Any chance someone could look at this for me?



#1 Francouk (New Member, 7 posts)
Hi People :tazz:

I'm new to this forum but have noticed that it is one of the most helpful sites on the net and was wondering if there was any chance somebody could have a look at the logfile below from HijackThis.

I've been having a lot of trouble with the se.dll file, which keeps reappearing on my PC and causing major spyware issues; I would be very grateful for any assistance!

Logfile of HijackThis v1.99.1
Scan saved at 20:26:20 PM, on 11/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {AD2696D2-1046-464A-B885-52606D78DACB} - C:\WINDOWS\SYSTEM\LHGO.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O18 - Filter: text/html - {8AD31C12-AA4E-4585-AC75-FD38C372ABC8} - C:\WINDOWS\SYSTEM\LHGO.DLL
O18 - Filter: text/plain - {8AD31C12-AA4E-4585-AC75-FD38C372ABC8} - C:\WINDOWS\SYSTEM\LHGO.DLL
  • 0



#2 Wizard (Retired Staff, 5,661 posts)
This one is a bit of a bugger to remove!

Let's start by showing all the Computer has to reveal!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK.

Make Sure Normal Startup is Checked!!

Select the tab labeled Startup and put a Check by every box there!! Once everything is enabled, run "Hijack This!" and post a new log to this thread!!

Here is a link explaining:
http://netsquirrel.com/msconfig/

Please download StartDreck from here.

Unzip the startdreck.zip file first.
Double-click 'StartDreck.exe'.
First click on the Config button.
Now click the 'Unmark all' button.
Put a check by these boxes only:
*Registry->Run keys
*Registry->Browser helper objects
*System/drivers->Running processes
Hit OK.

Now click the Save button to save the log. Go to the StartDreck folder and find the Startdreck.log file.

Copy and Paste the contents of that log back here!
  • 0

#3 marcman320 (New Member, 9 posts)
Please refrain from offering advice in Malware Removal until you have been trained in GeekU.

Don
  • 0

#4 Wizard (Retired Staff, 5,661 posts)
I am sorry, are you more qualified to handle this post?

If so, please HAVE AT IT!!!!!!
  • 0

#5 Francouk (Topic Starter, New Member, 7 posts)
Cretemonster ;)

Please find attached my new HijackThis and Startdreck logs. Thank you in advance for your assistance! :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 12:57:59 PM, on 12/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {AD2696D2-1046-464A-B885-52606D78DACB} - C:\WINDOWS\SYSTEM\LHGO.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\RunServices: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O18 - Filter: text/html - {8AD31C12-AA4E-4585-AC75-FD38C372ABC8} - C:\WINDOWS\SYSTEM\LHGO.DLL
O18 - Filter: text/plain - {8AD31C12-AA4E-4585-AC75-FD38C372ABC8} - C:\WINDOWS\SYSTEM\LHGO.DLL

********************************************************************


StartDreck (build 2.1.7 public stable) - 2005-04-12 @ 12:53:34 (GMT +01:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as default at TINY-BMWCZOTZ

»Registry
»Run Keys
»Current User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*MoneyAgent="C:\Program Files\Microsoft Money\System\Money Express.exe"
*NVIEW=rundll32.exe nview.dll,nViewLoadHook
»RunOnce
»Default User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*MoneyAgent="C:\Program Files\Microsoft Money\System\Money Express.exe"
*NVIEW=rundll32.exe nview.dll,nViewLoadHook
»RunOnce
»Local Machine
»Run
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*CountrySelection=pctptt.exe
*PCTVOICE=pctvoice.exe
*LoadQM=loadqm.exe
*LexStart=lexstart.exe
*SpeedTouch USB Diagnostics="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*WildTangent CDA=RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*SchedulingAgent=mstask.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
»RunServicesOnce
**msf=rundll32 C:\WINDOWS\HLPMD.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{AD2696D2-1046-464A-B885-52606D78DACB}
`InprocServer32=C:\WINDOWS\SYSTEM\LHGO.DLL
»Files
»System/Drivers
»Running Processes
+FFCF4531=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF8399=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE2365=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE29A9=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE1839=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE6E51=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFE9FD1=C:\WINDOWS\RUNDLL32.EXE
+FFFEFAA5=C:\WINDOWS\EXPLORER.EXE
+FFFDD1B1=C:\WINDOWS\TASKMON.EXE
+FFFDD069=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC150D=C:\WINDOWS\PCTVOICE.EXE
+FFFD610D=C:\WINDOWS\LOADQM.EXE
+FFFC4FF9=C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
+FFFCA715=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFC1721=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFCD101=C:\WINDOWS\RUNDLL32.EXE
+FFFC8AC9=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
+FFFB0069=C:\WINDOWS\SYSTEM\LEXBCES.EXE
+FFFB6FC5=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFA7291=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFA499D=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFAE5CD=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
+FFFCAE89=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
+FFFB891D=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFF9000D=C:\WINDOWS\RUNDLL32.EXE
+FFFC5915=C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
+FFF9D169=C:\WINDOWS\SYSTEM\LEXPPS.EXE
+FFFBCC31=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF88581=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFFBD715=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF6D9FD=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF69269=C:\MY DOWNLOAD FILES\STARTDRECK217\STARTDRECK.EXE
»Application specific
  • 0

#6 Francouk (Topic Starter, New Member, 7 posts)
Cretemonster :tazz:

I've attached my latest log files for your interest, as my browser has again been hijacked ;)

Hope you can help!

Logfile of HijackThis v1.99.1
Scan saved at 17:21:48 PM, on 12/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {3E1B6CC8-E66B-417F-AAD2-4A69DD80E2C3} - C:\WINDOWS\SYSTEM\MNAIDAA.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O18 - Filter: text/html - {FDC35352-19D2-4051-A243-68D81250EC4A} - C:\WINDOWS\SYSTEM\MNAIDAA.DLL
O18 - Filter: text/plain - {FDC35352-19D2-4051-A243-68D81250EC4A} - C:\WINDOWS\SYSTEM\MNAIDAA.DLL

********************************************************************

StartDreck (build 2.1.7 public stable) - 2005-04-12 @ 17:27:30 (GMT +01:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as default at TINY-BMWCZOTZ

»Registry
»Run Keys
»Current User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*MoneyAgent="C:\Program Files\Microsoft Money\System\Money Express.exe"
*NVIEW=rundll32.exe nview.dll,nViewLoadHook
»RunOnce
»Default User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*MoneyAgent="C:\Program Files\Microsoft Money\System\Money Express.exe"
*NVIEW=rundll32.exe nview.dll,nViewLoadHook
»RunOnce
»Local Machine
»Run
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*CountrySelection=pctptt.exe
*PCTVOICE=pctvoice.exe
*LoadQM=loadqm.exe
*LexStart=lexstart.exe
*SpeedTouch USB Diagnostics="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*WildTangent CDA=RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*SchedulingAgent=mstask.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
»RunServicesOnce
**lx=rundll32 C:\WINDOWS\HLPMD.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{3E1B6CC8-E66B-417F-AAD2-4A69DD80E2C3}
`InprocServer32=C:\WINDOWS\SYSTEM\MNAIDAA.DLL
»Files
»System/Drivers
»Running Processes
+FFCF4505=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF83AD=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE2831=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE64F1=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE7D71=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFE5751=C:\WINDOWS\RUNDLL32.EXE
+FFFECE59=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFD4251=C:\WINDOWS\EXPLORER.EXE
+FFFD62B1=C:\WINDOWS\TASKMON.EXE
+FFFC0CF9=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC263D=C:\WINDOWS\PCTVOICE.EXE
+FFFC3C3D=C:\WINDOWS\LOADQM.EXE
+FFFCA46D=C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
+FFFC9BE9=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFC9665=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFCEF3D=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFB27B1=C:\WINDOWS\RUNDLL32.EXE
+FFFCF681=C:\WINDOWS\RUNDLL32.EXE
+FFFCCC39=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
+FFFB57C9=C:\WINDOWS\SYSTEM\LEXBCES.EXE
+FFFA072D=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
+FFFA777D=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFABF29=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
+FFFA9B95=C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
+FFF95D3D=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF975A1=C:\WINDOWS\RUNDLL32.EXE
+FFF9CE51=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFF770C5=C:\WINDOWS\SYSTEM\LEXPPS.EXE
+FFF675B5=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF648F9=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF6D6A9=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF7D2A1=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFFB7BB9=C:\MY DOWNLOAD FILES\STARTDRECK217\STARTDRECK.EXE
»Application specific
  • 0

#7 Francouk (Topic Starter, New Member, 7 posts)
:tazz:

Please find attached my Log Files from HijackThis and Startdreck!

Hope somebody out there can help!

Logfile of HijackThis v1.99.1
Scan saved at 17:21:48 PM, on 12/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {3E1B6CC8-E66B-417F-AAD2-4A69DD80E2C3} - C:\WINDOWS\SYSTEM\MNAIDAA.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O18 - Filter: text/html - {FDC35352-19D2-4051-A243-68D81250EC4A} - C:\WINDOWS\SYSTEM\MNAIDAA.DLL
O18 - Filter: text/plain - {FDC35352-19D2-4051-A243-68D81250EC4A} - C:\WINDOWS\SYSTEM\MNAIDAA.DLL

********************************************************************

StartDreck (build 2.1.7 public stable) - 2005-04-12 @ 17:27:30 (GMT +01:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as default at TINY-BMWCZOTZ

»Registry
»Run Keys
»Current User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*MoneyAgent="C:\Program Files\Microsoft Money\System\Money Express.exe"
*NVIEW=rundll32.exe nview.dll,nViewLoadHook
»RunOnce
»Default User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*MoneyAgent="C:\Program Files\Microsoft Money\System\Money Express.exe"
*NVIEW=rundll32.exe nview.dll,nViewLoadHook
»RunOnce
»Local Machine
»Run
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*CountrySelection=pctptt.exe
*PCTVOICE=pctvoice.exe
*LoadQM=loadqm.exe
*LexStart=lexstart.exe
*SpeedTouch USB Diagnostics="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*WildTangent CDA=RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*SchedulingAgent=mstask.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
»RunServicesOnce
**lx=rundll32 C:\WINDOWS\HLPMD.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{3E1B6CC8-E66B-417F-AAD2-4A69DD80E2C3}
`InprocServer32=C:\WINDOWS\SYSTEM\MNAIDAA.DLL
»Files
»System/Drivers
»Running Processes
+FFCF4505=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF83AD=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE2831=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE64F1=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE7D71=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFE5751=C:\WINDOWS\RUNDLL32.EXE
+FFFECE59=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFD4251=C:\WINDOWS\EXPLORER.EXE
+FFFD62B1=C:\WINDOWS\TASKMON.EXE
+FFFC0CF9=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC263D=C:\WINDOWS\PCTVOICE.EXE
+FFFC3C3D=C:\WINDOWS\LOADQM.EXE
+FFFCA46D=C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
+FFFC9BE9=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFC9665=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFCEF3D=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFB27B1=C:\WINDOWS\RUNDLL32.EXE
+FFFCF681=C:\WINDOWS\RUNDLL32.EXE
+FFFCCC39=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
+FFFB57C9=C:\WINDOWS\SYSTEM\LEXBCES.EXE
+FFFA072D=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
+FFFA777D=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFABF29=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
+FFFA9B95=C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
+FFF95D3D=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF975A1=C:\WINDOWS\RUNDLL32.EXE
+FFF9CE51=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFF770C5=C:\WINDOWS\SYSTEM\LEXPPS.EXE
+FFF675B5=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF648F9=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF6D6A9=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF7D2A1=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFFB7BB9=C:\MY DOWNLOAD FILES\STARTDRECK217\STARTDRECK.EXE
»Application specific
  • 0

#8 Wizard (Retired Staff, 5,661 posts)
OK, That's what I needed to see!!!

While Online, Go to Add\Remove Programs and Remove:

Wild Tangent

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php

There is a Direct Download and a description of what the Program does inside this link.
Download, UnZip, Extract All Files!

Open HijackThis and Scan the System, then minimize it!

Open Pocket KillBox, Copy&Paste the Bold Text Below into the Text Box labeled "Full Path of File to Delete"

C:\WINDOWS\HLPMD.GIF

C:\WINDOWS\SYSTEM\MNAIDAA.DLL

C:\WINDOWS\TEMP\se.dll


Now for this Entry:
C:\WINDOWS\HLPMD.GIF
Select :
"Standard File Kill"
"End Explorer Shell while Killing File"


Once C:\WINDOWS\HLPMD.GIF is copied and pasted into KillBox and the required selections have been checked, Click the Red Circle with the White X in the Middle to Delete!
You Should get a Message saying File was Deleted Successfully!

Now for the 2 DLLs:
Copy&Paste:
C:\WINDOWS\SYSTEM\MNAIDAA.DLL
Select these:
"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before deleting"

Click the Red Circle to Delete!!

Do the Exact Same for:

C:\WINDOWS\TEMP\se.dll

Now Look in KillBox and Select Tools>>>Select Delete Temp Files and Follow the Prompts!

Please let me know if any files would not delete!!!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {3E1B6CC8-E66B-417F-AAD2-4A69DD80E2C3} - C:\WINDOWS\SYSTEM\MNAIDAA.DLL

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O18 - Filter: text/html - {FDC35352-19D2-4051-A243-68D81250EC4A} - C:\WINDOWS\SYSTEM\MNAIDAA.DLL

O18 - Filter: text/plain - {FDC35352-19D2-4051-A243-68D81250EC4A} - C:\WINDOWS\SYSTEM\MNAIDAA.DLL

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

No, please don't restart the PC, I need you to download 2 more Programs!

Please Locate and Delete:

C:\PROGRAM FILES\WildTangent<<< The Entire WildTangent Folder!!

CCleaner:
http://ccleaner.com/ccdownload.asp

Download, Install and Open, Select Run Cleaner and Let it do its thing!

CleanUp!:
http://downloads.ste.../CleanUp312.exe

Download, Install and Open, Select CleanUp!.
This will Prompt you to Log Off, Just restart the PC and Head for this Online Scan:

http://support.f-sec.../home/ols.shtml

Save any results from that Scan and Place them in the Next Post along with a Fresh HijackThis Log!

Edited by Cretemonster, 12 April 2005 - 02:23 PM.

  • 0
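As an added illustration (not part of the thread, and not how HijackThis itself classifies entries), here is a small Python triage over HijackThis-format lines that flags the same patterns Cretemonster picked out above: search pages served via `res://` from a DLL in TEMP, search settings reset to `about:blank`, an unnamed BHO, autostart `rundll32` entries loading a module from TEMP or with a non-.DLL extension, and O18 MIME filters on text/html or text/plain. The rules are my own heuristics. The sample lines are taken from the logs in this thread, except the RunServicesOnce line, which I constructed in HijackThis format from the StartDreck entry posted later in the thread.

```python
import re

# Sample lines: taken from the HijackThis logs in this thread (malicious entries
# plus a few benign ones: Google start page, NAV Helper, nview), plus one
# constructed RunServicesOnce line modelled on the StartDreck entry below.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {3E1B6CC8-E66B-417F-AAD2-4A69DD80E2C3} - C:\WINDOWS\SYSTEM\MNAIDAA.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM\..\RunServicesOnce: [xxv] rundll32 C:\WINDOWS\HLPMD.GIF,DllGetClassObject
O18 - Filter: text/html - {FDC35352-19D2-4051-A243-68D81250EC4A} - C:\WINDOWS\SYSTEM\MNAIDAA.DLL
"""

# "R1 - <key> = <value>", "O4 - <hive>\..\<subkey>: [<name>] <command>", etc.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# rundll32 <module>,<export>  (module may be a bare name or a full path)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<module>[^,]+),", re.IGNORECASE)
# IE search-related value names that have no business being about:blank
SEARCH_KEYS = ("Search Bar", "Search Page", "SearchAssistant", "CustomizeSearch", "HomeOldSP")


def module_is_suspicious(module: str):
    """Heuristic (my assumption): a DLL loaded by an autostart rundll32 entry should
    live outside TEMP and carry a .DLL extension; anything else deserves a look."""
    p = module.strip().strip('"').upper()
    if "\\TEMP\\" in p:
        return "loads a module from a TEMP directory"
    if not p.endswith(".DLL"):
        return "loads a module whose extension is not .DLL"
    return None


def triage_line(line: str):
    """Return a reason string if the HijackThis line matches a hijack pattern, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        value = value.strip()
        if value.lower().startswith("res://") and "\\TEMP\\" in value.upper():
            return "IE search/start page served from a DLL in TEMP"
        if value == "about:blank" and any(key.endswith("," + k) for k in SEARCH_KEYS):
            return "IE search setting reset to about:blank"
    elif kind == "O2" and body.startswith("BHO: (no name)"):
        return "unnamed Browser Helper Object"
    elif kind == "O4":
        rd = RUNDLL_RE.search(body)
        if rd:
            reason = module_is_suspicious(rd.group("module"))
            if reason:
                return "autostart rundll32 entry " + reason
    elif kind == "O18" and re.match(r"Filter: text/(html|plain)", body):
        return "MIME filter intercepting text/html or text/plain"
    return None


def triage_log(text: str):
    """Run triage_line over a whole log; returns [(line, reason), ...]."""
    findings = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run against the sample, the six hijack lines are reported and the Google, NAV Helper and nview entries pass; the MIME-filter rule is the one worth keeping even when a file name looks innocuous, because a text/html filter rewrites every page the browser renders.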

#9
Francouk

Francouk

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Cretemonster :tazz:

Thank you for the response.

When I used KillBox it said that both the files below could not be found:

C:\WINDOWS\HLPMD.GIF

C:\WINDOWS\SYSTEM\MNAIDAA.DLL

and that se.dll could not be deleted because it was in use!

Any Suggestions as Se.dll is still on the system?

Logfile of HijackThis v1.99.1
Scan saved at 22:22:46 PM, on 12/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
  • 0

#10
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
I had a feeling that might Happen, let's try a Fix that has been designed for this Infection!

Make a new folder on your desktop and name it "SpSeHjfix"
Please download SpSeHjfix from here and place it in the new folder and unzip the program.

Close any open programs.
Run SpSeHjfix and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the new folder.

Once rebooted, run SpSeHjfix once more to complete the process!

I will need to see both logs from SpSeHjfix along with a Fresh HijackThis log and a StartDreck log as run before!

Please Avoid Restarting the PC after the Second Pass of SpSeHjfix!!
  • 0

#11
Francouk

Francouk

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Cretemonster,

Please find attached all logs and let me know what you think about them.

SpSeHjFix Logs

(4/13/05 8:23:44 AM) SPSeHjFix started v1.09
(4/13/05 8:23:44 AM) OS: WinME (4.90.73010104)
(4/13/05 8:23:44 AM) Language: english
(4/13/05 8:23:51 AM) Disinfect started
(4/13/05 8:23:51 AM) Bad-Dll(IEP): (not found)
(4/13/05 8:23:51 AM) Bad-Dll(IEP) in BHO: (not found)
(4/13/05 8:23:51 AM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\MNAIDAA.DLL
(4/13/05 8:23:51 AM) Searchassistant Uninstaller - Keys Deleted
(4/13/05 8:23:51 AM) UBF: 6
(4/13/05 8:23:51 AM) UBB: 0
(4/13/05 8:23:51 AM) UBR: 22
(4/13/05 8:23:51 AM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(4/13/05 8:23:51 AM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
(4/13/05 8:23:51 AM) Stealth-String found: C:\WINDOWS\HLPMD.GIF
(4/13/05 8:23:51 AM) File added to delete: c:\windows\system\mnaidaa.dll
(4/13/05 8:23:51 AM) File added to delete: c:\windows\temp\se.dll
(4/13/05 8:23:51 AM) File added to delete: c:\windows\hlpmd.gif
(4/13/05 8:23:51 AM) Reboot
(4/13/05 8:25:07 AM) SPSeHjFix 2nd Step
(4/13/05 8:25:07 AM) RunServicesOnce-Key: (alex)
(4/13/05 8:26:02 AM) Cleaned

*******************************************************************

HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 8:29:01 AM, on 13/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab

********************************************************************

Startdreck Logs

StartDreck (build 2.1.7 public stable) - 2005-04-13 @ 08:29:46 (GMT +01:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as default at TINY-BMWCZOTZ

»Registry
»Run Keys
»Current User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*NVIEW=rundll32.exe nview.dll,nViewLoadHook
»RunOnce
»Default User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*NVIEW=rundll32.exe nview.dll,nViewLoadHook
»RunOnce
»Local Machine
»Run
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*CountrySelection=pctptt.exe
*PCTVOICE=pctvoice.exe
*LoadQM=loadqm.exe
*LexStart=lexstart.exe
*SpeedTouch USB Diagnostics="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*Symantec Core LC=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMON.EXE
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*SchedulingAgent=mstask.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ccSetMgr="C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
*NPFMonitor=C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
»RunServicesOnce
**xxv=rundll32 C:\WINDOWS\HLPMD.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton AntiVirus\NavShExt.dll
»Files
»System/Drivers
»Running Processes
+FFCF6319=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFA5B1=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFC54D=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFFCF81=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE06D1=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE6099=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFE4079=C:\WINDOWS\RUNDLL32.EXE
+FFFEEB3D=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
+FFFECD15=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
+FFFD53A9=C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
+FFFCBA19=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFE10C1=C:\WINDOWS\EXPLORER.EXE
+FFFC8459=C:\WINDOWS\TASKMON.EXE
+FFFB31F5=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFB7801=C:\WINDOWS\PCTVOICE.EXE
+FFFB5BB9=C:\WINDOWS\LOADQM.EXE
+FFFBA845=C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
+FFFBB3BD=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFA3901=C:\WINDOWS\SYSTEM\LEXBCES.EXE
+FFFBF69D=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFA23B5=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFA245D=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
+FFFA69E9=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
+FFF937E1=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
+FFF9AC91=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF9F795=C:\WINDOWS\SYSTEM\LEXPPS.EXE
+FFF951E5=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
+FFF83BBD=C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
+FFF8DFF9=C:\WINDOWS\RUNDLL32.EXE
+FFF76FCD=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
+FFF50785=C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
+FFF930ED=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFF30BFD=C:\WINDOWS\NOTEPAD.EXE
+FFF4D761=C:\MY DOWNLOAD FILES\STARTDRECK217\STARTDRECK.EXE
»Application specific


Thank You Again for your help! :tazz:
  • 0
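The StartDreck log above shows why se.dll keeps coming back: a RunServicesOnce entry runs `rundll32 C:\WINDOWS\HLPMD.GIF,DllGetClassObject`, and rundll32 can only do that if the file is a PE DLL, whatever its extension says. The check a defender wants is therefore on the bytes, not the name. The following Python is an added example (not from the thread, SpSeHjfix or StartDreck) that classifies a file by its magic bytes and reports image-named files that are really PE images; the PE bytes used as a stand-in for HLPMD.GIF are constructed here, not the real file's contents.

```python
import ntpath
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # COFF Characteristics bit: linked image
IMAGE_FILE_DLL = 0x2000                # COFF Characteristics bit: image is a DLL
IMAGE_EXTENSIONS = (".gif", ".jpg", ".jpeg", ".bmp", ".png")


def build_fake_pe(is_dll: bool) -> bytes:
    """Constructed minimal PE header: DOS header with e_lfanew, the 'PE\\0\\0'
    signature and a 20-byte COFF header. Enough for the magic checks below;
    it is not a loadable image and stands in for the real HLPMD.GIF."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ") + bytearray(62)                 # 64-byte DOS header
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)           # offset of PE signature
    dos += bytes(e_lfanew - len(dos))                      # pad up to e_lfanew
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def classify_bytes(data: bytes) -> str:
    """Identify content by signature: 'gif', 'pe-dll', 'pe-exe', 'mz-only' or 'unknown'."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        # Need the 4-byte signature plus the 20-byte COFF header to be present.
        if e_lfanew + 24 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            chars = struct.unpack_from("<H", data, e_lfanew + 22)[0]
            return "pe-dll" if chars & IMAGE_FILE_DLL else "pe-exe"
        return "mz-only"
    return "unknown"


def extension_mismatches(files: dict) -> list:
    """Return the paths whose name claims an image format but whose bytes are a PE image."""
    hits = []
    for path, data in files.items():
        ext = ntpath.splitext(path)[1].lower()
        if ext in IMAGE_EXTENSIONS and classify_bytes(data).startswith("pe-"):
            hits.append(path)
    return hits


# Constructed sample set: the path from the log with constructed PE bytes, a
# genuine-looking GIF, and a DLL whose extension matches its content.
SAMPLE_FILES = {
    r"C:\WINDOWS\HLPMD.GIF": build_fake_pe(is_dll=True),
    r"C:\WINDOWS\real_picture.gif": b"GIF89a" + bytes(20),
    r"C:\WINDOWS\SYSTEM\SOMELIB.DLL": build_fake_pe(is_dll=True),
}


if __name__ == "__main__":
    for path, data in SAMPLE_FILES.items():
        print(f"{classify_bytes(data):8s} {path}")
    print("disguised executables:", extension_mismatches(SAMPLE_FILES))
```

On a live system the same `classify_bytes` would be fed the first few hundred bytes of each file named in an autostart entry; a result of `pe-dll` for a `.GIF` is the signal that the entry is a loader, which is exactly what the `Stealth-String found: C:\WINDOWS\HLPMD.GIF` line in the SpSeHjFix log is reporting.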

#12
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK, there seem to be some difficulties with this Infection on Windows ME!

So let's disable System Restore, Here's a link on how to do that:
http://service1.syma...src=sec_doc_nam

Now the Version of the fix that I gave you is apparently already outdated, there is a new version:
http://www.derbilk.de/SpSeHjfix109.zip

Please remove the First Copy I had you download and Use this new version with the Exact same Instructions on how to run it!

This time I want you to launch this program while in Safe Mode:
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

So let's run through this!!!

1. Disable System Restore
2. Download the New Version of SPSeHjFix
3. Restart in Safe Mode
4. Run the New Version of SPSeHjFix (Make sure all windows and browsers are closed)
5. When SPSeHjFix Restarts the Machine, Restart in Normal Mode and Let it Complete its process!
6. Save all logs from SPSeHjFix
7. Post any SPSeHjFix logs, Fresh HijackThis Log and a Fresh StartDreck log!

I apologize for the Confusion, this is one tough bugger to fight!!!
  • 0

#13
Francouk

Francouk

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Cretemonster,

Please find attached all fresh logs as requested after following your instructions!

SpSeHjFix

(4/14/05 8:29:43 AM) SPSeHjFix started v1.09
(4/14/05 8:29:43 AM) OS: WinME (4.90.73010104)
(4/14/05 8:29:43 AM) Language: english
(4/14/05 8:29:45 AM) Disinfect started
(4/14/05 8:29:45 AM) Bad-Dll(IEP): (not found)
(4/14/05 8:29:45 AM) Bad-Dll(IEP) in BHO: (not found)
(4/14/05 8:29:45 AM) UBF: 6
(4/14/05 8:29:45 AM) UBB: 0
(4/14/05 8:29:45 AM) UBR: 21
(4/14/05 8:29:45 AM) Bad IE-pages:
(4/14/05 8:29:45 AM) Stealth-String found: C:\WINDOWS\HLPMD.GIF
(4/14/05 8:29:45 AM) File added to delete: c:\windows\hlpmd.gif
(4/14/05 8:29:46 AM) Reboot
(4/14/05 8:30:37 AM) SPSeHjFix 2nd Step
(4/14/05 8:30:37 AM) RunServicesOnce-Key: (alex)
(4/14/05 8:30:45 AM) Cleaned

*******************************************************************

HijackThis Log


Logfile of HijackThis v1.99.1
Scan saved at 8:35:01 AM, on 14/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab

******************************************************************

Startdreck Log

StartDreck (build 2.1.7 public stable) - 2005-04-14 @ 08:36:17 (GMT +01:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as default at TINY-BMWCZOTZ

»Registry
»Run Keys
»Current User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*NVIEW=rundll32.exe nview.dll,nViewLoadHook
»RunOnce
»Default User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*NVIEW=rundll32.exe nview.dll,nViewLoadHook
»RunOnce
»Local Machine
»Run
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*CountrySelection=pctptt.exe
*PCTVOICE=pctvoice.exe
*LoadQM=loadqm.exe
*LexStart=lexstart.exe
*SpeedTouch USB Diagnostics="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*Symantec Core LC=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMON.EXE
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*SchedulingAgent=mstask.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ccSetMgr="C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
*NPFMonitor=C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
»RunServicesOnce
**u=rundll32 C:\WINDOWS\HLPMD.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton AntiVirus\NavShExt.dll
»Files
»System/Drivers
»Running Processes
+FFCF225B=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFE4F3=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE440F=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE4EC3=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE7F3F=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE1323=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFE2027=C:\WINDOWS\RUNDLL32.EXE
+FFFEFCC7=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
+FFFEBC2F=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
+FFFD7E0F=C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
+FFFCC56F=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFD06CF=C:\WINDOWS\EXPLORER.EXE
+FFFC89F3=C:\WINDOWS\TASKMON.EXE
+FFFBC48F=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFB0207=C:\WINDOWS\PCTVOICE.EXE
+FFFB166F=C:\WINDOWS\LOADQM.EXE
+FFFBAD17=C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
+FFFA4423=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFA05BB=C:\WINDOWS\SYSTEM\LEXBCES.EXE
+FFFA13AB=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFA0193=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
+FFFA3DFF=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFACC73=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
+FFFA8E97=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
+FFF920D3=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
+FFF9BD0B=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF824B7=C:\WINDOWS\RUNDLL32.EXE
+FFF83BC3=C:\WINDOWS\SYSTEM\LEXPPS.EXE
+FFF88F7B=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
+FFF70FF7=C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
+FFFE3D37=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
+FFF7FC5B=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFF923E3=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF36C4B=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF411D3=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF2C343=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF23BB3=C:\MY DOWNLOAD FILES\STARTDRECK217\STARTDRECK.EXE
»Application specific



Thank You for your continued assistance and we will defeat this bugger!!
  • 0

#14
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK, let's try this!!

Reboot into DOS

Click the Start button
Select Shut Down
Select Restart the computer in MS-DOS mode
Click the Yes button


Normally you will have C:\Windows at the prompt.


Type: del C:\Windows\HLPMD.GIF <--note the space between 'del' and 'C:'

Click Enter

Type: Exit

Restart in Normal mode and let's see another StartDreck log!
  • 0





