This entry is the problem. Still nothing new on fixing it with SP2 I'm afraid.
O20 - AppInit_DLLs: C:\WINDOWS\System32\KBDPO813n.dll
Help
Started by
Gunnie
, Aug 18 2004 08:43 PM
#16
Posted 29 August 2004 - 11:29 PM
#17
Posted 13 September 2004 - 06:26 AM
Have you heard anything? I am still having problems.
#18
Posted 13 September 2004 - 03:00 PM
Let's see a fresh Hijack This log.
#19
Posted 13 September 2004 - 08:14 PM
Okay guys, here it is:
Logfile of HijackThis v1.98.2
Scan saved at 10:12:21 PM, on 9/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Office mouse\1.1\moffice.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Office mouse\1.1\MOUSE32A.DAT
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Documents and Settings\Kimberly Angel\Start Menu\Programs\Startup\mprocessor.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\Program Files\United Devices\UD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\United Devices\ud_7174683.exe
C:\Program Files\United Devices\ud_7174683_0.dir\ud_ligfit_Release.exe
C:\DOCUME~1\KIMBER~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D6F5-F66EA787AD2D} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office mouse\1.1\moffice.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [lexlmpm339p.exe] "C:\WINDOWS\System32\lexlmpm339p.exe"
O4 - HKCU\..\Run: [dsprpres954b.exe] "C:\WINDOWS\system32\dsprpres954b.exe"
O4 - Startup: data.dat
O4 - Startup: first.awp
O4 - Startup: initial.cfg
O4 - Startup: main.cfg
O4 - Startup: mprocessor.exe
O4 - Startup: second.awp
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Global Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {2D16FCD6-5320-4F0D-941B-F9D02E8D6CD9} - (no file) (HKCU)
O9 - Extra button: (no name) - {3B00D678-1840-41BF-B965-B216941B58C0} - (no file) (HKCU)
O9 - Extra button: (no name) - {4D264F09-53D9-41BE-8DE9-09412209A237} - (no file) (HKCU)
O9 - Extra button: (no name) - {662984D5-39E1-47C2-B833-37185608720C} - (no file) (HKCU)
O9 - Extra button: (no name) - {BB397663-56E1-49B4-80D5-8E6E348BF19A} - (no file) (HKCU)
O9 - Extra button: (no name) - {C467EAE0-DACF-4813-BC4C-2CCBAB82B30B} - (no file) (HKCU)
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestat...ab?ver=1,1,0,32
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.side...00719/sb028.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,19/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D0D0DA9-20C8-4B9F-8DAB-010E8F89A158}: NameServer = 204.117.214.10,199.2.252.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D0D0DA9-20C8-4B9F-8DAB-010E8F89A158}: NameServer = 204.117.214.10,199.2.252.10
O20 - AppInit_DLLs: C:\WINDOWS\System32\KBDPO813n.dll
#20
Posted 14 September 2004 - 09:25 AM
First download the latest Visual Basic Runtime: http://www.microsoft...&displaylang=en
Next, let's try this again... Mosaic1 has created a bat file that should help us, download it from here.
http://www.geekstogo...=download&id=34
A few setup items we need to do first: make sure you can view all hidden files and folders; use this link for help.
http://www.xtra.co.n...1916458,00.html
Next, review this article How to take ownership of a file or folder in Windows XP
Sign Off the Internet and Stay Off Until All Steps Are Finished
Extract the batch file (hiving.bat) and run it. If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box. Double click on the batch to run it. After a reboot the super hidden nasty file will no longer be loaded and will be visible.
Restart into Safe mode and find this file:
C:\WINDOWS\System32\KBDPO813n.dll
Right click on the file and choose properties.
Use the security tab on .dll and take ownership.
Change the 'everyone special' to 'you' with Admin rights -> FULL control.
Then try to delete it; if that fails, try to rename it first to a different name+ext.
Example:
ctl.dll > bleh.txt
bleh.txt > badfile.111
Once you have successfully deleted the file restart into Regular Windows mode.
Run CWShredder immediately. Press the 'Fix' button to clean.
Run Ad-aware
Restart.
Report back if you're successful or not.
#21
Posted 16 September 2004 - 12:42 PM
Okay, I think I was successful. I did everything according to your instructions (I think) and here is a fresh HijackThis log:
Logfile of HijackThis v1.98.2
Scan saved at 2:37:29 PM, on 9/16/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Office mouse\1.1\moffice.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Office mouse\1.1\MOUSE32A.DAT
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\Program Files\United Devices\UD.EXE
C:\Program Files\United Devices\ud_7174683.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\United Devices\ud_7174683_0.dir\ud_ligfit_Release.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\KIMBER~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uchase.co...php?ask=&a=1367
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D6F5-F66EA787AD2D} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office mouse\1.1\moffice.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [lexlmpm339p.exe] "C:\WINDOWS\System32\lexlmpm339p.exe"
O4 - HKCU\..\Run: [dsprpres954b.exe] "C:\WINDOWS\system32\dsprpres954b.exe"
O4 - Startup: data.dat
O4 - Startup: first.awp
O4 - Startup: initial.cfg
O4 - Startup: main.cfg
O4 - Startup: mprocessor.exe
O4 - Startup: replacer.exe
O4 - Startup: second.awp
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Global Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {2D16FCD6-5320-4F0D-941B-F9D02E8D6CD9} - (no file) (HKCU)
O9 - Extra button: (no name) - {3B00D678-1840-41BF-B965-B216941B58C0} - (no file) (HKCU)
O9 - Extra button: (no name) - {4D264F09-53D9-41BE-8DE9-09412209A237} - (no file) (HKCU)
O9 - Extra button: (no name) - {662984D5-39E1-47C2-B833-37185608720C} - (no file) (HKCU)
O9 - Extra button: (no name) - {7CA97BBE-FD18-4B8D-8469-AFC727749B50} - (no file) (HKCU)
O9 - Extra button: (no name) - {A38C9E3C-C1D2-4E20-8C80-79546D2F6681} - (no file) (HKCU)
O9 - Extra button: (no name) - {B6B0437E-FDAD-49FF-80DC-11AC73EFA136} - (no file) (HKCU)
O9 - Extra button: (no name) - {BB397663-56E1-49B4-80D5-8E6E348BF19A} - (no file) (HKCU)
O9 - Extra button: (no name) - {C467EAE0-DACF-4813-BC4C-2CCBAB82B30B} - (no file) (HKCU)
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestat...ab?ver=1,1,0,32
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.side...00719/sb028.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,19/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D0D0DA9-20C8-4B9F-8DAB-010E8F89A158}: NameServer = 204.117.214.10,199.2.252.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D0D0DA9-20C8-4B9F-8DAB-010E8F89A158}: NameServer = 204.117.214.10,199.2.252.10
O20 - AppInit_DLLs: C:\WINDOWS\system32\igfxres597u.dll
When I was taking ownership of the KBDPO813N.DLL, there were other users that also looked like they had access. I don't know if that makes any difference but wanted you to know that. Also, my PC shows 3 administrators, and one of them, called "special experiment", mysteriously showed up about the time all this **** started happening. Can you walk me through deleting this stuff or should I start a new thread? Thanks for all your help so far. You guys are the best!
#22
Posted 16 September 2004 - 12:46 PM
Also, all the files in the log at O4 Startup show up at startup as not accessible.
#23
Posted 16 September 2004 - 01:19 PM
The file name changed, so let's try this again.
Mosaic1 has created a bat file that should help us, download it from here.
http://www.geekstogo...=download&id=34
A few setup items we need to do first: make sure you can view all hidden files and folders; use this link for help.
http://www.xtra.co.n...1916458,00.html
Next, review this article How to take ownership of a file or folder in Windows XP
Sign Off the Internet and Stay Off Until All Steps Are Finished
Extract the batch file (hiving.bat) and run it. If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box. Double click on the batch to run it. After a reboot the super hidden nasty file will no longer be loaded and will be visible.
Restart into Safe mode and find this file:
C:\WINDOWS\System32\igfxres597u.dll
Right click on the file and choose properties.
Use the security tab on .dll and take ownership.
Change the 'everyone special' to 'you' with Admin rights -> FULL control.
Then try to delete it; if that fails, try to rename it first to a different name+ext.
Example:
ctl.dll > bleh.txt
bleh.txt > badfile.111
Once you have successfully deleted the file restart into Regular Windows mode.
Run CWShredder immediately. Press the 'Fix' button to clean.
Run Ad-aware
Restart.
Report back if you're successful or not.
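The pattern this thread is chasing, as an added example (not code from the thread, from Mosaic1's batch file or from HijackThis itself): a small Python triage script that parses HijackThis-style entry lines, ranks the O20 AppInit_DLLs entry and the HKCU Run entries that share its random-suffix naming ahead of the orphaned toolbar and start-page lines, and diffs two scans so that a DLL which was deleted and came back under a new name (KBDPO813n.dll reappearing as igfxres597u.dll) is reported as a re-spawn rather than as a clean result. The sample lines are constructed from the logs above, not full logs; the random-name heuristic (a run of letters, exactly three digits, one trailing letter) is an assumption fitted to the names seen in this thread, not a rule from any tool.

```python
import re

# Constructed samples in the shape of the thread's logs (a few lines each, not full logs).
SCAN_BEFORE = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D6F5-F66EA787AD2D} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [lexlmpm339p.exe] "C:\WINDOWS\System32\lexlmpm339p.exe"
O4 - HKCU\..\Run: [dsprpres954b.exe] "C:\WINDOWS\system32\dsprpres954b.exe"
O20 - AppInit_DLLs: C:\WINDOWS\System32\KBDPO813n.dll
"""

SCAN_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uchase.co...php?ask=&a=1367
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D6F5-F66EA787AD2D} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [lexlmpm339p.exe] "C:\WINDOWS\System32\lexlmpm339p.exe"
O20 - AppInit_DLLs: C:\WINDOWS\system32\igfxres597u.dll
"""

# An entry line: section code (R0, O4, O20, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# A quoted drive-letter path, or an unquoted one running to the next whitespace.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')
# Heuristic (assumption) fitted to the names in this thread: letters, exactly three
# digits, one trailing letter (lexlmpm339p, dsprpres954b, KBDPO813n, igfxres597u).
GENERATED_RE = re.compile(r"^[a-z]+\d{3}[a-z]$", re.IGNORECASE)


def parse_log(text):
    """Return (section, body) pairs for every entry line; process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def extract_paths(body):
    """Pull every drive-letter path out of an entry body."""
    return [quoted or unquoted for quoted, unquoted in PATH_RE.findall(body)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def looks_generated(filename):
    """True when the file's stem matches the random-suffix naming pattern above."""
    stem = filename.rsplit(".", 1)[0]
    return bool(GENERATED_RE.match(stem))


def triage(text):
    """Rank entries a helper would look at first, as (severity, section, note) tuples."""
    findings = []
    for section, body in parse_log(text):
        paths = extract_paths(body)
        generated = [p for p in paths if looks_generated(basename(p))]
        if section == "O20":
            # AppInit_DLLs is loaded into every process that links user32.dll, so any
            # non-empty value is worth a look; a generated name raises it to high.
            sev = "high" if generated else "medium"
            findings.append((sev, section, "AppInit_DLLs loads " + (paths[0] if paths else body)))
        elif section == "O4" and generated:
            findings.append(("high", section, "Run entry with generated name: " + generated[0]))
        elif section in ("R0", "R1") and "http" in body:
            findings.append(("medium", section, "browser page set to " + body.split("=", 1)[-1].strip()))
        elif "(no file)" in body:
            findings.append(("low", section, "orphaned registration: " + body))
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f[0]])  # stable: keeps log order within a severity
    return findings


def diff_appinit(before, after):
    """Compare O20 entries across two scans to catch a DLL that came back renamed."""
    def appinit_paths(text):
        return {p for s, b in parse_log(text) if s == "O20" for p in extract_paths(b)}
    old, new = appinit_paths(before), appinit_paths(after)
    removed, added = sorted(old - new), sorted(new - old)
    # Something was deleted and a fresh generated-looking DLL took its place.
    reappeared = bool(removed) and any(looks_generated(basename(p)) for p in added)
    return {"removed": removed, "added": added, "reappeared": reappeared}


if __name__ == "__main__":
    for sev, sec, note in triage(SCAN_AFTER):
        print(f"[{sev:<6}] {sec:<3} {note}")
    print(diff_appinit(SCAN_BEFORE, SCAN_AFTER))
```

Run it against two saved logs in sequence: a clean O20 diff means the AppInit_DLLs value actually stayed empty after the reboot, while `reappeared` being true is the signal in post #23 above that the same loader has written itself back under a new name and the removal steps have to be repeated.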
#24
Posted 16 September 2004 - 01:42 PM
Before I proceed, when I go to take ownership, these 3 names all show ownership, Administrators, Kimberly Angel, and System. Should all 3 have ownership?
#25
Posted 16 September 2004 - 01:47 PM
Just take ownership for the login that you're currently signed in with.
#26
Posted 19 September 2004 - 11:52 AM
Okay, I went into safe mode and took ownership for the administrator, since that is what I logged in as, and denied the others since they all had full control. I deleted the file, ran CWShredder & Ad-aware, then restarted. Here is my new HijackThis log:
Logfile of HijackThis v1.98.2
Scan saved at 1:49:05 PM, on 9/19/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Office mouse\1.1\moffice.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Office mouse\1.1\MOUSE32A.DAT
C:\Program Files\United Devices\UD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\Program Files\United Devices\ud_7174683.exe
C:\Program Files\United Devices\ud_7174683_0.dir\ud_ligfit_Release.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\KIMBER~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uchase.co...php?ask=&a=1367
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D6F5-F66EA787AD2D} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office mouse\1.1\moffice.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [lexlmpm339p.exe] "C:\WINDOWS\System32\lexlmpm339p.exe"
O4 - HKCU\..\Run: [dsprpres954b.exe] "C:\WINDOWS\system32\dsprpres954b.exe"
O4 - Startup: data.dat
O4 - Startup: first.awp
O4 - Startup: initial.cfg
O4 - Startup: main.cfg
O4 - Startup: mprocessor.exe
O4 - Startup: replacer.exe
O4 - Startup: second.awp
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Global Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {2D16FCD6-5320-4F0D-941B-F9D02E8D6CD9} - (no file) (HKCU)
O9 - Extra button: (no name) - {3B00D678-1840-41BF-B965-B216941B58C0} - (no file) (HKCU)
O9 - Extra button: (no name) - {4D264F09-53D9-41BE-8DE9-09412209A237} - (no file) (HKCU)
O9 - Extra button: (no name) - {662984D5-39E1-47C2-B833-37185608720C} - (no file) (HKCU)
O9 - Extra button: (no name) - {7CA97BBE-FD18-4B8D-8469-AFC727749B50} - (no file) (HKCU)
O9 - Extra button: (no name) - {A38C9E3C-C1D2-4E20-8C80-79546D2F6681} - (no file) (HKCU)
O9 - Extra button: (no name) - {B6B0437E-FDAD-49FF-80DC-11AC73EFA136} - (no file) (HKCU)
O9 - Extra button: (no name) - {BB397663-56E1-49B4-80D5-8E6E348BF19A} - (no file) (HKCU)
O9 - Extra button: (no name) - {C467EAE0-DACF-4813-BC4C-2CCBAB82B30B} - (no file) (HKCU)
O9 - Extra button: (no name) - {CFEF1098-0874-48C9-819C-D53F13359377} - (no file) (HKCU)
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestat...ab?ver=1,1,0,32
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.side...00719/sb028.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,19/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D0D0DA9-20C8-4B9F-8DAB-010E8F89A158}: NameServer = 204.117.214.10,199.2.252.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D0D0DA9-20C8-4B9F-8DAB-010E8F89A158}: NameServer = 204.117.214.10,199.2.252.10
O20 - AppInit_DLLs: C:\WINDOWS\system32\msconf979t.dll
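The O20 entry above is the recurring symptom in this thread: the DLL name changes after every removal (KBDPO813n.dll, igfxres597u.dll, msconf979t.dll), and the O4 Run entries carry the same driver-lookalike naming pattern. The following script is an added example, not part of the thread or of HijackThis, that parses O4/O20 lines in HijackThis 1.98 format and flags that pattern; the sample log lines are constructed from entries quoted in this thread, and the name heuristic (3 to 8 letters, 3 digits, 1 letter) is an assumption based on those five names.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in HijackThis v1.98 format, modelled on the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [lexlmpm339p.exe] "C:\WINDOWS\System32\lexlmpm339p.exe"
O4 - HKCU\..\Run: [dsprpres954b.exe] "C:\WINDOWS\system32\dsprpres954b.exe"
O4 - Startup: replacer.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\msconf979t.dll
"""

# Heuristic (assumed from the names seen in this thread): a plausible system-style
# prefix, three digits, one letter, then .dll or .exe, e.g. igfxres597u.dll.
RANDOM_NAME = re.compile(r"^[a-z]{3,8}\d{3}[a-z]\.(?:dll|exe)$", re.I)

# "O4 - HKCU\..\Run: [name] "path" args" or "O20 - AppInit_DLLs: path"
ENTRY = re.compile(r"^(?P<section>O4|O20) - (?P<kind>[^:]+): (?P<rest>.*)$")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)', re.I)


def parse_entries(log: str) -> List[Dict[str, str]]:
    """Return the O4 and O20 lines as (section, kind, target) records."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # process list, R0, O2, O9 ... are not persistence entries we inspect here
        rest = m.group("rest")
        # Prefer a full Windows path; Startup-folder items are listed by bare filename.
        path = WIN_PATH.search(rest)
        target = path.group(0) if path else rest.split(" = ")[0]
        entries.append({"section": m.group("section"), "kind": m.group("kind").strip(), "target": target})
    return entries


def flag_suspicious(entries: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Flag AppInit_DLLs entries and randomised driver-lookalike filenames."""
    findings = []
    for e in entries:
        fname = e["target"].rsplit("\\", 1)[-1]
        reasons = []
        if e["kind"] == "AppInit_DLLs":
            # Normally empty; anything listed is loaded into every process that loads user32.dll.
            reasons.append("AppInit_DLLs entry: DLL injected into every user32-linked process")
        if RANDOM_NAME.match(fname):
            reasons.append("driver-lookalike name with 3 digits + 1 letter (regenerated after each removal)")
        if reasons:
            findings.append((e["section"], fname, reasons))
    return findings


if __name__ == "__main__":
    for section, fname, reasons in flag_suspicious(parse_entries(SAMPLE_LOG)):
        print(f"{section} {fname}: " + "; ".join(reasons))
```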
#27
Posted 20 September 2004 - 07:31 AM
Something seems to be interfering. Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/
And a free trojan scan here:
http://www.moosoft.com/