Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

problems with getting on the forum [RESOLVED]


  • This topic is locked This topic is locked

#1
klockdoc

klockdoc

    Member

  • Member
  • PipPipPip
  • 101 posts
I originally posted problem in XP forum. I did as requested and went through all the steps required for removal of spyware and virus components. Here is the HighJack log I received after the scans.

When I got home though, I could get on the Internet through IE6.0 when last night I couldn't. Also, in the middle of searching for downloads, the computer just shut down completely. Hasn't done it since the scans though.

Logfile of HijackThis v1.99.1
Scan saved at 9:36:31 PM, on 5/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Desktop\All The Games\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\roctw.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {EFF80E42-AC7D-BE18-E98A-B6EDE16CC5AB} - C:\WINDOWS\atlzr.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ZBLIZ] C:\WINDOWS\ZBLIZ.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BEHKORUXB] C:\WINDOWS\BEHKORUXB.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [Fonos] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Celt] C:\Documents and Settings\mike\Application Data\noea.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AOL MessageTosser.LNK = C:\Program Files\AOL MessageTosser\aol_MT.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.char...oad/tgctlcm.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectNT.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...porter.cab?RND=
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://aol.ea.com/do...ommon/ieell.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FC89F9FA-0FEF-43DA-AE71-5C7897DC000D} (XLiteInstall Class) - http://www.cabcconne...nstall_Full.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0099FC6-48A7-42E0-AFB0-2D69506F7F4D}: NameServer = 205.188.146.145
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\mfcea.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Let me know what to do next.
Thank you
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, you have multiple infections here. I will ask you to fix them all up and see how it looks like.

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

Please download nailfix at http://users.pandora...chy/nailfix.zip (for Windows XP) or http://users.pandora...y/nailfix2k.zip (for Windows 2000) Unzip it to the desktop but do NOT run it yet.

Download KazaaBegone http://www.greyknigh...KazaaBegone.zip. This uninstaller will remove all elements from all Kazaa versions, as well as all of the bundled software that comes with it. Warning: This version has a bug that can cause your Internet connection to be broken when removing New.Net, WebHancer or CommonName. Before using KazaaBegone, download WinsockFix http://www.greyknigh.../WinsockFix.zip just in case you need it (if it breaks your internet connection).

Right click on this link and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Download AboutBuster http://www.greyknigh...AboutBuster.zip and unzip it to a folder on your the Desktop. Run AboutBuster and click OK. Click Update and then Check For Update to see if there are any updates. Close the program now.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.cmd (or nailfix2k.bat if you have Windows 2000). Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Go to Start->Run and type in services.msc and hit OK. Then look for Network Security Service (NSS) ( 11F#`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\roctw.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {EFF80E42-AC7D-BE18-E98A-B6EDE16CC5AB} - C:\WINDOWS\atlzr.dll (file missing)
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ZBLIZ] C:\WINDOWS\ZBLIZ.exe
O4 - HKLM\..\Run: [BEHKORUXB] C:\WINDOWS\BEHKORUXB.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKCU\..\Run: [Fonos] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Celt] C:\Documents and Settings\mike\Application Data\noea.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...porter.cab?RND=
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\mfcea.exe" /s (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)

Close all open windows except for HijackThis and click Fix Checked.

Uninstall Altnet Points Manager from Add/Remove panel.

Delete these if found:

C:\WINDOWS\atlzr.dll
C:\WINDOWS\isrvs\
C:\WINDOWS\ZBLIZ.exe
C:\WINDOWS\BEHKORUXB.exe
c:\program files\altnet\
C:\Program Files\Kazaa\
C:\Documents and Settings\mike\Application Data\noea.exe


Do a search for ??chost.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found. If it's not from Microsoft (or doesn't even have a version tab) and it was created recently, then delete it.

Run AboutBuster and click OK. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan.

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
3. Then post the results here.
  • 0

#3
klockdoc

klockdoc

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
I originally posted a malware problem. I then received instructions on several removal methods and was to re-post the results on my original post. This was "Virus and connection problems" posted May 27, 8:57 P.M.

The problem is, I cannot log onto the forum. Everytime I try, it does not recognize me and says the page is defaulted. The origianl reply was by greyknight17.

When I look for the post, it is not listed in the forum! I logged under this time through Internet Explorer. It would not accept it under AOL.

