Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

DrWatson Postmortem Debugger


  • Please log in to reply

#1
standingintheshadow

standingintheshadow

    New Member

  • Member
  • Pip
  • 8 posts
I really need help. Everytime I try to open anything on the right side of the start menu, a message comes up that says "DrWatson Postmortem Debugger has encountered a problem and needs to close. Sorry for the inconvenience." I can't take it anymore. It's driving me insane. If anyone could help me, I would really appreciate it.
  • 0

Advertisements


#2
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
What Operating System are you running?

Can you download anything?
  • 0

#3
standingintheshadow

standingintheshadow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
operating system?
yes i can download stuff
  • 0

#4
standingintheshadow

standingintheshadow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
windows xp home edition
  • 0

#5
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,Lets do this First!

Click Start>>>Click Run>>>Type in Services.msc and Click OK!

This brings up the Services Page,Scroll down the list and see if there is an entry labeled:

Machine Bebug Manager(MDM)

If So,Right Click the Entry and Select Properties,Now locate the Tab labeled Stop and Click It!
Now go on up to StartUpType and Change it to Disabled!

Click Apply,Then OK!

Now use this link to post a HijackThis log here!

PriortoPosting

Post back once all suggestions in the link are completed!

Edited by Cretemonster, 20 March 2005 - 02:52 AM.

  • 0

#6
standingintheshadow

standingintheshadow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
i couldnt find the mdm entry
  • 0

#7
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Wow,Nice Spelling by me!

MDM= Machne Debug Manager

Click Start>>>Click Run>>>Type in Msconfig and Click OK!

Select the Tab at the Top labeled Services,scroll down that list and see if Machine Debug Manager is there,if so Uncheck the Box Beside it and Click Apply,then OK!

This will Prompt a restart,for changes to Take effect,at the next Restart,the System Configuration Utility will throw out a Pop Up saying System Changes had been Made,Check the Box labeled Dont Show this Message again and then Click OK!

Use the Link I gave you,Follow all the Steps and Get the System Scanned with HijackThis and Post those reults!
  • 0

#8
standingintheshadow

standingintheshadow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
there isnt anything there that says machine debug manager
  • 0

#9
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,I cant do anything until I see a HijackThis log,Use the Link im my earlier Post and follow all the Steps and Scan the PC with Hijackthis and Post that log to this thread!
  • 0

#10
standingintheshadow

standingintheshadow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
is this what you want?

Logfile of HijackThis v1.99.1
Scan saved at 12:58:05 PM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINNT\nettp.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINNT\system32\RUNDLL32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\system32\msfn.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINNT\FeatherTexture.bmp:ueiie
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\FeatherTexture.bmp:ueiie
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\America Online 9.0c\waol.exe
C:\Program Files\America Online 9.0c\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\bljnm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\bljnm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\bljnm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\bljnm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\bljnm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\bljnm.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\bljnm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1C8346B0-EC38-3721-A931-4588B9CA1BE0} - C:\WINNT\system32\addaq32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [javanc.exe] C:\WINNT\system32\javanc.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [msfn.exe] C:\WINNT\system32\msfn.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteoxx32.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Ajpynjgq] C:\WINNT\system32\?hkntfs.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0d\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk10140US
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gis.ci.spring...es/mgaxctrl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...432/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9A76640-20EE-4E93-9BAC-8DED21AF8161}: NameServer = 205.188.146.145
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINNT\nettp.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Network Security Service (NSS) (%AF) - Unknown owner - C:\WINNT\FeatherTexture.bmp:ueiie.exe (file missing)
  • 0

#11
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,Now I can see plenty!

You are going to have to Download a few Programs,please download them to the Same folder as HijackThis!

Follow this link and select DelDomains.zip
DelsDomains

Please download DelDomains.zip.
Unzip it and right click the file DelDomains.inf and from the drop down menu, click Install.
It will perform a silent process!
Give it about a minute to Complete!

