Hello you wonderful computer people you! I just have a quick question before I post a Hijack log.
I've gone through all of the steps, and rebooted. The malware that I have keeps messing up my internet connection information, and I keep changing it back manually. I'm not sure if the malware is still there because:
1) I have two copies of Windows XP installed on my one computer. This was due to reasons I can't even remember now, but when I boot up, I have to choose the correct installed version, because the other version doesn't work at all. I'm not sure how to get this other non-working version off (perhaps that answer is in another thread).
2) Also, my computer is divided into my section and my husband's section.
Could these two things keep malware hidden on my computer somewhere, or should the steps I have already followed root out all the issues from both versions of XP, as well as from both sides of my computer? (I am to the point in the steps where the Hijack log is next).
Should I post a Hijack log to make absolutely sure that the malware is gone? *This malware seems to be sporadic... sometimes it'll mess with my connection, other times it won't.* When I first found the infection, it was due to finding icons on my desktop (and my husband's), as well as pinned to my Start menu, and also hiding in my program list.
Here's my Hijack Log:
Logfile of HijackThis v1.99.1
Scan saved at 3:30:01 PM, on 5/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SYSTEM32\usbn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Documents and Settings\Jennifer\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...ize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...ize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.consolidated.net/front/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fastaccess.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...ize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...ize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...ize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ask.com/i...asp?origin=7019
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...ize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer by ICTC
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\javasoft\jre1.4\1.4.1\bin\jusched.exe
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\SYSTEM32\usbn.exe -go -c28 -w
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.fastaccess.org
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...tallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...a22/netzip/RdxIE601.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...redContent/common/bin/cabsa.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
I am just editing this to announce that thanks to the steps and tools posted on this website, my malware appears to be gone!
The very last tool I tried was TDS3, which found a few Trojan problems. I also called Dell, and they helped me get the extra copy of Windows off my computer.
I woke up this morning, booted up my computer, and was THRILLED to see the correct internet connection info right where it's supposed to be. *huge happy sigh*
Hopefully I'm right here, and this is over. I thank you all soooooo much for posting the tools and easy-to-understand instructions that got my computer back to where it should be. Your kindness, your skills, and your patience are greatly, greatly appreciated. I thank you all sooooo much.
Edited by justconfusedenough, 20 May 2005 - 02:46 PM.