
Free baked goods in exchange for help! [RESOLVED]



#16
Excal

Hi meghani,

DO NOT TRY TO DELETE WININET.DLL

This is a very important File. Granted yours might be infected, but there are a few copies of it located on your system and we wouldn't want you to delete the wrong one; if you happen to, you would most likely have lost internet connection and Internet Explorer!


;) There we got that out of the way....lol

Sorry I didn't get a fix to you last night, I lost internet connection due to a storm ;)

Will have something up for you in the hour :help:

:tazz:

Excal


#17
Excal

Hi meghani,

Please go here and upload

C:\Windows\System32\wininet.dll

then please post the results in your next reply.





DOWNLOAD PROGRAMS


Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Download file delete.rtf and save it to your desktop for now


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {70AB6A13-94F0-513A-F548-18F7897AEA93} - C:\WINDOWS\system32\appsd.dll
O4 - HKLM\..\Run: [ntsg32.exe] C:\WINDOWS\ntsg32.exe


7. Click the Fix Checked box.


8. Please run Killbox.
  • Select "Delete on Reboot".
  • Open the Delete.rtf file, and copy the file names from it to the clipboard by highlighting them and pressing Control-C:
  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
9. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

10. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.

Edited by Excal, 28 June 2005 - 09:34 AM.


#18
meghani

Thanks for the response. I'm back at work today, so it will be past 6PM Pacific time before I have a chance to try these steps.

I'll let you know the results once I get a chance tonight, but I'm assuming you're on Eastern time?

I'm getting to the point where I wonder if reformatting/reinstalling everything isn't just the best option, but there's so much on this computer that I just REALLY don't want to do that, if I can avoid it. Plus, I have no idea where half of my original installation media is, etc.

In the meantime, can you suggest what might have caused this infection? I can't get past the fact that it seems as though things got markedly worse just after I switched out my wired modem for a wireless one, although the affected computer was never connecting wirelessly.

Thanks again for all your help!

#19
Excal


I'm getting to the point where I wonder if reformatting/reinstalling


ACK!!! Never say the "R" word at GeeksToGo!!!!!! You may not believe this, but we are almost done. I bet after you finish this fix and post a fresh HJT and Active scan logs, you will be surprised at what you see! Don't give up on me!!! We can do it ;)

As far as how you got infected: there are a number of ways that someone can get infected. Opening an email attachment someone sends you who is infected, surfing the web and going to naughty sites. Sometimes even the most innocent sites will get you infected. You might find this article good reading: How I got Infected

When we finish cleaning you up, I am going to give you a list of FREE programs that are safe and will help you keep malware off your system. After I post that, feel free to ask me any questions about it that you may have :help: But until then, let's clean you up ;)



Thanks,

:tazz:
Excal

#20
meghani

Sorry for mentioning the R word earlier - it wasn't a lack of confidence, just frustration on my part. I place myself (and this infernal computer) in your capable hands, at least until you tell me it's ok to convince my husband that the ONLY possible solution is a new computer! ;-)

OK, here's what I did and how it went:

I couldn't upload wininet.dll. I got a message on the site that the file I was uploading had a size of 0 so something was preventing me from uploading it.

Ran HiJack in Safe mode and Normal mode, deleted indicated items. New HiJack log below.

Ran Killbox per your instructions.

Ran ActiveScan. New log attached.

Norton is still reporting wininet.dll infected with w32.desktophijack (unfixable, access denied) and oleadm.dll infected with trojan.desktophijack.B (unfixable, access denied).

Many thanks for your continued assistance. I await further direction (though given the time difference, I understand it will likely be tomorrow.)

Logfile of HijackThis v1.99.1
Scan saved at 9:39:34 PM, on 6/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Meghan\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nguak.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nguak.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nguak.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nguak.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nguak.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nguak.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nguak.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...55/sdcregie.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://ak.imgag.com/...stall/AxCtp.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://64.143.186.13...Q/bin/WebIQ.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend...ets/msie40x.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.del...t/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.co...file=stamps.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.crtvg.es/camweb/camera.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.14...geWell-ipix.cab
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#21
meghani

One more question - given the current state of this computer, is it safe to do things like online banking, updating my financial records in Quicken, etc.? I mean, is this stuff just pure nuisance (which it is) or is it genuinely dangerous from a security perspective?

I have been avoiding doing any household business on this computer while it has been afflicted, but if I don't balance the checkbook soon, I'm going to have some problems, especially given last week's vacation!

Thanks again,
meghani

#22
Excal

Hi meghani,

Well, somehow you got another infection :tazz:. I would suggest that you do nothing online until we get you cleaned and protected. I don't think we are that far away from being clean ;)
We will deal with the wininet problem when we finish this ;)




DOWNLOAD PROGRAMS


Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save programs to your desktop for easy access, Please do not run any of the programs unless told to do so.

Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix)


Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder

THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

5. Close all browsers, windows and unneeded programs.

6. Open HiJack and do a scan.

7. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nguak.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nguak.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nguak.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nguak.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nguak.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nguak.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nguak.dll/sp.html#37049


8. Click the Fix Checked box.

9. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\nguak.dll

10. Please run about:buster by RubbeRDuckY:
  • Click Begin Removal.
  • It will begin to check your computer for malicious files.
  • AboutBuster will finish and open a new page. Follow the instructions for protection on that page.
  • Shut down AboutBuster. A log should have been created. Please save this log and copy it in your next post.
11. Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

12. Run the program CleanUp!

13. Please run this online scan and save the log: Kaspersky

14. Post all logs that you ran here please :help:
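The HijackThis lines Excal picked out of the log in post #20 (the res://nguak.dll search entries, the missing URLSearchHook, the nameless BHO appsd.dll and the ntsg32.exe Run entry) follow a few recognisable patterns. As an added example, not part of this thread or of HijackThis itself, here is a small Python triage script that applies those same patterns to a log; the sample lines are copied from the logs posted above, and the heuristics are assumptions for triage, not a verdict.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of the HijackThis v1.99.1 logs posted in this
# thread: the hijack lines are copied from the page, the rest are benign entries
# from the same logs so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nguak.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nguak.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {70AB6A13-94F0-513A-F548-18F7897AEA93} - C:\WINDOWS\system32\appsd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ntsg32.exe] C:\WINDOWS\ntsg32.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
"""

# R0/R1: Internet Explorer start/search settings ("key,value = data").
R_SETTING = re.compile(r"^R[01] - (?P<key>.+?) =\s*(?P<data>.*)$")
# R3: HijackThis reports the default URLSearchHook as missing.
R3_MISSING = re.compile(r"^R3 - Default URLSearchHook is missing$")
# O2: Browser Helper Objects ("name - {CLSID} - path").
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
# O4: Run-key autostarts ("[label] command").
O4_RUN = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<command>.+)$")
# A res:// reference whose "host" is a DLL, e.g. res://C:\WINDOWS\nguak.dll/sp.html#37049
RES_DLL = re.compile(r"^res://(?P<dll>[^/]+\.dll)/", re.IGNORECASE)
# An executable sitting directly in the Windows folder (no subdirectory).
WINDIR_EXE = re.compile(r'^"?[A-Za-z]:\\WINDOWS\\(?P<exe>[^\\\s"]+\.exe)"?', re.IGNORECASE)


def triage_hjt(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if R3_MISSING.match(line):
            findings.append((line, "default URLSearchHook missing: typical residue of a search hijack"))
            continue
        m = R_SETTING.match(line)
        if m:
            # A search/start page should be an http(s) URL or about:blank; a page served
            # out of a DLL's resource section is the hijack pattern seen in this thread.
            dll = RES_DLL.match(m.group("data"))
            if dll:
                findings.append((line, f"IE search/start setting loads a page embedded in {dll.group('dll')}"))
            continue
        m = O2_BHO.match(line)
        if m:
            # Legitimate BHOs carry a product name; the rogue one here was just "Class".
            name, path = m.group("name").strip(), m.group("path").lower()
            if name in ("", "Class") and "\\system32\\" in path:
                findings.append((line, "BHO with no descriptive name loaded from system32"))
            continue
        m = O4_RUN.match(line)
        if m:
            # Heuristic: a Run entry whose label is just the file name of an .exe dropped
            # straight into C:\WINDOWS (vendor entries like [UpdReg] use a product label).
            exe = WINDIR_EXE.match(m.group("command"))
            if exe and exe.group("exe").lower() == m.group("label").lower():
                findings.append((line, "Run entry named after an executable dropped directly in C:\\WINDOWS"))
            continue
    return findings


def lines_to_check(findings: List[Tuple[str, str]]) -> List[str]:
    """The lines you would tick in HijackThis before pressing 'Fix checked'."""
    return [line for line, _ in findings]


if __name__ == "__main__":
    for line, why in triage_hjt(SAMPLE_LOG):
        print(f"{why}\n    {line}")
```

The benign Norton, UpdReg and dellnet.com entries are deliberately included so you can see the heuristics leave them alone; anything the script flags still needs a human to confirm before it is fixed.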

#23
meghani

OK, here are the results:

CWShredder: nothing found to fix

HiJack: Found most, but not all, of the items you wanted removed, removed them. New log follows.

About:buster: Log follows.

Spsehjfix: Log follows.

CleanUp!: Holy cow, it deleted a LOT!

Kaspersky: Scanning now, will post results later.

Thanks AGAIN for all your help and patience. Are we getting there?

Logfile of HijackThis v1.99.1
Scan saved at 12:29:27 AM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Meghan\Desktop\New Folder\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...55/sdcregie.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://ak.imgag.com/...stall/AxCtp.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://64.143.186.13...Q/bin/WebIQ.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend...ets/msie40x.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.del...t/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.co...file=stamps.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.crtvg.es/camweb/camera.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.14...geWell-ipix.cab
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#24
meghani

AboutBuster 5.0 reference file 30
Scan started on [6/29/2005] at [12:11:17 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\cdplayer.ini:fnqxlj
Removed Stream! C:\WINDOWS\COMSETUP.LOG:glrjje
Removed Stream! C:\WINDOWS\Cook'n99.ini:qhuqiw
Removed Stream! C:\WINDOWS\COOKN.REG:sfknqa
Removed Stream! C:\WINDOWS\dahotfix.log:bixbej
Removed Stream! C:\WINDOWS\dahotfix.log:jonhi
Removed Stream! C:\WINDOWS\dasetup.log:mpfst
Removed Stream! C:\WINDOWS\EXPLORER.SCF:xrqkp
Removed Stream! C:\WINDOWS\Greenstone.bmp:zpavc
Removed Stream! C:\WINDOWS\hpfsched.ini:tsxzt
Removed Stream! C:\WINDOWS\ipixActivex.ini:shqxb
Removed Stream! C:\WINDOWS\KB823559.log:hnlcm
Removed Stream! C:\WINDOWS\KB828028.log:vbmvz
Removed Stream! C:\WINDOWS\ODBC.INI:vjjyv
Removed Stream! C:\WINDOWS\Q323255.log:ylfnm
Removed Stream! C:\WINDOWS\Q329115.log:lmdjex
Removed Stream! C:\WINDOWS\Q329170.log:myjex
Removed Stream! C:\WINDOWS\Q817287.log:ibppq
Removed Stream! C:\WINDOWS\REGLOCS.OLD:hzsvil
Removed Stream! C:\WINDOWS\REGOPT.LOG:avqozf
Removed Stream! C:\WINDOWS\River Sumida.bmp:azdadv
Removed Stream! C:\WINDOWS\sessmgr.setup.log:lwbzva
Removed Stream! C:\WINDOWS\SETUPERR.LOG:dxmmpc
Removed Stream! C:\WINDOWS\SND531unin.txt:tfleqd
Removed Stream! C:\WINDOWS\SND531unin.txt:wyerjn
Removed Stream! C:\WINDOWS\wmsetup.log:nmbolu
Removed Stream! C:\WINDOWS\{00000002-00000000-00000009-00001102-00000004-10031102}.BAK:qneghh
------------------------------------------------
Removed File! : C:\Windows\appnr32.exe
Removed File! : C:\Windows\atlea.exe
Removed File! : C:\Windows\atljr32.exe
Removed File! : C:\Windows\atlub.exe
Removed File! : C:\Windows\d3nx32.exe
Removed File! : C:\Windows\d3ui32.exe
Removed File! : C:\Windows\d3us.exe
Removed File! : C:\Windows\d3xh32.exe
Removed File! : C:\Windows\d3xq.exe
Removed File! : C:\Windows\d3yv.exe
Removed File! : C:\Windows\ieam.exe
Removed File! : C:\Windows\iebq.exe
Removed File! : C:\Windows\iecj.exe
Removed File! : C:\Windows\iedx32.exe
Removed File! : C:\Windows\ieek32.exe
Removed File! : C:\Windows\iegf.exe
Removed File! : C:\Windows\iehu32.exe
Removed File! : C:\Windows\ieio.exe
Removed File! : C:\Windows\ieis.exe
Removed File! : C:\Windows\iekb32.exe
Removed File! : C:\Windows\iekj32.exe
Removed File! : C:\Windows\iels.exe
Removed File! : C:\Windows\iemc.exe
Removed File! : C:\Windows\ienu.exe
Removed File! : C:\Windows\ieqe.exe
Removed File! : C:\Windows\ieqn32.exe
Removed File! : C:\Windows\ierw.exe
Removed File! : C:\Windows\ietz32.exe
Removed File! : C:\Windows\ievp32.exe
Removed File! : C:\Windows\iewa.exe
Removed File! : C:\Windows\iezo32.exe
Removed File! : C:\Windows\ipab32.exe
Removed File! : C:\Windows\ipcy32.exe
Removed File! : C:\Windows\ipdc.exe
Removed File! : C:\Windows\ipjj32.exe
Removed File! : C:\Windows\ipkq.exe
Removed File! : C:\Windows\ipkr.exe
Removed File! : C:\Windows\ipkv.exe
Removed File! : C:\Windows\ipky.exe
Removed File! : C:\Windows\ipln.exe
Removed File! : C:\Windows\ippp.exe
Removed File! : C:\Windows\ippu.exe
Removed File! : C:\Windows\iprl32.exe
Removed File! : C:\Windows\iptk.exe
Removed File! : C:\Windows\ipxo.exe
Removed File! : C:\Windows\javabi32.exe
Removed File! : C:\Windows\javadc32.exe
Removed File! : C:\Windows\javaiw.exe
Removed File! : C:\Windows\javajl32.exe
Removed File! : C:\Windows\javana32.exe
Removed File! : C:\Windows\javaoj.exe
Removed File! : C:\Windows\javauc.exe
Removed File! : C:\Windows\javawm.exe
Removed File! : C:\Windows\javaxp32.exe
Removed File! : C:\Windows\javaxt32.exe
Removed File! : C:\Windows\javayf.exe
Removed File! : C:\Windows\mfcak32.exe
Removed File! : C:\Windows\mfcas32.exe
Removed File! : C:\Windows\mfcck.exe
Removed File! : C:\Windows\mfcew.exe
Removed File! : C:\Windows\mfcim32.exe
Removed File! : C:\Windows\mfctw.exe
Removed File! : C:\Windows\mfctz.exe
Removed File! : C:\Windows\mfcuc.exe
Removed File! : C:\Windows\mfcvx32.exe
Removed File! : C:\Windows\msau32.exe
Removed File! : C:\Windows\msby32.exe
Removed File! : C:\Windows\msgd.exe
Removed File! : C:\Windows\msgn.exe
Removed File! : C:\Windows\msit.exe
Removed File! : C:\Windows\msiv32.exe
Removed File! : C:\Windows\msiy32.exe
Removed File! : C:\Windows\mslr32.exe
Removed File! : C:\Windows\msmt32.exe
Removed File! : C:\Windows\msmy.exe
Removed File! : C:\Windows\msnr.exe
Removed File! : C:\Windows\msod.exe
Removed File! : C:\Windows\msph.exe
Removed File! : C:\Windows\mspi32.exe
Removed File! : C:\Windows\msqb32.exe
Removed File! : C:\Windows\mssb.exe
Removed File! : C:\Windows\msue32.exe
Removed File! : C:\Windows\msvp.exe
Removed File! : C:\Windows\netai32.exe
Removed File! : C:\Windows\netbf.exe
Removed File! : C:\Windows\netbs.exe
Removed File! : C:\Windows\netex32.exe
Removed File! : C:\Windows\netiz.exe
Removed File! : C:\Windows\netjl.exe
Removed File! : C:\Windows\netld.exe
Removed File! : C:\Windows\netmp.exe
Removed File! : C:\Windows\netnb32.exe
Removed File! : C:\Windows\nettc32.exe
Removed File! : C:\Windows\netvn.exe
Removed File! : C:\Windows\netzj32.exe
Removed File! : C:\Windows\ntcr.exe
Removed File! : C:\Windows\ntdg.exe
Removed File! : C:\Windows\ntfb32.exe
Removed File! : C:\Windows\ntip32.exe
Removed File! : C:\Windows\ntiw32.exe
Removed File! : C:\Windows\ntjh.exe
Removed File! : C:\Windows\ntmm.exe
Removed File! : C:\Windows\ntne32.exe
Removed File! : C:\Windows\ntok.exe
Removed File! : C:\Windows\ntpa32.exe
Removed File! : C:\Windows\ntuc.exe
Removed File! : C:\Windows\ntut.exe
Removed File! : C:\Windows\ntvb.exe
Removed File! : C:\Windows\sdkbk32.exe
Removed File! : C:\Windows\sdkfb.exe
Removed File! : C:\Windows\sdkhj32.exe
Removed File! : C:\Windows\sdklw32.exe
Removed File! : C:\Windows\sdkmi.exe
Removed File! : C:\Windows\sdkqe32.exe
Removed File! : C:\Windows\sdkql32.exe
Removed File! : C:\Windows\sdksl32.exe
Removed File! : C:\Windows\sdkso.exe
Removed File! : C:\Windows\sdkuh32.exe
Removed File! : C:\Windows\sdkvg.exe
Removed File! : C:\Windows\sdkws32.exe
Removed File! : C:\Windows\sysaf32.exe
Removed File! : C:\Windows\sysfr32.exe
Removed File! : C:\Windows\sysgy32.exe
Removed File! : C:\Windows\syshl.exe
Removed File! : C:\Windows\sysjv.exe
Removed File! : C:\Windows\syslv.exe
Removed File! : C:\Windows\sysnp.exe
Removed File! : C:\Windows\syspr32.exe
Removed File! : C:\Windows\sysqi32.exe
Removed File! : C:\Windows\sysqm.exe
Removed File! : C:\Windows\sysvs.exe
Removed File! : C:\Windows\sysym32.exe
Removed File! : C:\Windows\sysyn32.exe
Removed File! : C:\Windows\syszw.exe
Removed File! : C:\Windows\vyeph.dat
Removed File! : C:\Windows\winak32.exe
Removed File! : C:\Windows\winao32.exe
Removed File! : C:\Windows\winbm.exe
Removed File! : C:\Windows\winbw32.exe
Removed File! : C:\Windows\wincd.exe
Removed File! : C:\Windows\wingk32.exe
Removed File! : C:\Windows\winim32.exe
Removed File! : C:\Windows\winpl.exe
Removed File! : C:\Windows\winpt.exe
Removed File! : C:\Windows\winvj32.exe
Removed File! : C:\Windows\winwc32.exe
Removed File! : C:\Windows\winwj.exe
Removed File! : C:\Windows\winxy.exe
Removed File! : C:\Windows\System32\addag32.exe
Removed File! : C:\Windows\System32\addaj32.exe
Removed File! : C:\Windows\System32\addck32.exe
Removed File! : C:\Windows\System32\addcs32.exe
Removed File! : C:\Windows\System32\adddv.exe
Removed File! : C:\Windows\System32\addfq32.exe
Removed File! : C:\Windows\System32\addgf.exe
Removed File! : C:\Windows\System32\addgx.exe
Removed File! : C:\Windows\System32\addhr32.exe
Removed File! : C:\Windows\System32\addhw.exe
Removed File! : C:\Windows\System32\addik.exe
Removed File! : C:\Windows\System32\addno.exe
Removed File! : C:\Windows\System32\addog.exe
Removed File! : C:\Windows\System32\addon32.exe
Removed File! : C:\Windows\System32\addop.exe
Removed File! : C:\Windows\System32\addph32.exe
Removed File! : C:\Windows\System32\addrz.exe
Removed File! : C:\Windows\System32\addti.exe
Removed File! : C:\Windows\System32\addtt.exe
Removed File! : C:\Windows\System32\addul.exe
Removed File! : C:\Windows\System32\addyc32.exe
Removed File! : C:\Windows\System32\apidv32.exe
Removed File! : C:\Windows\System32\apieo.exe
Removed File! : C:\Windows\System32\apiep32.exe
Removed File! : C:\Windows\System32\apigk32.exe
Removed File! : C:\Windows\System32\apiht.exe
Removed File! : C:\Windows\System32\apiix.exe
Removed File! : C:\Windows\System32\apikk.exe
Removed File! : C:\Windows\System32\apikp.exe
Removed File! : C:\Windows\System32\apikq32.exe
Removed File! : C:\Windows\System32\apilp32.exe
Removed File! : C:\Windows\System32\apimp.exe
Removed File! : C:\Windows\System32\apipb32.exe
Removed File! : C:\Windows\System32\apipv.exe
Removed File! : C:\Windows\System32\apiqe32.exe
Removed File! : C:\Windows\System32\apirc32.exe
Removed File! : C:\Windows\System32\apisg32.exe
Removed File! : C:\Windows\System32\apivc.exe
Removed File! : C:\Windows\System32\apivk.exe
Removed File! : C:\Windows\System32\apiyf.exe
Removed File! : C:\Windows\System32\apize32.exe
Removed File! : C:\Windows\System32\appau.exe
Removed File! : C:\Windows\System32\appet.exe
Removed File! : C:\Windows\System32\appey.exe
Removed File! : C:\Windows\System32\appfj32.exe
Removed File! : C:\Windows\System32\appgd.exe
Removed File! : C:\Windows\System32\appgf32.exe
Removed File! : C:\Windows\System32\apphn.exe
Removed File! : C:\Windows\System32\appkn32.exe
Removed File! : C:\Windows\System32\applo.exe
Removed File! : C:\Windows\System32\appne.exe
Removed File! : C:\Windows\System32\appnr32.exe
Removed File! : C:\Windows\System32\appoi32.exe
Removed File! : C:\Windows\System32\apppo.exe
Removed File! : C:\Windows\System32\apprq32.exe
Removed File! : C:\Windows\System32\appsf32.exe
Removed File! : C:\Windows\System32\apptr32.exe
Removed File! : C:\Windows\System32\appva32.exe
Removed File! : C:\Windows\System32\appvn.exe
Removed File! : C:\Windows\System32\appxp32.exe
Removed File! : C:\Windows\System32\appxv32.exe
Removed File! : C:\Windows\System32\appzr.exe
Removed File! : C:\Windows\System32\atlai.exe
Removed File! : C:\Windows\System32\atlbj32.exe
Removed File! : C:\Windows\System32\atlbn32.exe
Removed File! : C:\Windows\System32\atlcp.exe
Removed File! : C:\Windows\System32\atlcv32.exe
Removed File! : C:\Windows\System32\atlej32.exe
Removed File! : C:\Windows\System32\atlfv.exe
Removed File! : C:\Windows\System32\atlhe.exe
Removed File! : C:\Windows\System32\atlhp.exe
Removed File! : C:\Windows\System32\atlkf32.exe
Removed File! : C:\Windows\System32\atlkm32.exe
Removed File! : C:\Windows\System32\atlnc32.exe
Removed File! : C:\Windows\System32\atlni.exe
Removed File! : C:\Windows\System32\atlod32.exe
Removed File! : C:\Windows\System32\atlpi32.exe
Removed File! : C:\Windows\System32\atltg.exe
Removed File! : C:\Windows\System32\atluo.exe
Removed File! : C:\Windows\System32\atlwg32.exe
Removed File! : C:\Windows\System32\atlxf.exe
Removed File! : C:\Windows\System32\atlxw.exe
Removed File! : C:\Windows\System32\atlzm.exe
Removed File! : C:\Windows\System32\atlzr.exe
Removed File! : C:\Windows\System32\crbn.exe
Removed File! : C:\Windows\System32\crdq32.exe
Removed File! : C:\Windows\System32\crfx32.exe
Removed File! : C:\Windows\System32\crld.exe
Removed File! : C:\Windows\System32\crmm.exe
Removed File! : C:\Windows\System32\crmr.exe
Removed File! : C:\Windows\System32\crpc.exe
Removed File! : C:\Windows\System32\crpz.exe
Removed File! : C:\Windows\System32\crqm.exe
Removed File! : C:\Windows\System32\crra.exe
Removed File! : C:\Windows\System32\crru.exe
Removed File! : C:\Windows\System32\cruw32.exe
Removed File! : C:\Windows\System32\crvm32.exe
Removed File! : C:\Windows\System32\crwf.exe
Removed File! : C:\Windows\System32\crwg32.exe
Removed File! : C:\Windows\System32\crxd.exe
Removed File! : C:\Windows\System32\crxe.exe
Removed File! : C:\Windows\System32\cryy32.exe
Removed File! : C:\Windows\System32\d3aw32.exe
Removed File! : C:\Windows\System32\d3cn32.exe
Removed File! : C:\Windows\System32\d3db.exe
Removed File! : C:\Windows\System32\d3do.exe
Removed File! : C:\Windows\System32\d3fg32.exe
Removed File! : C:\Windows\System32\d3gp32.exe
Removed File! : C:\Windows\System32\d3im.exe
Removed File! : C:\Windows\System32\d3jw.exe
Removed File! : C:\Windows\System32\d3kf32.exe
Removed File! : C:\Windows\System32\d3lm.exe
Removed File! : C:\Windows\System32\d3lp32.exe
Removed File! : C:\Windows\System32\d3mp32.exe
Removed File! : C:\Windows\System32\d3nf.exe
Removed File! : C:\Windows\System32\d3oa.exe
Removed File! : C:\Windows\System32\d3ou32.exe
Removed File! : C:\Windows\System32\d3pc.exe
Removed File! : C:\Windows\System32\d3rj.exe
Removed File! : C:\Windows\System32\d3rl.exe
Removed File! : C:\Windows\System32\d3rn.exe
Removed File! : C:\Windows\System32\d3ru32.exe
Removed File! : C:\Windows\System32\d3tf.exe
Removed File! : C:\Windows\System32\d3wp32.exe
Removed File! : C:\Windows\System32\d3zf.exe
Removed File! : C:\Windows\System32\d3zx32.exe
Removed File! : C:\Windows\System32\iecg.exe
Removed File! : C:\Windows\System32\iedv32.exe
Removed File! : C:\Windows\System32\ieef32.exe
Removed File! : C:\Windows\System32\ieeg.exe
Removed File! : C:\Windows\System32\ieeq32.exe
Removed File! : C:\Windows\System32\iefg32.exe
Removed File! : C:\Windows\System32\iehi32.exe
Removed File! : C:\Windows\System32\iemp32.exe
Removed File! : C:\Windows\System32\iemx32.exe
Removed File! : C:\Windows\System32\ienv32.exe
Removed File! : C:\Windows\System32\ieob32.exe
Removed File! : C:\Windows\System32\iepm32.exe
Removed File! : C:\Windows\System32\ieqp.exe
Removed File! : C:\Windows\System32\ierf32.exe
Removed File! : C:\Windows\System32\ieri32.exe
Removed File! : C:\Windows\System32\iesw32.exe
Removed File! : C:\Windows\System32\ieur32.exe
Removed File! : C:\Windows\System32\iewa32.exe
Removed File! : C:\Windows\System32\iewn32.exe
Removed File! : C:\Windows\System32\ipaa32.exe
Removed File! : C:\Windows\System32\ipbm32.exe
Removed File! : C:\Windows\System32\ipbx.exe
Removed File! : C:\Windows\System32\ipgh32.exe
Removed File! : C:\Windows\System32\ipia.exe
Removed File! : C:\Windows\System32\ipid.exe
Removed File! : C:\Windows\System32\ipje32.exe
Removed File! : C:\Windows\System32\ipkl.exe
Removed File! : C:\Windows\System32\ipmu32.exe
Removed File! : C:\Windows\System32\iprp32.exe
Removed File! : C:\Windows\System32\ipth.exe
Removed File! : C:\Windows\System32\iptk.exe
Removed File! : C:\Windows\System32\iptt.exe
Removed File! : C:\Windows\System32\ipvr32.exe
Removed File! : C:\Windows\System32\ipwf32.exe
Removed File! : C:\Windows\System32\ipzz.exe
Removed File! : C:\Windows\System32\javacb.exe
Removed File! : C:\Windows\System32\javacr32.exe
Removed File! : C:\Windows\System32\javadx32.exe
Removed File! : C:\Windows\System32\javaes.exe
Removed File! : C:\Windows\System32\javafl32.exe
Removed File! : C:\Windows\System32\javajh.exe
Removed File! : C:\Windows\System32\javakm32.exe
Removed File! : C:\Windows\System32\javamh32.exe
Removed File! : C:\Windows\System32\javaok.exe
Removed File! : C:\Windows\System32\javaqi.exe
Removed File! : C:\Windows\System32\javasj32.exe
Removed File! : C:\Windows\System32\javauk.exe
Removed File! : C:\Windows\System32\javauy.exe
Removed File! : C:\Windows\System32\javavb32.exe
Removed File! : C:\Windows\System32\javavh32.exe
Removed File! : C:\Windows\System32\javavq.exe
Removed File! : C:\Windows\System32\javaza.exe
Removed File! : C:\Windows\System32\mfcak.exe
Removed File! : C:\Windows\System32\mfcav.exe
Removed File! : C:\Windows\System32\mfcaw32.exe
Removed File! : C:\Windows\System32\mfcax32.exe
Removed File! : C:\Windows\System32\mfchc32.exe
Removed File! : C:\Windows\System32\mfcif.exe
Removed File! : C:\Windows\System32\mfcif32.exe
Removed File! : C:\Windows\System32\mfckb32.exe
Removed File! : C:\Windows\System32\mfcmw32.exe
Removed File! : C:\Windows\System32\mfcmz.exe
Removed File! : C:\Windows\System32\mfcnd.exe
Removed File! : C:\Windows\System32\mfcpm32.exe
Removed File! : C:\Windows\System32\mfcre.exe
Removed File! : C:\Windows\System32\mfcsn32.exe
Removed File! : C:\Windows\System32\mfcvg.exe
Removed File! : C:\Windows\System32\mfcwe.exe
Removed File! : C:\Windows\System32\mfcxe32.exe
Removed File! : C:\Windows\System32\mfczs.exe
Removed File! : C:\Windows\System32\msbw32.exe
Removed File! : C:\Windows\System32\mscf32.exe
Removed File! : C:\Windows\System32\msem.exe
Removed File! : C:\Windows\System32\msgg32.exe
Removed File! : C:\Windows\System32\mshw.exe
Removed File! : C:\Windows\System32\msib.exe
Removed File! : C:\Windows\System32\msjb32.exe
Removed File! : C:\Windows\System32\msjf.exe
Removed File! : C:\Windows\System32\msks.exe
Removed File! : C:\Windows\System32\mskv.exe
Removed File! : C:\Windows\System32\msoi.exe
Removed File! : C:\Windows\System32\msps.exe
Removed File! : C:\Windows\System32\mstl32.exe
Removed File! : C:\Windows\System32\msuv32.exe
Removed File! : C:\Windows\System32\msvb.exe
Removed File! : C:\Windows\System32\msvt.exe
Removed File! : C:\Windows\System32\netav.exe
Removed File! : C:\Windows\System32\netbz.exe
Removed File! : C:\Windows\System32\neteb.exe
Removed File! : C:\Windows\System32\netfq.exe
Removed File! : C:\Windows\System32\netle.exe
Removed File! : C:\Windows\System32\netlw.exe
Removed File! : C:\Windows\System32\netmt.exe
Removed File! : C:\Windows\System32\netnj.exe
Removed File! : C:\Windows\System32\netsv.exe
Removed File! : C:\Windows\System32\nettc.exe
Removed File! : C:\Windows\System32\nettv32.exe
Removed File! : C:\Windows\System32\netur32.exe
Removed File! : C:\Windows\System32\netwx32.exe
Removed File! : C:\Windows\System32\netzf.exe
Removed File! : C:\Windows\System32\ntav.exe
Removed File! : C:\Windows\System32\ntav32.exe
Removed File! : C:\Windows\System32\ntkb32.exe
Removed File! : C:\Windows\System32\ntpq32.exe
Removed File! : C:\Windows\System32\ntqh.exe
Removed File! : C:\Windows\System32\ntta32.exe
Removed File! : C:\Windows\System32\ntus.exe
Removed File! : C:\Windows\System32\ntws.exe
Removed File! : C:\Windows\System32\ntyu32.exe
Removed File! : C:\Windows\System32\pohia.dat
Removed File! : C:\Windows\System32\sdkcw32.exe
Removed File! : C:\Windows\System32\sdkds.exe
Removed File! : C:\Windows\System32\sdkfb.exe
Removed File! : C:\Windows\System32\sdkgj.exe
Removed File! : C:\Windows\System32\sdkie32.exe
Removed File! : C:\Windows\System32\sdkje.exe
Removed File! : C:\Windows\System32\sdkky32.exe
Removed File! : C:\Windows\System32\sdkng32.exe
Removed File! : C:\Windows\System32\sdkqb.exe
Removed File! : C:\Windows\System32\sdksp.exe
Removed File! : C:\Windows\System32\sdkyb.exe
Removed File! : C:\Windows\System32\sdkyu.exe
Removed File! : C:\Windows\System32\sysar.exe
Removed File! : C:\Windows\System32\sysfe32.exe
Removed File! : C:\Windows\System32\sysft32.exe
Removed File! : C:\Windows\System32\sysgu32.exe
Removed File! : C:\Windows\System32\syshd32.exe
Removed File! : C:\Windows\System32\syskj32.exe
Removed File! : C:\Windows\System32\sysmh32.exe
Removed File! : C:\Windows\System32\sysmv32.exe
Removed File! : C:\Windows\System32\sysoc.exe
Removed File! : C:\Windows\System32\sysoo.exe
Removed File! : C:\Windows\System32\sysrx32.exe
Removed File! : C:\Windows\System32\syswd.exe
Removed File! : C:\Windows\System32\syswz32.exe
Removed File! : C:\Windows\System32\sysxg.exe
Removed File! : C:\Windows\System32\sysxg32.exe
Removed File! : C:\Windows\System32\sysze.exe
Removed File! : C:\Windows\System32\syszj.exe
Removed File! : C:\Windows\System32\syszy32.exe
Removed File! : C:\Windows\System32\winao.exe
Removed File! : C:\Windows\System32\winap.exe
Removed File! : C:\Windows\System32\winbk.exe
Removed File! : C:\Windows\System32\wingo.exe
Removed File! : C:\Windows\System32\winif32.exe
Removed File! : C:\Windows\System32\winns32.exe
Removed File! : C:\Windows\System32\winpl32.exe
Removed File! : C:\Windows\System32\winrm.exe
Removed File! : C:\Windows\System32\winrp.exe
Removed File! : C:\Windows\System32\wintc32.exe
Removed File! : C:\Windows\System32\wintg32.exe
Removed File! : C:\Windows\System32\winvg32.exe
Removed File! : C:\Windows\System32\winzt.exe
Removed File! : C:\Windows\System32\ybjvd.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:12:36 AM
  • 0

#25
meghani

meghani

    Member

  • Topic Starter
  • Member
  • 23 posts
(6/29/05 12:13:28 AM) SPSeHjFix started v1.1.2
(6/29/05 12:13:28 AM) OS: WinXP Service Pack 1 (5.1.2600)
(6/29/05 12:13:28 AM) Language: english
(6/29/05 12:13:28 AM) Win-Path: C:\WINDOWS
(6/29/05 12:13:28 AM) System-Path: C:\WINDOWS\System32
(6/29/05 12:13:28 AM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(6/29/05 12:13:46 AM) Disinfection started
(6/29/05 12:13:46 AM) Bad-Dll(IEP): (not found)
(6/29/05 12:13:46 AM) Bad-Dll(IEP) in BHO: (not found)
(6/29/05 12:13:46 AM) UBF: 4 - UBB: 1 - UBR: 22
(6/29/05 12:13:46 AM) UBF: 4 - UBB: 1 - UBR: 22
(6/29/05 12:13:46 AM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL:
(6/29/05 12:13:46 AM) Stealth-String not found
(6/29/05 12:13:46 AM) Not infected->END
  • 0

#26
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
We should be done, well unless u got infected since the last time u posted your log....lol :tazz:


I have added a few things to make your computer boot up faster. This does not delete the program, it only excludes it from initial startup and u can start them manually at any time.

Open Hijackthis

Check the following, then click fixed check:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


Reboot


;)



Excal
  • 0
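The O4 lines in the post above are registry Run values and Startup-folder shortcuts that HijackThis prints as one-line summaries. The Python script below is an added example, not part of this thread and not HijackThis code: it parses such lines into their location, value name and executable, and flags two things worth a second look when reviewing a log, entries that name a bare executable (resolved through the PATH search order) and registry commands whose unquoted path contains spaces. The sample lines copy the format quoted in this thread; the flag names and the `split_executable` heuristic are this example's own.

```python
"""Parse HijackThis O4 (autostart) lines into structured records.

Added example: not part of this thread and not HijackThis code.  The line
layout follows the log format quoted in the thread; the flag names and
the executable-splitting heuristic are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Registry autostart: "O4 - HKLM\..\Run: [ValueName] command line"
REG_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder shortcut: "O4 - Global Startup: Name.lnk = target"
STARTUP_RE = re.compile(
    r"^O4 - (?P<folder>Global Startup|Startup): (?P<label>.+?) = (?P<cmd>.*)$")

# Constructed sample, copied in shape from the O4 lines shown in the thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O4 - Global Startup: Digital Line Detect.lnk = ?",
    r"O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE",
    r"O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe",  # not O4, skipped
]


@dataclass
class AutostartEntry:
    location: str               # e.g. r"HKLM\..\Run" or "Global Startup"
    label: str                  # registry value name or .lnk file name
    command: str                # command line exactly as logged
    executable: Optional[str]   # None when HijackThis printed "?"
    flags: List[str] = field(default_factory=list)


def split_executable(command: str) -> Optional[str]:
    """Return the executable part of a logged command line."""
    command = command.strip()
    if command == "?":                      # HijackThis could not resolve the .lnk
        return None
    if command.startswith('"'):             # quoted path: take up to the closing quote
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe", command, re.IGNORECASE)
    if m:                                   # unquoted: cut after the first ".exe"
        return command[: m.end()]
    return command.split()[0] if command else ""


def audit(executable: Optional[str], command: str, from_registry: bool) -> List[str]:
    """Heuristic review flags for one entry (flag names are this example's own)."""
    if executable is None:
        return ["unresolved-target"]
    flags = []
    if "\\" not in executable:
        flags.append("bare-name")           # located via the PATH search order
    elif from_registry and " " in executable and not command.lstrip().startswith('"'):
        flags.append("unquoted-path")       # spaces in an unquoted command path
    return flags


def parse_o4(line: str) -> Optional[AutostartEntry]:
    m = REG_RE.match(line)
    if m:
        location = m["hive"] + "\\..\\" + m["key"]
        from_registry = True
    else:
        m = STARTUP_RE.match(line)
        if not m:
            return None                     # O23, R1, ... belong to other sections
        location, from_registry = m["folder"], False
    exe = split_executable(m["cmd"])
    return AutostartEntry(location, m["label"], m["cmd"], exe,
                          audit(exe, m["cmd"], from_registry))


def parse_log(lines: List[str]) -> List[AutostartEntry]:
    return [e for e in map(parse_o4, lines) if e is not None]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.location:<16} {e.label:<22} {e.executable!r:<48} {e.flags}")
```

Feed it the O4 section of any HijackThis log as a list of lines; the flags are hints for a human reviewer, not a verdict, since a bare name such as `nwiz.exe` is normal for many vendor installers.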

#27
meghani

meghani

    Member

  • Topic Starter
  • Member
  • 23 posts
Wow, don't you EVER sleep?

I removed what you suggested. Kaspersky is still running (66% complete, but one virus, one infected object), so I didn't reboot yet.

New HiJack log follows. Am I clean? How do I know it's safe, and how do I stay clean/safe? How do we resolve the virus that Kaspersky found - I'm assuming it's the same stuff Norton keeps whining about, but cannot fix?

Thanks again. I need to get to bed because I work tomorrow and it's 1:00 here, but I'll check and post the Kaspersky results in the AM and will check for additional instructions then.

Thanks again,
Meghani

Logfile of HijackThis v1.99.1
Scan saved at 12:55:50 AM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Meghan\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...55/sdcregie.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://ak.imgag.com/...stall/AxCtp.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://64.143.186.13...Q/bin/WebIQ.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend...ets/msie40x.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.del...t/TLIEFlash.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.co...file=stamps.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.crtvg.es/camweb/camera.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.14...geWell-ipix.cab
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#28
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Meg,


Your log looks really good. I will give u a whole list of free goodies when we are done cleaning you up ;)

Just need to take care of that wininet thing. I guess we can prepare ;)


Copy everything in the code box below and paste it into notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as wininet.bat on your desktop.

dir %Systemdrive%\wininet.dll /a /s > files.txt
start notepad files.txt


Double click wininet.bat and when it is ready it will open files.txt
Copy the content of files.txt and paste it here


Please go here and upload

C:\Windows\System32\wininet.dll

then please post the results in your next reply.


Thanks,

:tazz:

Excal
  • 0
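The batch file in the post above lists every wininet.dll on the system drive, hidden copies included, so the copies can be compared by size and date. The Python script below is an added example, not code from this thread or from any tool it mentions; it does the same enumeration and additionally hashes each copy with SHA-256, records copies that cannot be read instead of treating them as empty, and checks whether the live System32 copy matches the Windows File Protection cache copy under dllcache. The directory tree and file contents built in `demo()` are constructed for illustration; on a real machine call `find_copies("C:\\")` instead.

```python
"""Find every copy of a DLL under a root, hash each one, and compare the live
System32 copy with the Windows File Protection cache copy.

Added example: not code from this thread or from any tool it mentions.  It
generalises the batch-file step (dir /a /s) by hashing each copy and by
recording copies that cannot be read instead of treating them as empty.
The directory tree built in demo() is constructed for illustration.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DllCopy:
    path: str
    size: int                  # -1 when the file could not be examined
    sha256: Optional[str]      # None when the file could not be read
    error: Optional[str] = None


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: str, name: str = "wininet.dll") -> List[DllCopy]:
    """Recursively collect files named `name` (case-insensitive).  os.walk
    does not skip hidden or system files, so this matches 'dir /a /s'."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() != name.lower():
                continue
            full = os.path.join(dirpath, fn)
            try:
                found.append(DllCopy(full, os.path.getsize(full), sha256_of(full)))
            except OSError as exc:      # ACL denial, lock held by another process, ...
                found.append(DllCopy(full, -1, None, error=str(exc)))
    return sorted(found, key=lambda c: c.path.lower())


def compare_with_cache(copies: List[DllCopy], system32: str, dllcache: str) -> str:
    """'match' when the live copy hashes like the cache copy, 'mismatch' when
    it does not, 'unreadable' when either could not be hashed, else 'missing'."""
    def in_dir(directory: str) -> Optional[DllCopy]:
        want = os.path.normpath(directory).lower()
        for c in copies:
            if os.path.dirname(os.path.normpath(c.path)).lower() == want:
                return c
        return None

    live, cached = in_dir(system32), in_dir(dllcache)
    if live is None or cached is None:
        return "missing"
    if live.sha256 is None or cached.sha256 is None:
        return "unreadable"
    return "match" if live.sha256 == cached.sha256 else "mismatch"


def demo() -> dict:
    """Build a constructed tree shaped like the listing in the thread and scan it."""
    root = tempfile.mkdtemp(prefix="wininet_demo_")
    layout = {  # constructed contents, not real DLL bytes
        ("I386", "WININET.DLL"): b"install-media build\n" * 64,
        ("WINDOWS", "SYSTEM32", "wininet.dll"): b"patched build\n" * 64,
        ("WINDOWS", "SYSTEM32", "DLLCACHE", "WININET.DLL"): b"patched build\n" * 64,
        ("Program Files", "Common Files", "Adaptec Shared", "System", "Wininet.dll"):
            b"vendor private copy\n" * 32,
        ("WINDOWS", "setuplog.txt"): b"not a dll\n",
    }
    try:
        for parts, data in layout.items():
            full = os.path.join(root, *parts)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        copies = find_copies(root)
        verdict = compare_with_cache(
            copies,
            os.path.join(root, "WINDOWS", "SYSTEM32"),
            os.path.join(root, "WINDOWS", "SYSTEM32", "DLLCACHE"))
        return {"count": len(copies), "verdict": verdict,
                "sizes": [c.size for c in copies]}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

A copy that comes back with `sha256 = None` is the case to investigate first: a file the current user cannot open is exactly what produces a 0-byte upload, and the `error` text says whether it was an access denial or a sharing violation.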

#29
meghani

meghani

    Member

  • Topic Starter
  • Member
  • 23 posts
Results from running batch file:

Volume in drive C has no label.
Volume Serial Number is B89D-B35B

Directory of C:\I386

08/29/2002 04:00 AM 599,040 WININET.DLL
1 File(s) 599,040 bytes

Directory of C:\Program Files\Common Files\Adaptec Shared\System

04/23/1999 09:22 PM 459,024 Wininet.dll
1 File(s) 459,024 bytes

Directory of C:\WINDOWS\SYSTEM32

01/21/2004 04:16 PM 588,288 wininet.dll
1 File(s) 588,288 bytes

Directory of C:\WINDOWS\SYSTEM32\DLLCACHE

02/06/2004 06:05 PM 588,288 WININET.DLL
1 File(s) 588,288 bytes


Results from trying to upload c:\windows\system32\wininet.dll:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Kaspersky results:

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Wednesday, June 29, 2005 01:46:15
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/06/2005
Kaspersky Anti-Virus database records: 128192
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 47525
Number of viruses found: 2
Number of infected objects: 50
Number of suspicious objects: 0
Duration of the scan process: 4090 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Meghan\Desktop\New Folder\backups\backup-20050628-201005-513.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\{00000002-00000000-00000009-00001102-00000004-10031102}.CDF:iobxaw:$DATA Infected: Trojan-Downloader.Win32.Agent.bc

Scan process completed.


OK, now I'm REALLY going to bed.
Thanks,
Meghani
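What the enumeration step in post #28 and the dllcache comparison in post #30 amount to, as an added Python example (not code from this thread or from Excal): it parses the files.txt listing posted above and flags which copies of wininet.dll deviate from the Windows File Protection cache copy. It assumes the cmd.exe "dir /s" output format shown in the thread and treats C:\WINDOWS\SYSTEM32\DLLCACHE as the reference; the sample listing is constructed from the output above.

```python
import re

# Constructed sample: the files.txt output posted earlier in this thread
# (cmd.exe "dir %SystemDrive%\wininet.dll /a /s"), whitespace-compacted.
SAMPLE_DIR_OUTPUT = """\
 Volume in drive C has no label.
 Directory of C:\\I386
08/29/2002 04:00 AM 599,040 WININET.DLL
 Directory of C:\\Program Files\\Common Files\\Adaptec Shared\\System
04/23/1999 09:22 PM 459,024 Wininet.dll
 Directory of C:\\WINDOWS\\SYSTEM32
01/21/2004 04:16 PM 588,288 wininet.dll
 Directory of C:\\WINDOWS\\SYSTEM32\\DLLCACHE
02/06/2004 06:05 PM 588,288 WININET.DLL
"""
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, 12-hour time, size with thousands separators, file name (no spaces)
FILE_RE = re.compile(r"^\s*(\S+)\s+(\d{1,2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)\s*$")


def parse_dir_listing(text):
    """Map each 'Directory of' path to (date, size_in_bytes, file_name)."""
    found, current = {}, None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            date, _time, size, name = m.groups()
            found[current] = (date, int(size.replace(",", "")), name)
    return found


def triage(found, reference_dir=r"C:\WINDOWS\SYSTEM32\DLLCACHE"):
    """Compare every copy against the Windows File Protection cache copy."""
    # A size match is only 'unverified': a patched DLL can keep its original
    # size, so confirm with a hash or Authenticode signature check on the host.
    if reference_dir not in found:
        raise ValueError("no WFP cache copy to compare against")
    ref_size = found[reference_dir][1]
    verdicts = {}
    for directory, (_date, size, _name) in found.items():
        if directory == reference_dir:
            verdicts[directory] = "reference"
        elif size != ref_size:
            verdicts[directory] = "differs-in-size"
        else:
            verdicts[directory] = "size-matches-unverified"
    return verdicts
```

On the listing above the in-use system32 copy has the same size as the dllcache copy, which is exactly why the helper asks for an online scan of the file rather than trusting size alone.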

#30
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi,


Now comes the tricky part. Make sure you follow these instructions to a T. Do not deviate from them at all, if you do, bad things may happen. If you have any questions, feel free to ask them before you start the fix ;)

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Please go to start>my computer then navigate to this file:

C:\Windows\System32\wininet.dll

right-click on it and rename it to wininet.old

Go to your C:\windows\system32\dllcache folder, right-click on the wininet.dll present there, choose Copy, and paste it into your system32 folder.
(If there is no wininet.dll present in your dllcache, look to see if there is one in this folder: C:\WINDOWS\ServicePackFiles\i386. If so, copy that one to the system32 folder.)

*Note - It is possible you will get an error saying the file already exists when you try to paste the good one into your system32 folder.
If it gives an error, just reboot.


Reboot

Please remove just the files from the following paths using Windows Explorer (if present):

C:\Windows\System32\wininet.old
C:\Windows\System32\oleadm.dll


please post and let me know the results.


Thanks,

:tazz:

Excal