AboutBuster:
Here is the link:
http://majorgeeks.co...wnload4289.html

First unzip all files from the zip folder to a folder or your desktop.
Start it and hit ok.
Then hit update.
A new screen should popup.
On that screen hit Check for Updates.
If it said it found an update hit Download Updates.
If it doesnt it will automatically tell you and exit.
Hang on to it,we will use it later!

Download Pocket KillBox from here:
Pocket KillBox
There is a Direct Download and a description of what the Program does inside this link.
Download,UnZip,Extract All Files and Have it ready to Use!

While Online,Go to Add\remove Programs and Remove these:

WinTools
MyWebSearch
WildTangent CDA\WT GameChannel
Internet Optimizer


Now Back to the Services Page,Click Start>>>Click Run>>>Type in Services.msc and Click OK!

Scroll down the Page and see if any of these exist,exactly as I have them listed:

Workstation NetLogon Service or 11F#`I
and

Network Security Service NSSor %AF

If you come across an Exact Match,please Right Click the entry and select Properties!
Now Click the Stop Button and Go up to StartUp Type and Change it to Disabled!

Unregister these DLLs,to do this:

Click Start>>>Click Run>>>Copy&Paste the Text below into the Text Box and Click OK!

regsvr32 /u bljnm.dll
If you get an error message,try it like this:
regsvr32 /u C:\WINDOWS\system32\bljnm.dll

Do the same for these:

regsvr32 /u addaq32.dll
or
regsvr32 /u C:\WINDOWS\system32\addaq32.dll

regsvr32 /u msopt.dll
or
regsvr32 /u C:\WINNT\msopt.dll

regsvr32 /u bridge.dll
or
regsvr32 /u C:\WINNT\Downloaded Program Files\bridge.dll

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\bljnm.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\bljnm.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\bljnm.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\bljnm.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\bljnm.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\bljnm.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\bljnm.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {1C8346B0-EC38-3721-A931-4588B9CA1BE0} - C:\WINNT\system32\addaq32.dll

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [javanc.exe] C:\WINNT\system32\javanc.exe

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - HKLM\..\Run: [msfn.exe] C:\WINNT\system32\msfn.exe

O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteoxx32.exe

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - HKCU\..\Run: [Ajpynjgq] C:\WINNT\system32\?hkntfs.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk10140US

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gis.ci.spring...es/mgaxctrl.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll (file missing)

O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINNT\nettp.exe

O23 - Service: Network Security Service (NSS) (%AF) - Unknown owner - C:\WINNT\FeatherTexture.bmp:ueiie.exe (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Now launch AboutBuster and Click start and then Ok. The program should start scanning.Then hit exit and reboot.

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
Safe Mode

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!
Here is a link to help with that:
Hidden Files
Make sure to use the Directions for XP!!

Now Open Pocket KillBox,Place a Check by Standard File Kill
Copy&Paste the Text below into the Text Box labeled Full Path of File to Delete
C:\WINNT\FeatherTexture.bmp:ueiie.exe<<< Text to Copied!

Once that is Copied&Pasted into Killbox,Click the Red Circle with the White X to Delete!

Follow that Very Same Process for all the entries listed Below:

C:\WINNT\system32\msfn.exe

C:\WINNT\system32\addaq32.dll

C:\WINNT\system32\javanc.exe

C:\WINNT\system32\jeliteoxx32.exe

C:\WINNT\bljnm.dll

C:\WINNT\nettp.exe

C:\WINNT\msopt.dll

C:\counter.cab

C:\WINNT\Downloaded Program Files\bridge.dll

C:\Program Files\WildTangent

C:\Program Files\MyWebSearch

C:\Program Files\Internet Optimizer

C:\Program Files\Common Files\WinTools

C:\Program Files\AWS

Now Run About Buster Again,this time I want you to run until you see this Message at the End:

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

If you Have Ad Aware SE Installed on the PC,now would be a great time to Run it and Delete all it Finds!

