Okay, all has failed, here's my Hijack log


#1 justconfusedenough (Member, 14 posts)
I started this post earlier today, before I knew whether or not the malware was gone. Now I know that it is still here and makes an appearance every time I reboot. I've kept my original post because it might be helpful, but I'm adding my Hijack log.



Hello you wonderful computer people you! I just have a quick question before I post a Hijack log.

I've gone through all of the steps, and rebooted. The malware that I have keeps messing up my internet connection information, and I keep changing it back manually. I'm not sure if the malware is still there because:

1) I have two Windows XP installed on my one computer. This was due to reasons I can't even remember now, but when I boot up, I have to choose the correct installed version, because the other version doesn't work at all. I'm not sure how to get this other non-working version off (perhaps that answer is in another thread).

2) Also, my computer is divided into my section, and my husband's section.

Could these two things keep malware hidden on my computer somewhere, or should the steps I have already followed root out all the issues from both versions of XP, as well as from both sides of my computer? (I am to the point in the steps where the Hijack log is next).

Should I post a Hijack log to make absolutely sure that the malware is gone? *this malware seems to be sporadic...sometimes it'll mess with my connection, other times it won't.* When I first found the infection, it was due to finding icons on my desktop (and my husband's) as well as pinned to my start up menu, and also hiding in my program list. ;)

Here's my Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:30:01 PM, on 5/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SYSTEM32\usbn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Documents and Settings\Jennifer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...ize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...ize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.consolidated.net/front/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fastaccess.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...ize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...ize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...ize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ask.com/i...asp?origin=7019
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...ize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer by ICTC
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\javasoft\jre1.4\1.4.1\bin\jusched.exe
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\SYSTEM32\usbn.exe -go -c28 -w
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.fastaccess.org
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...tallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...a22/netzip/RdxIE601.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...redContent/common/bin/cabsa.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe



I am just editing this to announce that thanks to the steps and tools posted on this website, my malware appears to be gone!

The very last tool I tried, was the TDS3, which found a few Trojan problems. I also called Dell, and they helped me get the extra copy of Windows off my computer.

I woke up this morning, booted up my computer, and was THRILLED to see the correct internet connection info right where it's supposed to be. *huge happy sigh*

Hopefully I'm right here, and this is over. I thank you all soooooo much for posting the tools and easy to understand instructions that got my computer back to where it should be. Your kindness, your skills, and your patience is greatly greatly appreciated. I thank you all sooooo much. :tazz:

Edited by justconfusedenough, 20 May 2005 - 02:46 PM.


#2 Wizard (Retired Staff, 5,661 posts)
If you like, Post a fresh HijackThis log and I will have a look!

#3 justconfusedenough (Topic Starter, Member, 14 posts)
Cool! I'll be right back! :tazz:

#4 justconfusedenough (Topic Starter, Member, 14 posts)
Here it is....*crosses fingers*


Logfile of HijackThis v1.99.1
Scan saved at 4:21:38 PM, on 5/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CallWave\IAM.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Documents and Settings\Jennifer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.consolidated.net/front/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fastaccess.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ask.com/i...asp?origin=7019
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer by ICTC
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\javasoft\jre1.4\1.4.1\bin\jusched.exe
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\SYSTEM32\usbn.exe -go -c28 -w
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.fastaccess.org
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...ive/HS_live.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{210DB483-DE6F-430A-B037-80C64BC77694}: NameServer = 216.176.95.129 216.176.95.161
O17 - HKLM\System\CS1\Services\Tcpip\..\{210DB483-DE6F-430A-B037-80C64BC77694}: NameServer = 216.176.95.129 216.176.95.161
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

#5 Wizard (Retired Staff, 5,661 posts)
Just a few little bugs left in there but I think we can handle it!

You may have already downloaded the programs I suggest, if that's so just follow the Instructions for their use!

Please don't run them until I ask you to!

Please Download Ad Aware SE 1.05
http://www.bleepingc...showtutorial=48

Follow the Instructions inside the link and Install>Update and Configure just as described!

Please Download CleanUp! 4.0
http://downloads.ste...p/CleanUp40.exe

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!
Here is a link to help with that:
http://www.bleepingc...showtutorial=62

Locate and Delete these files

C:\ex.cab<< File Only!

C:\eied_s7.cab<< File Only!

C:\WINDOWS\SYSTEM32\usbn.exe<< File Only!

C:\WINDOWS\System32\vbsys2.dll<< File Only!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O4 - HKLM\..\Run: [usbn] C:\WINDOWS\SYSTEM32\usbn.exe -go -c28 -w

O14 - IERESET.INF: START_PAGE_URL=http://www.fastaccess.org

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...ive/HS_live.cab

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Still in Safe Mode>Scan the PC with Ad Aware and Remove all it finds!

Open and Run CleanUp!>When Prompted to Log Off>Do so>then Restart!

Restart Normal and have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates and post it back here along with a Fresh HijackThis log!!
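The working method in this post is to compare each fresh HijackThis log against the entries the helper asked to fix, and to look first at a handful of entry types (O1 Hosts, O15 Trusted Zone, O16 DPF controls sourced from a local .cab, O21 SSODL). The script below is an added example, not HijackThis code and not code posted by anyone in this thread: it parses two logs, reports which entries disappeared or appeared between them, and flags the entry types above for review. The two sample excerpts are trimmed from the logs posted in this thread (post #4 before the fix, post #10 after); the prefix-to-reason table is an editorial choice based on what was fixed here, not a HijackThis rule, and the O17 hint only asks that the listed DNS servers be confirmed against the ISP's.

```python
"""Diff two HijackThis logs and flag entry types worth a second look.

Added example for this thread, not HijackThis code and not code posted by
either participant.  The sample excerpts are trimmed from the logs posted
in posts #4 (before the fix) and #10 (after); REVIEW_HINTS is an editorial
choice based on what was fixed in the thread, not a HijackThis rule.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Every HijackThis entry line starts with a section code: R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")

# Section codes the helper in this thread acted on, with a one-line reason.
REVIEW_HINTS: Dict[str, str] = {
    "O1": "HOSTS file entry (pins a hostname to a fixed IP)",
    "O15": "site added to the IE Trusted Zone",
    "O17": "DNS NameServer setting (confirm it matches the ISP's servers)",
    "O21": "ShellServiceObjectDelayLoad DLL (loads with Explorer)",
}

# Trimmed from the thread's post #4 log (before the fix).
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:21:38 PM, on 5/21/2005
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\SYSTEM32\usbn.exe -go -c28 -w
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{210DB483-DE6F-430A-B037-80C64BC77694}: NameServer = 216.176.95.129 216.176.95.161
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
"""

# Trimmed from the thread's post #10 log (after the fix).
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:53:01 PM, on 5/23/2005
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O17 - HKLM\System\CCS\Services\Tcpip\..\{210DB483-DE6F-430A-B037-80C64BC77694}: NameServer = 216.176.95.129 216.176.95.161
"""


def parse_log(text: str) -> Dict[str, str]:
    """Return {entry line: section code}; header and process lines are skipped."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[line] = m.group(1)
    return entries


def section_counts(text: str) -> Dict[str, int]:
    """How many entries each section code contributes (the quick shape of a log)."""
    return dict(Counter(parse_log(text).values()))


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries that vanished since the earlier log, and entries that are new."""
    b, a = parse_log(before), parse_log(after)
    removed = [line for line in b if line not in a]
    added = [line for line in a if line not in b]
    return removed, added


def review_flags(text: str) -> List[Tuple[str, str]]:
    """Entries a helper would look at first, each paired with the reason."""
    flags: List[Tuple[str, str]] = []
    for line, code in parse_log(text).items():
        if code in REVIEW_HINTS:
            flags.append((line, REVIEW_HINTS[code]))
        elif code == "O16" and "file://" in line.lower():
            # An ActiveX control registered to load from a .cab on the local
            # disk rather than from a vendor site is the pattern fixed here.
            flags.append((line, "DPF ActiveX control sourced from a local .cab"))
    return flags


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Gone since last log:")
    for line in removed:
        print("  -", line)
    print("New since last log:")
    for line in added:
        print("  +", line)
    print("Still worth a look:")
    for line, why in review_flags(AFTER_LOG):
        print(f"  ? {line}\n      {why}")
```

Run it against two real logs by replacing the embedded excerpts with the files' contents; entries are compared as whole stripped lines, so a path that changed case or a control that moved to a new CLSID shows up as one removal plus one addition rather than being silently matched.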

#6 justconfusedenough (Topic Starter, Member, 14 posts)
Well, I can't find the 'ex.cab' and 'eied_s7' files. How do I find them? Everything else is pretty much ready to go.....just need to find those files.

#7 Wizard (Retired Staff, 5,661 posts)
Those entries were probably self deleting upon execution, therefore the entries we killed with HijackThis fixed the problem!

Have you noticed any difference in the PC?

Post another HijackThis log and Lets have a look!

#8 justconfusedenough (Topic Starter, Member, 14 posts)
Let me just say, that I have been working out in the sun all day, so maybe simple concepts are flying right over my head (actually....I very often don't need the sun's participation in my confusion lol!).

All I have done so far is to configure Adaware and made sure I downloaded Clean UP. I went in Safe Mode and couldn't find the files. So, going against my impulsive grain, I decided that since I couldn't find them, that I'd come here and ask you about it before I went ahead and scanned anything.

I'm trying to make darn sure that I don't mess this up further, or make your job of helping me any harder. :tazz:

So do I not worry about the files and go ahead with all the scanning and deleting of stuff (according to your post)?

#9 Wizard (Retired Staff, 5,661 posts)
Good Call, coming back and asking, go on ahead with the fix as described in the link, remove the entries in HijackThis!

In Safe Mode>Do the fixes with Hijackthis>Scan with Ad Aware>Restart in Normal Mode>Scan at the Panda Site>Save the log from the Panda Scan>Post the Panda log and a fresh HijackThis log!

#10 justconfusedenough (Topic Starter, Member, 14 posts)
Okeeee....Here we go. First is the Panda thing. I hope it's the right report....seems kind of short, but hopefully that's a good thing. :tazz:

Panda:


Incident Status Location

Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Jennifer\Desktop\backups\backup-20050523-151754-119.inf

And here is Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 4:53:01 PM, on 5/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Jennifer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.consolidated.net/front/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fastaccess.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ask.com/i...asp?origin=7019
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer by ICTC
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] c:\program files\javasoft\jre1.4\1.4.1\bin\jusched.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{210DB483-DE6F-430A-B037-80C64BC77694}: NameServer = 216.176.95.129 216.176.95.161
O17 - HKLM\System\CS1\Services\Tcpip\..\{210DB483-DE6F-430A-B037-80C64BC77694}: NameServer = 216.176.95.129 216.176.95.161
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe



Before I ran these scans, I was in safe mode and looking to check off the files you listed. I couldn't find some of those either.

Oh but hey, after posting this, I read through and those files are there now. I wonder if I should check them off now and fix them? I'll wait to hear from you again. ;)

Edited by justconfusedenough, 23 May 2005 - 04:03 PM.


#11 Wizard (Retired Staff, 5,661 posts)
"Seems awful short" is very good in this case!

How's the PC running?

Open HijackThis and Put a Tick Next to these

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

Make sure all Windows are Closed and Click "Fix Checked"

Thats all I see!

Download,Install and Update these 2 for some added Security to Internet Explorer!

SpywareBlaster and Spyware Guard:
http://www.javacoolsoftware.com/
Update Immediately!

IE Spyad:
http://www.bleepingc...showtutorial=53
There is a direct download inside and great tutorial also!

Please get Windows Updated to SP2>The Updates are Critical to the Systems Security level!

If you have any more questions>Feel free to Ask!

#12 justconfusedenough (Topic Starter, Member, 14 posts)
Okay, I just fixed the last few, and I think my puter runs much much.....(thinks back to the infestations from just days ago)....MUCH BETTER!!!!!! THANK YOU SOOOOOOO MUCH!!!!!!! :) :tazz: :)

Now, I'll download and install SP2, and I have Spyware Blaster, actually.......

I now have Adaware, AVG, Spyware Blaster, CW Shredder, and TDS-3. And I'll need the two others you listed, even if IE isn't my main browser? I use Mozilla, but I do have to use IE to log into my ISP's email filter, to get the messages that seem to get lodged in there. And....some sites don't like Mozilla, like Homestead, which is where my own website is hosted. I better fix IE, like you said. :yeah:

I was wondering too, that when I run routine scans for viruses and all, do I run scans with all of these programs? or just one of them? or just a few of them? I'd love your input on that.

Again, THANK YOU SO MUCH!!!! YOU ROCK!!!!! ;) ;) :)

#13 Wizard (Retired Staff, 5,661 posts)
Good Question!!! :tazz:

My weekly regimen consists of

Windows Updates
Ad Aware Scan
Spyware Blaster Updates
Anti Virus Scan

About every 2 days I Update my Antivirus!

And because you just made me notice something I missed....We need to talk about Firewalls!

The one that SP2 brings to the PC is well intended but just not enough in my opinion!

I highly recommend either of these

Kerio Personal Firewall 4
http://www.kerio.com...f_download.html

Sygate Personal Firewall:
http://smb.sygate.co...pf_standard.htm


Kerio has partnered with Grisoft to make the Beta AVG 7 plus Firewall!

Since it's in its Beta Form and a limited trial as far as I know and you already have AVG 7, why not give Kerio a try!?

That would be your call....You can always remove it if you don't like it!

I hope this helps! ;)

#14 justconfusedenough (Topic Starter, Member, 14 posts)
:) COOL!!!!! I'm gonna' write this down and tape it to my computer screen so that I won't forget. :tazz:

I'm also gonna' take another stab at SP2 today. I tried to get it last night, but the links in the Microsoft Update area just took me around in circles. They want me to enable my automatic update thing, but the last time I did that, an update got stuck during the download and my computer was shut down for probably a week. I'll get SP2 out of them yet though. ;)

And I'll do the Firewall thing tonight too. You have been more helpful than I would have ever dared to hope for. Most other help sites on the net, seem to be very often run by people who hate helping people (and this is just based on my own personal experience, and is my own opinion...I am in no way trying to condemn other web sites....I'm just stating what I feel I have experienced).

I cannot thank you enough. Simple words just fall so far short of expressing how I feel about this, so I'll give you one of my biggest cyber hugs ever: ((((((((((((((((((((((((((((((((((((((HUUUUUUUGG!)))))))))))))))))))))))))))))))))))))))))))))) :)

And, I also plan on joining Geek U as soon as I can and if you'll accept me. I'm too broke to donate any money right now, but I'm never too broke to donate my time. ;)