[Referred]hijacked![RESOLVED]


  • This topic is locked

#31
Denise
  • Topic Starter
  • Member
  • 24 posts
My screen is still white, sometimes flashing.
I can't reset my desktop.

When I open IE, 2 of the same page always open up:
1 google.com blank
1 proper google.com
I'll do part B and send that in later.
Thanks
D

Logfile of HijackThis v1.99.1
Scan saved at 8:56:00 PM, on 19/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Denise\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1116123610640
O23 - Service: Commander Service - Unknown owner - C:\Program Files\Seagull\BarTender 6.20\Trial\CmdrSrv.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\system32\ahtun.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
  • 0


#32
Kat
  • Retired Staff
  • 19,711 posts
  • MVP
Reboot into Safe Mode and uninstall the following (if found):

MyWebSearch
MySoftware Fonts and/or NewsFlsh

Then, delete the following folders:

C:\Program Files\MyWebSearch

Delete this file:
C:\WINDOWS\Web\desktop.html

Reboot normally, and do the following:

1. Right-click on the Desktop
2. Go to "Properties"
3. Select Desktop tab
4. Click on the "Customize Desktop" button
5. Select Web tab
6. Uncheck or delete whatever seems to be suspicious in the WEBPAGE box
  • 0

#33
Denise
  • Topic Starter
  • Member
  • 24 posts
Object "SideFind Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "MyWebSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "MyWebSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "MyWebSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "MyBar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Power scan Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Gator Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "precisiontime Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "morpheus Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "GrokSter Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\brix6ie.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ipixx.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\iSetupML.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\LSSupCtl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MSNChat42.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\RdxIE.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\surferplugin.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\SymAData.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\weather.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\webeye.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\BSTIEPrintCtl1.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1EFD6A40-3999-11CF-9150-00AA0059F70D}" refers to invalid object "E:\PROGRAM\32\mci32.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3775D2E0-7C5D-11CF-899E-00AA00688B10}" refers to invalid object "E:\PROGRAM\32\mci32.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA3}" refers to invalid object "E:\PROGRAM\32\mci32.ocx". Action Taken: No Action Taken.
Entry "HKCR\Word.Backup.8" refers to invalid object "{00020906-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\Word.Document.8" refers to invalid object "{00020906-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\Word.RTF.8" refers to invalid object "{00020906-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\Word.Template.8" refers to invalid object "{00020906-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\Word.Wizard.8" refers to invalid object "{00020906-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
File C:\WINDOWS\system32\d3dr32tm.dll infected by "Rootkit.Win32.Agent.c" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\kbdtf80n.dll infected by "Backdoor.Win32.PPdoor.j" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\qapptl32.exe infected by "Backdoor.Win32.PPdoor.m" Virus! Action Taken: No Action Taken.
File C:\Program Files\Common Files\Java\flncpy.exe infected by "Trojan.Win32.Zapchast" Virus! Action Taken: No Action Taken.
File C:\Program Files\NetMeeting\WeatherInstMain.exe tagged as "not-a-virus:AdWare.SaveNow.ae". Action Taken: No Action Taken.
File C:\RECYCLER\NPROTECT\00245290. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\NPROTECT\00245291. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\NPROTECT\00245312. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\NPROTECT\00245314. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\NPROTECT\00245322. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\NPROTECT\00245323. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\NPROTECT\00245342. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\NPROTECT\00245370. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\NPROTECT\00245378. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\NPROTECT\00245389. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\NPROTECT\00414461. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\NPROTECT\00414464. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\NPROTECT\00414469. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\NPROTECT\00414485. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
  • 0

#34
Kat
  • Retired Staff
  • 19,711 posts
  • MVP
1. OK, here we go! First, I want you to go into Safe Mode, and search for any of the following programs. If you find them, uninstall them. Also, please check your C:\Program Files folder for any corresponding folders, and delete if found.

SideFind
MyWebSearch
MyBar
AltNet
Gator
precisiontime
morpheus
GrokSter
NetMeeting


2. Copy the contents of the Code box below to a blank notepad.
Close it, saving to your desktop as:

File name: delfiles.bat
Save As Type: All Files

rem Clear the hidden/read-only/system attributes, then delete each file the ewido scan flagged.
rem Every path is quoted so that cmd.exe treats a path containing spaces as one argument.
attrib -h -r -s "C:\WINDOWS\brix6ie.ocx"
del "C:\WINDOWS\brix6ie.ocx"
attrib -h -r -s "C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx"
del "C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx"
attrib -h -r -s "C:\WINDOWS\Downloaded Program Files\ipixx.ocx"
del "C:\WINDOWS\Downloaded Program Files\ipixx.ocx"
attrib -h -r -s "C:\WINDOWS\Downloaded Program Files\iSetupML.dll"
del "C:\WINDOWS\Downloaded Program Files\iSetupML.dll"
attrib -h -r -s "C:\WINDOWS\Downloaded Program Files\LSSupCtl.dll"
del "C:\WINDOWS\Downloaded Program Files\LSSupCtl.dll"
attrib -h -r -s "C:\WINDOWS\Downloaded Program Files\MSNChat42.ocx"
del "C:\WINDOWS\Downloaded Program Files\MSNChat42.ocx"
attrib -h -r -s "C:\WINDOWS\Downloaded Program Files\RdxIE.dll"
del "C:\WINDOWS\Downloaded Program Files\RdxIE.dll"
attrib -h -r -s "C:\WINDOWS\Downloaded Program Files\surferplugin.ocx"
del "C:\WINDOWS\Downloaded Program Files\surferplugin.ocx"
attrib -h -r -s "C:\WINDOWS\Downloaded Program Files\SymAData.dll"
del "C:\WINDOWS\Downloaded Program Files\SymAData.dll"
attrib -h -r -s "C:\WINDOWS\Downloaded Program Files\weather.dll"
del "C:\WINDOWS\Downloaded Program Files\weather.dll"
attrib -h -r -s "C:\WINDOWS\Downloaded Program Files\webeye.ocx"
del "C:\WINDOWS\Downloaded Program Files\webeye.ocx"
attrib -h -r -s "C:\WINDOWS\System32\BSTIEPrintCtl1.dll"
del "C:\WINDOWS\System32\BSTIEPrintCtl1.dll"
rem mci32.ocx appeared under three registry entries in the scan but is one file; delete it once.
attrib -h -r -s "E:\PROGRAM\32\mci32.ocx"
del "E:\PROGRAM\32\mci32.ocx"
attrib -h -r -s "C:\WINDOWS\system32\d3dr32tm.dll"
del "C:\WINDOWS\system32\d3dr32tm.dll"
attrib -h -r -s "C:\WINDOWS\system32\kbdtf80n.dll"
del "C:\WINDOWS\system32\kbdtf80n.dll"
attrib -h -r -s "C:\WINDOWS\system32\qapptl32.exe"
del "C:\WINDOWS\system32\qapptl32.exe"
attrib -h -r -s "C:\Program Files\Common Files\Java\flncpy.exe"
del "C:\Program Files\Common Files\Java\flncpy.exe"

3. Reboot into Safe Mode, and double click on delfiles.bat and let it run. Then reboot normally, post a fresh HJT log here for review and let me know how things are running. **Also, please be sure to navigate to your Norton's recycle bin and delete EVERYTHING there. It is found in C:\RECYCLER\NPROTECT\
  • 0
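Kat's deletion list above was compiled by hand from the ewido report; as an added example (not from the thread), the Python below does the same mechanically: it parses the two report line shapes that name a file on disk, drops CLSID-only entries and the C:\RECYCLER\NPROTECT\ folder that Kat has emptied separately, de-duplicates case-insensitively (the report lists mci32.ocx under three registry keys), and prints quoted attrib/del pairs so paths with spaces survive cmd.exe. The sample report is a constructed subset in the same format.

```python
import re
from typing import Dict, List

# Constructed sample in the format of the ewido report posted above (a subset, not the full report).
SAMPLE_REPORT = r"""
Object "MyWebSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\RdxIE.dll". Action Taken: No Action Taken.
Entry "HKCR\Word.Backup.8" refers to invalid object "{00020906-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1EFD6A40-3999-11CF-9150-00AA0059F70D}" refers to invalid object "E:\PROGRAM\32\mci32.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3775D2E0-7C5D-11CF-899E-00AA00688B10}" refers to invalid object "E:\PROGRAM\32\mci32.ocx". Action Taken: No Action Taken.
File C:\WINDOWS\system32\d3dr32tm.dll infected by "Rootkit.Win32.Agent.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Common Files\Java\flncpy.exe infected by "Trojan.Win32.Zapchast" Virus! Action Taken: No Action Taken.
File C:\Program Files\NetMeeting\WeatherInstMain.exe tagged as "not-a-virus:AdWare.SaveNow.ae". Action Taken: No Action Taken.
File C:\RECYCLER\NPROTECT\00245290. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
"""

# The two report line shapes that name a file on disk.
INVALID_OBJECT = re.compile(r'refers to invalid object "([^"]+)"')
INFECTED_FILE = re.compile(r'^File (.+?) infected by "')
# A Windows drive path, as opposed to a CLSID in braces.
DRIVE_PATH = re.compile(r'^[A-Za-z]:\\')
# Kat has this folder emptied by hand, so it is left out of the batch.
SKIP_PREFIX = 'C:\\RECYCLER\\NPROTECT\\'.lower()


def extract_paths(report: str) -> List[str]:
    """Return the file paths the report names, de-duplicated case-insensitively, in first-seen order."""
    seen: Dict[str, str] = {}
    for line in report.splitlines():
        m = INVALID_OBJECT.search(line) or INFECTED_FILE.match(line)
        if not m:
            continue  # "found in File System", "tagged as" and similar lines carry no file path
        path = m.group(1).strip()
        if not DRIVE_PATH.match(path):
            continue  # a CLSID such as {00020906-...} is a registry object, not a file
        if path.lower().startswith(SKIP_PREFIX):
            continue
        seen.setdefault(path.lower(), path)  # Windows paths are case-insensitive
    return list(seen.values())


def build_batch(report: str) -> List[str]:
    """Emit attrib/del pairs; quoting keeps paths with spaces intact under cmd.exe."""
    lines: List[str] = []
    for path in extract_paths(report):
        lines.append(f'attrib -h -r -s "{path}"')
        lines.append(f'del "{path}"')
    return lines


if __name__ == "__main__":
    # Print the batch for review rather than writing or running it.
    print("\n".join(build_batch(SAMPLE_REPORT)))
```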

#35
Denise
  • Topic Starter
  • Member
  • 24 posts
Hi Kat,

I can't get to this until Sat night... will repost then.

Thanks for ALL your help.

D
  • 0

#36
Denise
  • Topic Starter
  • Member
  • 24 posts
Hi Kat,

Ok so I tried to do everything you said but I couldn't locate a lot of the files, only NetMeeting.
The C:\WINDOWS\Web\desktop.html came up when I right-clicked on my desktop and then Properties, but I could not find it to delete it.

As a last resort I went into the Desktop settings in the Control Panel and deleted "security" under the Web tab.
That seems to have worked. I now have my desktop back... but I've noticed that my computer is rebooting very slowly now.
I also removed a program called Seagull?
Is my computer safe now and if so how do I keep it safe?
Here's the log...

Thanks in advance!!

D

Logfile of HijackThis v1.99.1
Scan saved at 10:18:39 PM, on 21/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Denise\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1116123610640
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\system32\ahtun.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
  • 0

#37
Kat
  • Retired Staff
  • 19,711 posts
  • MVP
Hello again! Your HJT log is clean. Looking at your log though, I see a lot of unnecessary things that are causing your slow boot times. Read through the following, along with their description. If you choose to remove them from automatic startup, fix them in HijackThis the same way you fixed your Malware. Then reboot and let me know if that helped!

**Removing these items from AutoStart does NOT remove or interfere with the programs. It simply stops them from starting up until YOU choose to have them run!

Also, do you have Spybot? If not, I will give you a link. If so, you can use Spybot to manage what programs do and do not automatically load when you boot up.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
Given the extremely simple functionality of this Tray icon, it is a totally unreasonable resource hog – it has been measured to use as much as 1.5Mb of memory at times.

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
For a start, on many PCs EVNTSVC/REALSCHED slows down boot-ups unacceptably, using up to 90% of CPU time at times.

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
CTFMon comes with Microsoft Office XP and Windows XP – it activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar.

O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
It is a good idea to turn OFF all automatic update managers. We recommend checking manually for all updates. These are unnecessary resource hogs.

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
This is not necessary to have running all the time. Fixing it in HJT will not remove the program, or the Assistant. Instead, it will simply open AS YOU NEED it.
  • 0
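The startup and service entries Kat reviews above follow a fixed HijackThis line format, so they can be parsed and triaged mechanically. As an added example (not the thread's own tooling, and a review heuristic rather than a verdict), this Python parses O4 and O23 lines from a constructed sample in that format, extracts the image path from both quoted and unquoted commands, and lists services whose publisher is unknown or whose binary is missing so a reviewer looks at them before calling a log clean.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v1.99.1 format (a subset of the kinds of lines posted above).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O23 - Service: Commander Service - Unknown owner - C:\Program Files\Seagull\BarTender 6.20\Trial\CmdrSrv.exe (file missing)
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\system32\ahtun.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# O4 registry autoruns: "O4 - HKLM\..\Run: [Name] command"
O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.*)$')
# O4 startup-folder shortcuts: "O4 - Global Startup: Name.lnk = path"
O4_STARTUP = re.compile(r'^O4 - ((?:Global )?Startup): (.+?) = (.*)$')
# O23 services: "O23 - Service: Name - Owner - path [(file missing)]"
O23_SERVICE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.*)$')
# A quoted image path, or an unquoted one running up to the first " -x" / " /x" switch.
IMAGE = re.compile(r'^"([^"]+)"|^(.+?)(?=\s+[-/]\S|$)')
MISSING = "(file missing)"


@dataclass
class Entry:
    section: str            # "O4" or "O23"
    location: str           # e.g. "HKLM\Run", "Global Startup", "Service"
    name: str
    image: str
    owner: Optional[str] = None
    file_missing: bool = False


def image_path(command: str) -> str:
    """Strip quotes and trailing switches from an O4 command, keeping unquoted paths with spaces whole."""
    m = IMAGE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command.strip()


def parse_hjt(log: str) -> List[Entry]:
    """Parse the O4 and O23 lines of a HijackThis log into Entry records, in log order."""
    entries: List[Entry] = []
    for line in log.splitlines():
        m = O4_RUN.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries.append(Entry("O4", f"{hive}\\{key}", name, image_path(cmd)))
            continue
        m = O4_STARTUP.match(line)
        if m:
            loc, name, cmd = m.groups()
            entries.append(Entry("O4", loc, name, image_path(cmd)))
            continue
        m = O23_SERVICE.match(line)
        if m:
            name, owner, image = m.groups()
            missing = image.endswith(MISSING)
            if missing:
                image = image[: -len(MISSING)].rstrip()
            entries.append(Entry("O23", "Service", name, image, owner, missing))
    return entries


def services_for_review(entries: List[Entry]) -> List[str]:
    """O23 services with no identified publisher or a missing binary: review items, not verdicts."""
    return [e.name for e in entries
            if e.section == "O23" and (e.owner == "Unknown owner" or e.file_missing)]


def autoruns(entries: List[Entry]) -> List[Entry]:
    """The O4 startup items a reviewer decides whether to keep or remove from autostart."""
    return [e for e in entries if e.section == "O4"]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT_LOG)
    for e in autoruns(parsed):
        print(f"autorun  {e.location:<16} {e.name:<24} {e.image}")
    for name in services_for_review(parsed):
        print(f"review   service: {name}")
```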

#38
Denise
  • Topic Starter
  • Member
  • 24 posts
Hey KAt!

Ok so I did as instructed but I still notice 4 problems:
1. Whenever I try to open Word I get a message saying Windows Installer; it tries to install something and then I get an error message saying... error occurred... feature not running properly, run setup and select repair????
2. The look of the icons at the top right hand of the page (_ x minimize) looks different?
3. In Spybot I keep getting an error during check: "C:\WINDOWS\win.ini kann nicht geöffnet werden."??????????????

Even though it says my system is clean.
4. My task scheduler will not run?


Again thank you you are amazing!!!!!!!!!!!!! :tazz:

D
  • 0

#39
Kat
  • Retired Staff
  • 19,711 posts
  • MVP
Denise:

As far as the issue about MS Word, that is not Malware related. Please start a topic in the "Applications" section of the board, and the Excellent Staff members over there will help you with it!!

As far as the error with Spybot... you are the third person now in 24 hours I have had with this same odd error. I have posted a thread in the Experts' forum, asking some of our gurus to take a look and give me some feedback. Hang in there, and I should have an answer for you by tomorrow, ok??
  • 0

#40
Kat
  • Retired Staff
  • 19,711 posts
  • MVP
Hi again Denise! As to the Spybot problem:

For the following error:

  • Error during check!: **various** (File C:\WINDOWS\wininit.ini (also win.ini or system.ini) cannot be opened. The process cannot access the file because it is being used by another process) ()

The following applies:

  • The error message translated from German to English is:
      • Datei = File.
      • kann nicht geöffnet werden = cannot be opened.
      • Therefore:
          • Error during check!: **various** (File C:\WINDOWS\wininit.ini (also win.ini or system.ini) cannot be opened. The process cannot access the file because it is being used by another process) ()
  • The error terminates the scan.

Probable cause:

  • An old "advcheck.dll" program.
  • To check:
      • Make sure that the "Modified" date on C:\Program Files\Spybot - Search & Destroy\advcheck.dll (right click > Properties) is: Monday, October 04, 2004 or later.

If the advcheck.dll is old it must be updated. The method that you use to update the advcheck.dll depends on how you normally update Spybot-S&D.

  • If you normally update Spybot-S&D using the integrated update facility within Spybot-S&D:
      • Go into Spybot > Update
      • Click "Search for Updates"
      • Check everything found
          • One of the updates should be for: Advanced detection library - Advanced detection routines update (75 KB) - 2004-10-14
      • Click "Download Updates"
  • If you normally download updates directly from safer-networking.org:
      • Go to the following WEB page:
          • Downloads – The home of Spybot-S&D!
            http://www.safer-net...load/index.html
          • There is an item on that page described as follows:
              • Advanced check library update 2004-10-14 - product description
                This is an update for a detection library. Only needed if you do not want to use the update function integrated into Spybot-S&D.
          • Download and execute the installation program (spybotsd_advcheck.exe) to install the new advcheck.dll. The direct download link is:
            http://www.spybotupd...sd_advcheck.exe

If the advcheck.dll is not old or the original error that I cited is not the error that you are receiving, please post the date of the advcheck.dll and/or the exact error you are getting. Go into Spybot > Mode > Advanced mode > Tools > View Reports > View Previous reports. Look for the last Checks.yymmdd-hhmm file. While viewing the Checks.yymmdd-hhmm file in Spybot, Right click > Select all > Right click > Copy. Paste into another post.


LINK


What exactly is the issue with the task scheduler? What won't allow you to schedule..and from where??

As far as the buttons, that sounds to me like a display issue, not an actual problem with the background and such. Go into your control panel and select "display". Check your settings there to make sure they are how you want them.

Edited by ~Kat~, 22 May 2005 - 01:43 AM.


#41
Denise (Topic Starter)
Hi Kat,

OK everything seems to be under control now except for the windows problem...it's new ever since I was hijacked...it says that the windows installer is installing then it says run setup and repair???
I guess I'll start a thread in applications as advised.

You've been great!

If I send you a donation thru PP will you direct it to your charity (or keep it..you deserve it!) Everyone said that I would have to take my computer in and you helped me prove them wrong!


Thanks

D

#42
Kat
I'm so glad we got you all fixed up! I enjoy doing this work a lot, and it gives me a lot of joy! If you choose to send a donation, it will go to the camp. I have already decided that if anyone chooses to donate, that's where the money will go! :tazz:

Thanks so much for being patient, and for being so easy to work with!! :)

Before you start the new thread....take out your Office CD and put it in. Choose "repair" and then "Word" and let it do its thing. See if that clears it up for you! ;) It should!!



Congratulations! Your log is now clean! ;)
Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice "So how did I get infected in the first place?" and AntiSpyware Net's spyware article: "Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it."
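The HOSTS-file mechanism described in the prevention list above (known ad sites mapped to 127.0.0.1) can also be audited in the other direction. As an added example that is not part of the original thread or of the MVPS project, the Python below parses a hosts file, counts hostnames sinkholed to a loopback or unspecified address, and flags entries that redirect a hostname to some other address, which is how a hijacked HOSTS file typically shows up. The sample hosts text is constructed for the example.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread's logs).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test   # blocklist-style entry
127.0.0.1       tracker.example.test
203.0.113.7     www.google.com              # redirect to a non-local address
0.0.0.0         telemetry.example.test
"""


def is_sinkhole(ip):
    """True if the address only blocks lookups (loopback or 0.0.0.0/::)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Split entries into blocked hostnames and suspicious redirects."""
    blocked, suspicious = [], []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue  # the stock loopback entry is expected
        if is_sinkhole(ip):
            blocked.append(name)
        else:
            suspicious.append((name, ip))  # a hostname sent elsewhere
    return {"blocked": blocked, "suspicious": suspicious}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} blocked, {len(report['suspicious'])} suspicious")
    for name, ip in report["suspicious"]:
        print(f"  {name} -> {ip}")
```

On a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into `audit_hosts` instead of the constructed sample; any entry in the suspicious list deserves a look.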

#43
Kat
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.