I would try to post to the original, but I am afraid that I might not be able to get on again. I think I got lucky this time.

If someone has some ideas why I cannot get on or locate my original post, please advise.

Here is the aboutBlaster list and my highjackthis log as previously requested. Maybe this will help.

Here is the original suggestion by greyknight17:OK, you have multiple infections here. I will ask you to fix them all up and see how it looks like.

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

Please download nailfix at http://users.pandora.be/bluepatchy/
nailfix.zip (for Windows XP) or http://users.pandora.be/bluepatchy/
nailfix2k.zip (for Windows 2000) Unzip it to the desktop
but do NOT run it yet.

Download KazaaBegone http://www.greyknigh...KazaaBegone.zip.
This uninstaller will remove all elements from all Kazaa versions,
as well as all of the bundled software that comes with it. Warning:
This version has a bug that can cause your Internet connection to
be broken when removing New.Net, WebHancer or CommonName. Before
using KazaaBegone, download WinsockFix http://www.greyknight17.com/
spy/WinsockFix.zip just in case you need it (if it breaks your
internet connection).

Right click on this link and choose Save As. Save it to your
desktop. Right click on that file and choose Install. It will run
immediately (you won't be able to see anything happen). You may
delete it afterwards.

Download AboutBuster http://www.greyknigh...AboutBuster.zip
and unzip it to a folder on your the Desktop. Run AboutBuster and
click OK. Click Update and then Check For Update to see if there
are any updates. Close the program now.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu
shows up (and choose Safe Mode from the list). In some systems, this
may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.cmd (or
nailfix2k.bat if you have Windows 2000). Your desktop and icons
will disappear and reappear, and a window should open and close
very quickly --- this is normal.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Go to Start->Run and type in services.msc and hit OK. Then look
for Network Security Service (NSS) ( 11F#`I) and double
click on it. Click on the Stop button and under Startup type,
choose Disabled.

Run a scan in HijackThis. Check each of the following and hit
'Fix checked' (after checking them) if they still exist (make
sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
= res://C:\WINDOWS\roctw.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {EFF80E42-AC7D-BE18-E98A-B6EDE16CC5AB} -
C:\WINDOWS\atlzr.dll (file missing)
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ZBLIZ] C:\WINDOWS\ZBLIZ.exe
O4 - HKLM\..\Run: [BEHKORUXB] C:\WINDOWS\BEHKORUXB.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\
points manager\points manager.exe -s
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKCU\..\Run: [Fonos] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Celt] C:\Documents and Settings\mike\Application
Data\noea.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
(MiniBugTransporterX Class) - http://download.weatherbug.com/
minibug/tri...porter.cab?RND=
O23 - Service: Network Security Service (NSS) ( 11F#`I)
- Unknown owner - C:\WINDOWS\system32\mfcea.exe" /s (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner -
c:\windows\SvcProc.exe (file missing)

Close all open windows except for HijackThis and click Fix Checked.

Uninstall Altnet Points Manager from Add/Remove panel.

Delete these if found:

C:\WINDOWS\atlzr.dll
C:\WINDOWS\isrvs\
C:\WINDOWS\ZBLIZ.exe
C:\WINDOWS\BEHKORUXB.exe
c:\program files\altnet\
C:\Program Files\Kazaa\
C:\Documents and Settings\mike\Application Data\noea.exe

Do a search for ??chost.exe and right click on any of the files
found. Go to Properties->Version tab and see if it's from Microsoft.
Do this for each file found. If it's not from Microsoft (or doesn't
even have a version tab) and it was created recently, then delete it.

Run AboutBuster and click OK. Click Start->OK and then follow the rest
of the prompts to scan (choose Yes/OK for all). It will ask you if
you want a second scan, choose Yes. Save the log file and post it here.

Restart your computer in normal mode and post a new HijackThis log, as
well as the log from the Ewido scan.

Download FindIt's.zip to your desktop: http://forums.net-integration.net/
index.ph...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad
to open a text file. It will take a while so please be patient ...
3. Then post the results here.

Here is the results. I couldn't get a log from ewido. It did not have that function or wouldn't allow me to copy and paste.