The Same for SpyBot Search&Destroy!

When finished, reboot your system again and bring it back up in normal mode. Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK.
Make Sure Normal Startup is Checked!!
Select the tab labeled Startup and put a Check by every box there!! Once everything is enabled, run "Hijack This!" and post a new log to this thread!!

Here is a link explaining:
Msconfig
  • 0

#12
standingintheshadow

standingintheshadow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Logfile of HijackThis v1.99.1
Scan saved at 6:38:43 PM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\nettp.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\msfn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\America Online 9.0c\waol.exe
C:\Program Files\America Online 9.0c\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jduvp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jduvp.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jduvp.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jduvp.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {08539DA3-6789-F737-D1E9-9E41DC6763EA} - C:\WINNT\appgd32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitexie32.exe
O4 - HKLM\..\Run: [msfn.exe] C:\WINNT\system32\msfn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0d\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gis.ci.spring...es/mgaxctrl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...432/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9A76640-20EE-4E93-9BAC-8DED21AF8161}: NameServer = 205.188.146.145
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINNT\nettp.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
  • 0

#13
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,this time we stay in Normal Mode until these Buggers Submit!!!
Alot of this is repeat of last time,So i will Shorten my Instructions since you allready know how to do most of this!

Now Make sure All Windows and Browsers are Closed!!!
Please Run the DelDomains.inf again,with all Windows Closed this time!

Please go back to the Services Page,Locate,Stop,and Change StartUp Type to Disabled for this Entry:

Workstation NetLogon Service or 11F#`I

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jduvp.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jduvp.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jduvp.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jduvp.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {08539DA3-6789-F737-D1E9-9E41DC6763EA} - C:\WINNT\appgd32.dll

O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitexie32.exe

O4 - HKLM\..\Run: [msfn.exe] C:\WINNT\system32\msfn.exe

O15 - Trusted Zone: *.slotch.com (HKLM)

O15 - Trusted IP range: 206.161.124.130 (HKLM)

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINNT\nettp.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

I am going to the Killbox Instructions for Each File!

Open Pocket KillBox,Place a Check by Standard File Kill

Copy&Paste the Text Below in the Text Box labeled Full Path of File to Delete
C:\winnt\system32\elitexie32.exe
Now Click the Red Circle with the White X in the middle to delete!!

Next File:

Copy&Paste the Text Below in the Text Box labeled Full Path of File to Delete
c:\counter.cab
Now Click the Red Circle with the White X in the middle to delete!!

Next File:

Look in KillBox,Click the Down Arrow by System Process,scroll that list and locate this entry:
msfn.exe<<< Highlight it and Click on the Yield Sign with the Exclamation Point to End Process

Put a Check by Standard File Kill,Copy&Paste this into Full Path of File to Delete:
C:\WINNT\system32\msfn.exe
Click the Red Circle to delete!

Next File:

Look in KillBox,Click the Down Arrow by System Process,scroll that list and locate this entry:
nettp.exe<<< Highlight it and Click on the Yield Sign with the Exclamation Point to End Process

Put a Check by Standard File Kill,Copy&Paste this into Full Path of File to Delete:
C:\WINNT\nettp.exe
Click the Red Circle to delete!

Next File:

This time,Copy&Paste this intoFull Path of File to Delete first:
C:\WINNT\appgd32.dll
Now Put a Check by Standard File Kill and Unregister .dll before Deleting
Now Click the Red Circle to Delete!

Last File:

This time,Copy&Paste this intoFull Path of File to Delete first:
C:\WINNT\system32\jduvp.dll
Now Put a Check by Standard File Kill and Unregister .dll before Deleting
Now Click the Red Circle to Delete!

Now Open AboutBuster and Scan Just as before until you Recieve the Message:

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


When Finished,Post back with a fresh HijackThis log!
  • 0

#14
standingintheshadow

standingintheshadow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Logfile of HijackThis v1.99.1
Scan saved at 3:43:46 PM, on 3/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINNT\system32\javavs32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\America Online 9.0c\waol.exe
C:\Program Files\America Online 9.0c\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINNT\system32\d3km32.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rzdbe.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rzdbe.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rzdbe.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rzdbe.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rzdbe.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rzdbe.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rzdbe.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {489E7130-1F02-58A2-3D05-BB60FF6F84C1} - C:\WINNT\wines32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitexie32.exe
O4 - HKLM\..\Run: [javavs32.exe] C:\WINNT\system32\javavs32.exe
O4 - HKLM\..\RunOnce: [d3km32.exe] C:\WINNT\system32\d3km32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0d\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gis.ci.spring...es/mgaxctrl.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...432/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9A76640-20EE-4E93-9BAC-8DED21AF8161}: NameServer = 205.188.146.145
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINNT\nettp.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
  • 0

#15
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
I missed the 018 in the last post,My Bad!!!!

Lets try this again and dont restart until everthing is done!!!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

Just Scan and Minimize HijackThis!!!

Open Pocket KillBox,Place a Check by Standard File Kill

Copy&Paste the Text Below in the Text Box labeled Full Path of File to Delete
C:\winnt\system32\elitexie32.exe
Now Click the Red Circle with the White X in the middle to delete!!

Next File:

Copy&Paste this intoFull Path of File to Delete first:
C:\WINNT\nettp.exe
Now Put a Check by Standard File Kill
Now Click the Red Circle to Delete!

Next File:

Copy&Paste this intoFull Path of File to Delete first:
C:\WINNT\msopt.dll
Now Put a Check by Standard File Kill and Unregister .dll before Deleting
Now Click the Red Circle to Delete!

Next File:

Copy&Paste this intoFull Path of File to Delete first:
C:\WINNT\system32\rzdbe.dll
Now Put a Check by Standard File Kill and Unregister .dll before Deleting
Now Click the Red Circle to Delete!

Next File:

Copy&Paste this intoFull Path of File to Delete first:
C:\WINNT\wines32.dll
Now Put a Check by Standard File Kill and Unregister .dll before Deleting
Now Click the Red Circle to Delete!

Next File:

Look in KillBox,Click the Down Arrow by System Process,scroll that list and locate this entry:
javavs32.exe<<< Highlight it and Click on the Yield Sign with the Exclamation Point to End Process

Put a Check by Standard File Kill,Copy&Paste this into Full Path of File to Delete:
C:\WINNT\javavs32.exe
Click the Red Circle to delete!

Next File:

Look in KillBox,Click the Down Arrow by System Process,scroll that list and locate this entry:
d3km32.exe<<< Highlight it and Click on the Yield Sign with the Exclamation Point to End Process

Put a Check by Standard File Kill,Copy&Paste this into Full Path of File to Delete:
C:\WINNT\system32\d3km32.exe
Click the Red Circle to delete!

Reopen HijackThis,Put a check by these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rzdbe.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rzdbe.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\rzdbe.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rzdbe.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rzdbe.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rzdbe.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rzdbe.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {489E7130-1F02-58A2-3D05-BB60FF6F84C1} - C:\WINNT\wines32.dll

O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitexie32.exe

O4 - HKLM\..\Run: [javavs32.exe] C:\WINNT\system32\javavs32.exe

O4 - HKLM\..\RunOnce: [d3km32.exe] C:\WINNT\system32\d3km32.exe

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gis.ci.spring...es/mgaxctrl.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll (file missing)

O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINNT\nettp.exe (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Run AboutBuster again,just as Instructed Before!!!

Now I need you to use another Scanning Utility:

Download Microworlds Antivirus Toolkit Utility:
MWAV

Once at the site select Download Link 1
Download,Extract all files and Install!

Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane.

All I need to see is what is displayed in the lower window,so have eScan produce a log and go through and Copy the Infected entried to a Notepad page and post those results here with a fresh HijackThis Log!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP