\Quick Launch
Once the Quick Launch folder is open, locate and have this file scanned:
explorer.exe

Post back with those results!

#3 Bone54 (Topic Starter, Member, 15 posts)
Thank you for the quick reply. I already had Windows set to show all files and folders. Here is a copy of the scan of the file explorer.exe

Online Virus Scanner


You're clean!
Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.

However, only a fully-functional antivirus solution with regularly updated virus definitions can ensure comprehensive protection against malware. If you do not have an antivirus solution installed, you may wish to consider purchasing one today.

Download a trial version of Kaspersky Anti-Virus
Purchase Kaspersky Anti-Virus in our E-Store
Purchase Kaspersky Anti-Virus from a certified partner

Scanned file: explorer.exe

explorer.exe - OK


Statistics:
Known viruses: 121640 Updated: 20-03-2005
File size (Kb): 1008 Virus bodies: 0
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0

#4 Wizard (Retired Staff, 5,661 posts)
Hang on to that file and its location. Explorer.exe does not belong there, and we will have to take a deeper look at it!

Is this the Correct Internet Provider:
1&1 Internet Inc

Also, I need to know how you feel about Messenger Plus! 3.
I would tell you how I feel about it, but I would be kicked off the board soon after, as only four-letter words best describe my thoughts!

Incredimail,Read This:
Incredible

I phrase these like this because inevitably it's up to you as to whether the risk is worth it!

Both Messenger Plus and IncrediMail pose their own threats to your security and privacy!

Unregister this DLL. To do this:
Click Start >>> Click Run >>> Copy & paste the text below and click OK!

regsvr32 /u btxppanel.dll
If you get an error message, try it like this:
regsvr32 /u C:\WINDOWS\system32\btxppanel.dll

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [xgv] C:\WINDOWS\xgv.exe

O16 - DPF: {1BF16A93-A3C6-413B-9B1B-D04C628F06B0} - http://www.calendar-...TV_Listings.cab

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://wsc3.perfora....ivex/msxml4.cab

O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
Safe Mode

Now, go back and make sure Windows is still showing hidden files!

Locate and delete the files in bold print:

C:\WINDOWS\xgv.exe<<< File only!

C:\WINDOWS\system32\btxppanel.dll<<< File only!

C:\Documents and Settings\Dave\Application Data\Microsoft\Internet Explorer\Quick Launch\explorer.exe<<< Only in this location. I just checked 3 different PCs, all with XP, both Pro and Home; that entry doesn't exist, and that tells me it doesn't belong there, so please delete that entry from that location only!

When finished, reboot your system again and bring it back up in normal mode. Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK.
Make Sure Normal Startup is Checked!!
Select the tab labeled Startup and put a Check by every box there!! Once everything is enabled, run "Hijack This!" and post a new log to this thread!!

Here is a link explaining:
Msconfig
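The entries Wizard picks out above (an O4 Run entry launching xgv.exe straight from C:\WINDOWS, an explorer.exe running from a user's Quick Launch folder, an O16 entry with no name and no source URL) are the kind a reviewer spots by file location and naming before any scanner has a signature for them. The script below is an added example for this thread, not code from HijackThis or from any post here: it parses the Running processes and O4/O16/O18/O23 sections of a HijackThis 1.99 log and ranks lines by those heuristics. The table of where core binaries live, the allowlist of files that normally sit in C:\WINDOWS, the "random-looking name" rule and the severity policy are all assumptions chosen for illustration, and the sample log is a constructed subset of the log in post #1.

```python
"""Heuristic triage of a HijackThis 1.99 log (added example, not from the thread).
The allowlists and severity policy are assumptions for illustration only."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high" | "medium" | "low"
    line: str       # the log line that triggered the finding
    reason: str


# Assumed policy: where XP's core binaries normally live (lower-case for comparison).
CORE_HOME = {
    "explorer.exe": r"c:\windows",
    "smss.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32", "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
}
# Assumed allowlist of executables that legitimately sit directly in C:\WINDOWS.
ROOT_RESIDENTS = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe"}
# Anything else launching from these folders (instead of system32) deserves a look.
ODD_WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system"}
RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample: a subset of the lines from the log in post #1.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system\okid.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Dave\Application Data\Microsoft\Internet Explorer\Quick Launch\explorer.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [xgv] C:\WINDOWS\xgv.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://wsc3.perfora....ivex/msxml4.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} -
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Unknown owner - C:\WINDOWS\system32\basfipm.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""


def random_looking(stem: str) -> bool:
    """Short stem with no vowels, or letters mixed with digits (e.g. 'xgv', 'qh4mkbv9')."""
    s = stem.lower()
    if len(s) > 8:
        return False
    return not re.search(r"[aeiou]", s) or bool(re.search(r"[a-z]", s) and re.search(r"\d", s))


def check_path(path: str, line: str):
    """Apply the location heuristics to one executable path; None means nothing odd."""
    d, name = ntpath.split(path)
    d, name = d.lower(), name.lower()
    if name in CORE_HOME and d != CORE_HOME[name]:
        return Finding("high", line, f"{name} runs from {d}, not {CORE_HOME[name]}: possible masquerade")
    if d in ODD_WINDOWS_DIRS and name not in ROOT_RESIDENTS:
        sev = "high" if random_looking(name.rsplit(".", 1)[0]) else "medium"
        return Finding(sev, line, f"{name} executes from {d} rather than system32")
    return None


def triage(log_text: str):
    """Return Findings for a HijackThis log, highest severity first."""
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:                      # one full path per line until a blank line
            if not line:
                in_procs = False
                continue
            f = check_path(line, line)
            if f:
                findings.append(f)
        elif line.startswith("O4 - "):    # Run key: [name] "path" args
            m = re.search(r'\]\s+"?([A-Za-z]:\\[^"]*?\.exe)', line, re.I)
            f = check_path(m.group(1), line) if m else None
            if f:
                findings.append(f)
        elif re.match(r"O16 - DPF: \{[0-9A-Fa-f-]+\} -\s*$", line):
            findings.append(Finding("medium", line, "ActiveX download entry with no name and no source URL"))
        elif line.startswith("O18 - Protocol:"):
            findings.append(Finding("low", line, "custom URL protocol handler; confirm the DLL's publisher before removing"))
        elif line.startswith("O23 - ") and line.endswith("(file missing)"):
            findings.append(Finding("low", line, "service points at a file that no longer exists (usually a leftover)"))
    return sorted(findings, key=lambda f: RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

A hit is a lead, not a verdict. A clean single-file antivirus scan does not clear a binary sitting in an odd location, and in the other direction a custom O18 handler or a "(file missing)" service is frequently a vendor component or an uninstall leftover, so confirm the file's publisher or hash before deleting it rather than acting on the name alone.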

#5 Bone54 (Topic Starter, Member, 15 posts)
OK, finished. Now to answer your questions:

1and1 Internet Inc is not my ISP. I am using Comcast Broadband; 1and1 is the host for my Red Knights motorcycle club's web site.

Now as far as Messenger Plus 3: I know better. I have read it is not good for your system and have been considering taking it off anyway, so I agree it is bad (and I said it, not you... LOL).

As for IncrediMail, you learn something new every day. I am not married to it, so I can lose it without shedding a tear.

I followed all the rest of your instructions with no problems, except that when I went to delete c:\windows\xgv.exe it was not there, so I couldn't delete it.

Now as for the explorer in the Quick Launch, I want to say I am sorry (brain fart); it didn't dawn on me until I went to delete it, and then it hit me. I put that there because I use Explorer a lot and it was an easy way for me to launch it, but I did get rid of it.

Here is the latest HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 1:32:47 AM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system\okid.exe
C:\PROGRA~1\INCRED~1\bin\IMOLApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\WorkPad\HOTSYNC.EXE
C:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.1and1.com/b2home/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by 1&1 Internet Inc.
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [IMOL] C:\PROGRA~1\INCRED~1\bin\IMOLApp.exe /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\WorkPad\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SnagIt 6.lnk = C:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.1and1.com/b2home/
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} -
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Unknown owner - C:\WINDOWS\system32\basfipm.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Seagate Page Server (pageserver) - Unknown owner - C:\Program Files\Seagate Software\WCS\pageserver.exe" -service -cache -deleteCache (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Seagate Web Component Server (WebCompServer) - Unknown owner - C:\Program Files\Seagate Software\WCS\WebCompServer.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#6 Wizard (Retired Staff, 5,661 posts)
Great info, thanks for being so specific!!

The last log is clean. Because Messenger is installed and it looks like you got in without the ill side effects that most suffer, I am going to get you to scan the system 2 ways, to be sure it's clean!

1. Download Microworlds Antivirus Toolkit Utility:
http://www.mwti.net/...e_utilities.asp

Once at the site, select Download Link 1.
Download, extract all files and install!

Double-click it to run it, select all local drives, scan all files, press 'Scan', and when it is completed, anything found will be displayed in the lower pane.

All I need to see is what is displayed in the lower window, so have eScan produce a log, go through and copy the infected entries to a Notepad page, and post those results here!

2. Panda ActiveScan:
Panda
Also save any results from this scan!

Once all is completed, post back with those 2 scan results!

#7 Bone54 (Topic Starter, Member, 15 posts)
OK, I finally finished all the scans. I am trying to get you all the information I can so you have the info you need to work with. Like I said before, I have done a lot of computer work and I know how helpful it is to have as much info as possible. I will uninstall Messenger Plus 3 and IncrediMail; I would rather have a clean machine than take any chances at all. Here is a screen shot of the pop-up invitations I had during my scans, and also the logs of the two scans.

Thanks for all your help,

I used the attached for the screen shot,

Microworlds Antivirus Toolkit Utility

Sun Mar 20 12:08:06 2005 => ***** Scanning complete. *****

Sun Mar 20 12:08:06 2005 => Total Files Scanned: 55034
Sun Mar 20 12:08:06 2005 => Total Virus(es) Found: 117
Sun Mar 20 12:08:06 2005 => Total Disinfected Files: 0
Sun Mar 20 12:08:06 2005 => Total Files Renamed: 0
Sun Mar 20 12:08:06 2005 => Total Deleted Files: 0
Sun Mar 20 12:08:06 2005 => Total Errors: 77
Sun Mar 20 12:08:06 2005 => Time Elapsed: 01:46:24
Sun Mar 20 12:08:06 2005 => Virus Database Date: 2005/03/17
Sun Mar 20 12:08:06 2005 => Virus Database Count: 122324

Sun Mar 20 12:08:06 2005 => Scan Completed.



File C:\WINDOWS\system\okid.exe infected by "Trojan-Downloader.Win32.Small.aly" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system\okid.exe infected by "Trojan-Downloader.Win32.Small.aly" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\2b3fsk0h.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\orgci.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\qh4mkbv9.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader1.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Downloads\mIRC\mirc616.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
File C:\My Downloads\SmileyCentralPFSetup2.0.3.10.exe infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\03B739CA.exe infected by "Trojan.Win32.Hatu" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1B316936 infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\26C12534 infected by "not-a-virus:AdWare.VirtualBouncer.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\291E677B.exe infected by "Trojan-Downloader.Win32.Small.akz" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\29595B3A.exe infected by "Trojan-Downloader.Win32.Small.akz" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\298D7B01.exe infected by "Trojan-Downloader.Win32.Small.akz" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2A127DC9 infected by "Email-Worm.Win32.Bagle.at" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2A6C620B infected by "Trojan.Win32.SecondThought.ba" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2A816164.doc infected by "Trojan.Win32.Hatu" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E4A6018 infected by "Trojan-Downloader.Win32.Agent.hw" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E513411 infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F1241CF.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F156BCB.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F156BCB.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F987B3C.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F9E4F35.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\30070EC2.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\300D62BA.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\308C482E.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3090722B.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\30C411F1.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\30C411F1.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3119418F infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\312C517E.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\31307B7B.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\318B1316.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\318B1316.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\31F452A3.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\31F452A3.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\32563E37.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\32596834.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\32BE7DC4.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\32BE7DC4.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\332A674E.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\332A674E.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\338F7CDE.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\338F7CDE.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\33FE1064.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\33FE1064.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\346D23EA.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\346D23EA.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\34C2678C.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\34C2678C.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3534250F.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3534250F.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\35A00E98.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\35A00E98.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\36027A2C.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\36027A2C.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\36670FBD.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\36670FBD.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\36D37946.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\36D62343.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\37380ED7.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\373C38D3.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\378B6ADB infected by "not-a-virus:AdWare.ClearSearch.j" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\378F14D7 infected by "Trojan-Downloader.Win32.Apropo.g" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\37923ED4 infected by "Trojan.Win32.SecondThought.ba" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\379568D0 infected by "Trojan.Win32.SecondThought.bf" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\379912CD infected by "Trojan.Win32.SecondThought.bg" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\379E2467.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\379E2467.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\379F66C5 infected by "not-a-virus:AdWare.BookedSpace.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\37A210C2 infected by "not-a-virus:AdWare.Apropos.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\37A63ABE infected by "Trojan.Win32.SecondThought.ao" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\37A964BB infected by "Trojan.Win32.SecondThought.bd" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\37AC0EB7 infected by "Trojan-Downloader.Win32.Apropo.d" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\37B362B0 infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\37B60CAC infected by "Trojan.Win32.SecondThought.be" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\37B936A9 infected by "Trojan.Win32.SecondThought.bd" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\380339F8.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\380339F8.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\386B7985.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\386B7985.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\38F45CEE.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\38F45CEE.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\394D4A8D.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\394D4A8D.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3D567B6F infected by "not-a-virus:AdWare.VirtualBouncer.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3F4261FF.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3F4261FF.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3F8D27AC.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3F9051A9.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\40020F2B.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\40063927.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\406150C3.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\406150C3.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\40C0125A.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\40C0125A.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\412851E7.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\412851E7.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\49D84F38 infected by "Trojan.Win32.SecondThought.av" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4D97615D.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4D9A0B5A.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\55680B36 infected by "Trojan.Win32.SecondThought.bd" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\615F3D3C infected by "Trojan.Win32.SecondThought.bf" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\69265E4C.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6CEF793B infected by "Trojan.Win32.SecondThought.bg" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\70541E8C.exe infected by "Trojan-Downloader.Win32.Small.akz" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\75EF38E1 infected by "Email-Worm.Win32.Bagle.au" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\768F4C33 infected by "Trojan-Downloader.JS.IstBar.j" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\7880353A infected by "not-a-virus:AdWare.Apropos.e" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\7A954BD7.doc infected by "Trojan.Win32.Hatu" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\7B0100B9 infected by "not-a-virus:AdWare.Apropos.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\7B6320F4.exe infected by "Trojan.Win32.Hatu" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\2b3fsk0h.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\orgci.dll infected by "not-a-virus:AdWare.Adstart.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\qh4mkbv9.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.



Panda Active Scan


Incident Status Location

Adware:Adware/nCase No disinfected C:\WINDOWS\system32\FLEOK
Adware:Adware/SAHAgent No disinfected Windows Registry
Virus:Trj/Citifraud.A Disinfected Personal Folders\Inbox\eBay\Please update your e-Bay account information
Virus:Trj/Citifraud.A Disinfected Personal Folders\Inbox\Paypal\PayPaI officiaI notice\MSG_RTF.TXT
Adware:Adware/MyWebSearch No disinfected C:\My Downloads\SmileyCentralPFSetup2.0.3.10.exe
Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\system\okid.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\2b3fsk0h.dll
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\orgci.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\qh4mkbv9.dll
  • 0

#8
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
I would imagine you already know what this response will look like!!

Unregister these DLLs. To do this:

Click Start>>>Click Run>>>Copy & Paste the text below into the text box and click OK!

regsvr32 /u 2b3fsk0h.dll
If you get an error message, try it like this:
regsvr32 /u C:\WINDOWS\system32\2b3fsk0h.dll

Do the same for these:

regsvr32 /u orgci.dll
or
regsvr32 /u C:\WINDOWS\system32\orgci.dll


regsvr32 /u qh4mkbv9.dll
or
regsvr32 /u C:\WINDOWS\system32\qh4mkbv9.dll

Go ahead and Locate and Delete these Files in Bold Print:

C:\WINDOWS\system32\2b3fsk0h.dll<<< File Only!

C:\WINDOWS\system32\orgci.dll<<< File Only!

C:\WINDOWS\system32\qh4mkbv9.dll<<< File Only!

C:\WINDOWS\system32\FLEOK<<< File Only!

C:\My Downloads\SmileyCentralPFSetup2.0.3.10.exe<<< File Only!

Optional Fixes:

C:\Downloads\mIRC\mirc616.exe<<< File Only!

C:\Program Files\mIRC\mirc.exe<<< File and Folder!!

Post back with a fresh HijackThis log and let's have a look!
  • 0

#9
Bone54

Bone54

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Ok, yes I was waiting and expecting these. The DLLs wouldn't unregister so I rebooted into safe mode and deleted them from there. Here is also a new run from HijackThis. I haven't seen any pop-ups since we started this last round of cleaning. I am not holding my breath but my fingers are crossed. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 6:05:09 PM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\INCRED~1\bin\IMOLApp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\WorkPad\HOTSYNC.EXE
C:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.1and1.com/b2home/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by 1&1 Internet Inc.
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [IMOL] C:\PROGRA~1\INCRED~1\bin\IMOLApp.exe /c
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\WorkPad\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SnagIt 6.lnk = C:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.1and1.com/b2home/
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://wsc3.perfora....ivex/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} -
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Seagate Page Server (pageserver) - Unknown owner - C:\Program Files\Seagate Software\WCS\pageserver.exe" -service -cache -deleteCache (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Seagate Web Component Server (WebCompServer) - Unknown owner - C:\Program Files\Seagate Software\WCS\WebCompServer.exe" -service (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
  • 0

#10
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Bout the Only Thing that stands out to me are these:

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://wsc3.perfora....ivex/msxml4.cab

You can fix those with HijackThis, give it a day, and post back letting me know how we did!!!
  • 0
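The review above works by reading a HijackThis log section by section and picking out the few entries that deserve a closer look. As an added illustration (not code from this thread, from HijackThis, or from either poster), here is a small triage script that parses that log format and applies a handful of review heuristics: O16 entries (ActiveX controls downloaded from the web, including one with no source URL left behind), O23 services whose binary is reported missing, Global Startup shortcuts whose target could not be resolved, and Run-key values that start a bare file name. The heuristics are the editor's assumptions, not HijackThis rules, and the sample input is a constructed subset of lines copied from the log posted above, with the URLs truncated exactly as the forum displayed them.

```python
"""Triage helper for HijackThis v1.99-style log lines.

Added illustration for this thread; it is not part of HijackThis or of the
posts above. The flags below are the editor's own heuristics (assumptions),
not rules from HijackThis: they narrow the list a reviewer reads, they do
not decide what is malicious.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the HijackThis log
# posted above (URLs are truncated exactly as the forum displayed them).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKCU\..\Run: [IMOL] C:\PROGRA~1\INCRED~1\bin\IMOLApp.exe /c
O4 - Global Startup: BTTray.lnk = ?
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://wsc3.perfora....ivex/msxml4.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} -
O23 - Service: Seagate Page Server (pageserver) - Unknown owner - C:\Program Files\Seagate Software\WCS\pageserver.exe" -service -cache -deleteCache (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# "O4 - <body>", "R1 - <body>", ...; process lists and headers do not match.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# An explicit location: optional quote, drive letter, colon, backslash.
DRIVE_RE = re.compile(r'^"?[A-Za-z]:\\')


@dataclass
class Entry:
    code: str   # HijackThis section, e.g. O4, O16, O23
    body: str   # everything after "O4 - "


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_hjt(text):
    """Return the Rn/On entries in a log; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def summarize(entries):
    """Count entries per section code, e.g. {'O4': 3, 'O16': 2}."""
    counts = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


def triage(entries):
    """Apply the review heuristics and return the entries worth a closer look."""
    findings = []
    for e in entries:
        if e.code == "O16":
            # Downloaded Program Files: ActiveX controls installed from the web.
            url = e.body.rsplit(" - ", 1)[1].strip() if " - " in e.body else ""
            if url:
                findings.append(Finding(e, "ActiveX control installed from the web; "
                                           "confirm the source URL and publisher are expected"))
            else:
                findings.append(Finding(e, "ActiveX entry with no source URL left behind"))
        elif e.code == "O23" and "(file missing)" in e.body:
            findings.append(Finding(e, "service is registered but its binary is missing"))
        elif e.code == "O4":
            if e.body.endswith("= ?"):
                findings.append(Finding(e, "startup shortcut whose target could not be resolved"))
            elif "] " in e.body:
                # Run-key value "[name] command line": a bare file name is
                # located by PATH search rather than by an explicit location.
                rest = e.body.split("] ", 1)[1].split()
                if rest and not DRIVE_RE.match(rest[0]):
                    findings.append(Finding(e, "Run entry starts a bare file name resolved by "
                                               "PATH search; confirm which file actually runs"))
    return findings


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print("entries per section:", summarize(entries))
    for f in triage(entries):
        print(f"{f.entry.code}: {f.reason}\n    {f.entry.body}")
```

Run against the sample, the script leaves the Spybot BHO, the IMOL Run entry and the Norton SAVScan service alone and surfaces five entries, including both O16 lines; the msxml4.cab control is exactly the O16 item Wizard singled out above, and the script flags it for the same reason (it was fetched from the web) rather than by knowing anything about that particular CLSID. Anything it flags still needs a human decision, which is what the thread's reviewer supplies.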

#11
Bone54

Bone54

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Sounds great, I uninstalled Incredimail, cleaned up the registry and did the clean-up that you told me to. I have to give the computer some heavy use for a meeting tomorrow night so I will really give it a workout. I also saw a link for people who are interested in helping out here and I can't find it again. Can you give me that link? Thanks for all your hard work.
  • 0

#12
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
I believe this is the link you are looking for, but if not, PM me and I will find the right one!!!!

Help!!!!
  • 0

#13
Bone54

Bone54

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Yes that is the link, I really appreciate it. Now as for my problem, I have not had one popup since the changes we did last. You did a great job helping me, I appreciate all you did.

Thanks Dave
  • 0