Aboutlaster

Scanned at: 2:54:06 AM on: 5/29/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

HighJackthis:
Logfile of HijackThis v1.99.1
Scan saved at 3:01:17 AM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Adobe\Web\AOM.exe
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\Documents and Settings\All Users\Desktop\All The Games\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AOL MessageTosser.LNK = C:\Program Files\AOL MessageTosser\aol_MT.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.char...oad/tgctlcm.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectNT.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://aol.ea.com/do...ommon/ieell.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FC89F9FA-0FEF-43DA-AE71-5C7897DC000D} (XLiteInstall Class) - http://www.cabcconne...nstall_Full.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\mfcea.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Sorry for the inconvience and multiple posts, but I didn't know where to turn
  • 0

#4
klockdoc

klockdoc

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
couldnot get ewido log. I have been having multiple problems even getting logged on the forum. Please read post on May 29, 12:0 CST

Anyway here are the results

AboutBlaster
Scanned at: 2:54:06 AM on: 5/29/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

HighJackThis log

Logfile of HijackThis v1.99.1
Scan saved at 3:01:17 AM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Adobe\Web\AOM.exe
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\Documents and Settings\All Users\Desktop\All The Games\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AOL MessageTosser.LNK = C:\Program Files\AOL MessageTosser\aol_MT.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.char...oad/tgctlcm.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectNT.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://aol.ea.com/do...ommon/ieell.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FC89F9FA-0FEF-43DA-AE71-5C7897DC000D} (XLiteInstall Class) - http://www.cabcconne...nstall_Full.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\mfcea.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thank you
  • 0

#5
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, I merged your two posts. You should be able to find your topic by logging in and then going to My Posts (top right corner) and then scroll down a little and look for View Topic (under Subscriptions) on the left pane. Click on that and look for your topic.

OK, I don't know why this is showing up multiple times, so upload this file (C:\WINDOWS\System32\SNDVOL32.EXE) to this site and submit it. Wait for the analysis and post it here.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Go to Start->Run and type in services.msc and hit OK. Then look for Network Security Service (NSS) ( 11F#`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\mfcea.exe" /s (file missing)

Run AboutBuster and click OK. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Restart and run a new HijackThis scan. Save the log file and post it here.
  • 0

#6
klockdoc

klockdoc

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
Here is the new changes you requested. Read about the file attached attached at the end of this message before downloading

AboutBlaster
Scanned at: 2:54:06 AM on: 5/29/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 7:13:42 PM on: 5/29/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Removed 3 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

HighJackThis file

Logfile of HijackThis v1.99.1
Scan saved at 8:01:08 PM, on 5/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\All Users\Desktop\All The Games\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AOL MessageTosser.LNK = C:\Program Files\AOL MessageTosser\aol_MT.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.char...oad/tgctlcm.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectNT.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://aol.ea.com/do...ommon/ieell.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FC89F9FA-0FEF-43DA-AE71-5C7897DC000D} (XLiteInstall Class) - http://www.cabcconne...nstall_Full.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I have attached the file you requested. But I changed the extention because it would not allow an .exe file

Also, I keep getting a homepage request to change to google, even after we have used all the requested programs?
  • 0

#7
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Do you want Google to be your homepage? If not, set it to remember that setting and deny the change.

What attachment? I don't see it here. I suggest uploading that file to the site I gave you earlier instead of attaching it here. It should tell you if it's a good or bad file. Just copy the report you get from that site and paste it here.
  • 0

#8
klockdoc

klockdoc

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
Jotti's malware scan 2.99-TRANSITION_TO_3.00

File to upload & scan:
Service
Service load: 0% 100%

File: sndvol32.exe
Status: OK
MD5 7df33946b5911e75320cca9ac1a3492b
Packers detected: -
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing


I have a lot of static in the speakers.

MicroSoft, Spyware betea, also found a virus UCmore atached to this file. I deleted it but it still has static.
  • 0

#9
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Do you see UCmore listed in the Add/Remove panel? If so, uninstall it there. Then go to C:\Program Files\ and delete the UCmore folder if it exists.

For the sound problem, try reinstalling the drivers for the sound card if they require drivers. Right click on My Computer->Properties->Hardware->Device Manager and look for the Sound/Audio entry for your sound card. Delete/Remove it. Restart and reinstall the drivers.

I would also check to make sure you didn't adjust any sound settings before this problem occurred.

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP