Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Trojan.desktophijack.B

Started by tony howes , Jul 01 2005 06:17 AM

This topic is locked

#1
tony howes

Posted 01 July 2005 - 06:17 AM

Member

Member
11 posts

Logfile of HijackThis v1.99.1
Scan saved at 19:11:43, on 30/06/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\DJSNETCN.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.2.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\ADBLOCKING\NSMDTR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: WaveHelper Class - {EA7F9A52-0A05-11D2-98C5-00104B7229C2} - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {27BCD704-EDB0-4CEF-8345-EF42661A2D47} - C:\WINDOWS\SYSTEM\EBOD.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKLM\..\RunServices: [ISSVC] "C:\Program Files\Norton Internet Security\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\SYSTEM\Restore\StateMgr.exe
O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {59CFB01E-8F2F-427E-B6E3-BEA288308696} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {59CFB01E-8F2F-427E-B6E3-BEA288308696} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband

#2
tony howes

Posted 02 July 2005 - 03:41 AM

Member

Topic Starter
Member
11 posts

Logfile of HijackThis v1.99.1
Scan saved at 10:35:18, on 02/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\DJSNETCN.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.2.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: WaveHelper Class - {EA7F9A52-0A05-11D2-98C5-00104B7229C2} - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {27BCD704-EDB0-4CEF-8345-EF42661A2D47} - C:\WINDOWS\SYSTEM\EBOD.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKLM\..\RunServices: [ISSVC] "C:\Program Files\Norton Internet Security\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\SYSTEM\Restore\StateMgr.exe
O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {59CFB01E-8F2F-427E-B6E3-BEA288308696} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {59CFB01E-8F2F-427E-B6E3-BEA288308696} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband

#3
g2i2r4

Posted 02 July 2005 - 06:17 AM

retired HiJack Helper

Retired Staff
5,080 posts

Welcome tony howes to Geeks to Go!

I've merged your topics, please stick to this topic from now on.

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder.

***

Please disable SpybotSD’s protection, as it may hinder the removal of the infection. You can enable it after you're clean.

***

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box and/or Uncheck Resident.
Click Allow Change box.

***

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!

First we will need to download a few tools that will help us in the removal of your problem.

***

Download SmitRem or
SmitRem and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

***

Place a shortcut to Panda ActiveScan on your desktop.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how setup and use it - please make sure you update it first.

***

Download about:buster by RubbeRDuckY Here.

Download CWShredder Here.

Download SpSeHjfix Here.

Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

***

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

***

Run the CleanUp! installer. You dont need to do anything with it right now.

***

Update About:Buster

Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click "OK" at the prompt with instructions.
Click "Update" and then "Check For Update" to begin the update process.
If any updates exist please download them by clicking "Download Update" then click the X to close that window.
Now close About:Buster

***

Update CWShredder

Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Please run About:Buster:

Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
Reboot your computer into safe mode again

Run about:buster again following the same instructions as above, this time without the restart at the end.

***

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

***

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {27BCD704-EDB0-4CEF-8345-EF42661A2D47} - C:\WINDOWS\SYSTEM\EBOD.DLL (file missing)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O9 - Extra button: Microsoft AntiSpyware helper - {59CFB01E-8F2F-427E-B6E3-BEA288308696} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {59CFB01E-8F2F-427E-B6E3-BEA288308696} - (no file) (HKCU)

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

***

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Scan local drives for temporary files
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it’s done, press Close.
Reboot your computer into normal windows.

***

Click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log.

***

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log by using Add Reply.

#4
tony howes

Posted 03 July 2005 - 04:13 AM

Member

Topic Starter
Member
11 posts

Thank you for the Comprehensive instructions, which I have followed to the best of my ability. Unfortunately all attempts to "update" in accordance with your instructions failed. None the less I continued with what I had. When I opened HijackThis again the first two R1 lines that you asked to be checked did not appear and therefore I was only able to check and fix the other five. I have run Norton AntiVirus again this morning and it still indicates that the Trojan in Wininet.DLL remains on the system.

The Logs that you requested are as follows:

Logfile of HijackThis v1.99.1
Scan saved at 11:08:33, on 03/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\DJSNETCN.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\ADBLOCKING\NSMDTR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
O2 - BHO: WaveHelper Class - {EA7F9A52-0A05-11D2-98C5-00104B7229C2} - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKLM\..\RunServices: [ISSVC] "C:\Program Files\Norton Internet Security\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

AboutBuster 5.0 reference file 28
Scan started on [02/07/2005] at [19:06:46]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 19:06:47

AboutBuster 5.0 reference file 28
Scan started on [02/07/2005] at [19:32:45]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 19:32:46

AboutBuster 5.0 reference file 28
Scan started on [02/07/2005] at [19:37:22]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 19:37:22

Incident Status Location

Virus:W32/Smitfraud.A Disinfected Operating system
Adware:Adware/nCase No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\Program Files\ErrorGuard
Adware:Adware/ExactSearch No disinfected Windows Registry
Adware:Adware/PsGuard No disinfected C:\WINDOWS\Application Data\PSGuard.com
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\SYSTEM\WININET.DLL
Tony Howes

1502-4240-1125-0482-1088-9784*

Windows 98 4.10
WinAspi: File 'Wnaspi32.dll': Ver=1, 0, 0, 0, size=36864 bytes, created 23/04/99 22:22:00
Nero Version: 5.5.8.0
Recorder: <LITE-ON LTR-48125W> Version: VS04 - HA 0 TA 1 - 5.5.8.0
Adapter driver: <ESDI_506> HA 0
Drive buffer : 1984kB
Bus Type : default (0) -> ATAPI
CD-ROM: <TOSHIBA DVD-ROM SD-M1402>Version: 1008 - HA 0 TA 0 - 5.5.8.0
Adapter driver: <ESDI_506> HA 0
Bus Type : default (0) -> ATAPI
TOSHIBA DVD-ROM SD-M1402 (Target 0, D:): Autoinsert On, DMA On, Disconnect ?, SyncDataXfer ?
LITE-ON LTR-48125W (Target 1, E:): Autoinsert On, DMA Off, Disconnect ?, SyncDataXfer ?
Excluded drive IDs:
CmdQueuing : 1
CmdNotification: 2
WriteBufferSize: 20971520 (0) Byte
ShowDrvBufStat : 0
EraseSpeed : 0
BUFE : 0
Physical memory : 127MB (130484kB)
Free physical memory: 0MB (28kB)
Memory in use : 84 %
Uncached PFiles: 0x0
Use Static Write Speed Table: 0
Use Inquiry : 1
Global Bus Type: default (0)
Wizard: On

CD-Copy
27.10.2002

12:16:49 #1 Phase 90 File dlgbrnst.cpp, Line 1449
Buffer Underrun Protection activated

12:16:49 #2 Text 0 File Reader.cpp, Line 118
Reader running

12:16:49 #3 Text 0 File Writer.cpp, Line 129
Writer LITE-ON LTR-48125W running

12:16:49 #4 Text 0 File Burncd.cpp, Line 2636
Turn on Disc-At-Once, using CD-R/RW media

12:16:49 #5 Phase 48 File dlgbrnst.cpp, Line 1449
Analyzing CD

12:16:49 #6 CDCOPY -1 File CDCopy.cpp, Line 2462
The CD is copyrighted

12:16:58 #7 Text 0 File CDCopy.cpp, Line 2696
_Index0_ _______Index1_______ PostPause ___LastBlockOfTrack_
Track 1: 0 0 ( 0:02.00) 332483 332632 ( 73:57.07)

12:16:58 #8 Text 0 File CDCopy.cpp, Line 1019
Copy options: read subcode: OFF jitter correction: OFF copy on-the-fly: ON
read ISRC/MCN: ON ignore inv. TOC type: ON ignore audio read error: ON
source disc does not look like CD Extra
01. 0 - 332633 = 332633, data (2)

12:16:58 #9 Text 0 File ThreadedTransferInterface.cpp, Line 684
Setup items (original item values)
0: TRM_DATA_MODE2_FORM1_NOSUB (1 Data (mode 2))
2 indices, index0 (150) not provided
original CD pos #0 + 332633 (332633) = #332633/73:55.8
relocatable, CD pos for caching/writing not required/not required, no patch infos
--------------------------------------------------------------

12:17:00 #10 Text 0 File DlgWaitCD.cpp, Line 199
Last possible write address on media: 359844 (79:59.69)
Last address to be written: 332632 (73:57.07)

12:17:02 #11 Text 0 File DlgWaitCD.cpp, Line 1387
Recorder: LITE-ON LTR-48125W;
CDR code: 00 97 15 17; OSJ entry from: Ritek Co.
ATIP Data:
Special Info [hex] 1: C0 00 90, 2: 61 0F 11 (LI 97:15.17), 3: 4F 3B 46 (LO 79:59.70)
Additional Info [hex] 1: 00 00 80 (invalid), 2: 00 80 00 (invalid), 3: 00 80 80 (invalid)

12:17:02 #12 Text 0 File ThreadedTransferInterface.cpp, Line 834
Prepare recorder LITE-ON LTR-48125W for write in cue-sheet-DAO
DAO infos:
==========
MCN:
TOCTYPE: 0x20 Close CD
Tracks 1 to 1:
TRM_DATA_RAW_MODE2, 2352/0x0, ISRC "", FilePos 0 352800 782705616

12:17:02 #13 Text 0 File ThreadedTransferInterface.cpp, Line 684
Setup items (after recorder preparation)
0: TRM_DATA_MODE2_FORM1_NOSUB (1 Data (mode 2))
2 indices, index0 (150) not provided
original CD pos #0 + 332633 (332633) = #332633/73:55.8
relocatable, CD pos for caching/writing not required/not required, no patch infos
-> TRM_DATA_RAW_MODE2, 2352, config 0, wanted index0 0 blocks, length 332633 blocks [LITE-ON LTR-48125W ]
--------------------------------------------------------------

12:17:02 #14 Phase 36 File dlgbrnst.cpp, Line 1449
Burn process started at 32x (4,800 KB/s)

12:17:02 #15 Text 0 File ThreadedTransferInterface.cpp, Line 1960
Verifying CD position of item 0 (relocatable, no CD pos, no patch infos, orig at #0): write at #0

12:17:02 #16 Text 0 File Mmc.cpp, Line 11267
StartDAO : CD-Text - Off

12:17:02 #17 Text 0 File Mmc.cpp, Line 15521
Set BUFE: supported -> ON

12:17:02 #18 Text 0 File Mmc.cpp, Line 11510
CueData, Len=32
41 00 00 34 00 00 00 00
41 01 00 21 00 00 00 00
41 01 01 21 00 00 02 00
41 aa 01 34 00 49 39 08

12:23:49 #19 TRANSFER -25 File Reader.cpp, Line 349
Error reading Data

12:23:53 #20 Text 0 File ThreadedTransfer.cpp, Line 222
all writers idle, stopping conversion

12:24:02 #21 Phase 38 File dlgbrnst.cpp, Line 1449
Burn process failed at 32x (4,800 KB/s)

12:24:03 #22 Text 0 File Scsicmd.cpp, Line 386
SCSI not using temporary buffers
20 out of 20 temporary buffers allocated

Existing drivers:
File 'IoSubSys\SCSI1HLP.VXD': Ver=4.10.1998, size=19270 bytes, created 23/04/99 22:22:00
File 'IoSubsys\NEROCD95.VXD': Ver=4, 5, 0, 10, size=37493 bytes, created 30/08/01 15:30:04
File 'IoSubsys\CDFS.VXD': Ver=4.10.1998, size=59133 bytes, created 23/04/99 22:22:00
File 'IoSubsys\ESDI_506.PDR': Ver=4.10.2222, size=24406 bytes, created 23/04/99 22:22:00
File '..\System\Vmm32\Ios.vxd': Ver=4.10.2222, size=69570 bytes, created 23/04/99 22:22:00
File 'IoSubsys\Disktsd.vxd': Ver=4.10.2222, size=18809 bytes, created 23/04/99 22:22:00
File 'IoSubsys\BSUDF.VXD': Ver=3.27.1, size=205484 bytes, created 16/04/02 16:46:54
File 'IoSubsys\CDRBSVSD.VXD': Ver=1.1.1, size=8783 bytes, created 20/09/99 01:11:00

I hope that from the above you are able to point me to the final solution.

Thank you for your help to date.

#5
g2i2r4

Posted 03 July 2005 - 04:29 AM

retired HiJack Helper

Retired Staff
5,080 posts

Copy everything in the code box below and paste it into notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as wininet.bat on your desktop.

dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt

Double click wininet.bat and when it is ready it will open files.txt
Copy the content of files.txt and paste it here.

We need to be carefull and do this in a few steps.

#6
tony howes

Posted 03 July 2005 - 05:07 AM

Member

Topic Starter
Member
11 posts

dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt

#7
g2i2r4

Posted 03 July 2005 - 06:26 AM

retired HiJack Helper

Retired Staff
5,080 posts

Copy everything in the code box below and paste it into notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as wininet.bat on your desktop.

You need to make the wininet.bat this way.

Double click wininet.bat and when it is ready it will open files.txt
Copy the content of files.txt and paste it here.

I need to see the content of the files.txt

It will take some time before it's ready. We cannot move on till we have that info.

#8
tony howes

Posted 03 July 2005 - 07:29 AM

Member

Topic Starter
Member
11 posts

Sorry, I realised what I had done wrong, however, I was not able to do a copy and paste from the TXT box that appeared.

The content of that box however was as follows:

C:\Windows\Desktop>dir \wininet.dll /a h/s > files.txt
Too many parameters - h

C:\WINDOWS\Desktop>start notepad files.txt

C:\ Windows\Desktop>

I hope that this time I have managed to answer the question.

#9
g2i2r4

Posted 03 July 2005 - 08:41 AM

retired HiJack Helper

Retired Staff
5,080 posts

Not yet, but we will get there :tazz:

dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt

open notepad to an empty file.

Move to this screen

select the purple textlines. Go to "edit" - "copy".

Move to notepad
Go to "edit" - "paste"

Go up to "File > Save As..."

click the drop-down box to change the "Save As Type" to "All Files".

Save it as wininet.bat on your desktop.

Close Notepad.

Doubleclick the file winninet.bat we just made and wait till it is all done.

Then copy the text that appeared to your reply here.

Edited by g2i2r4, 03 July 2005 - 08:41 AM.

#10
tony howes

Posted 03 July 2005 - 08:53 AM

Member

Topic Starter
Member
11 posts

Again the response would not let me copy and paste.

The content this time was as follows:

C:\WINDOWS\Desktop>dir \wininet.dll \a h /s > files.txt
Too many parameters - h

C:\Windows\Desktop>start notepad files.txt

#11
g2i2r4

Posted 03 July 2005 - 09:28 AM

retired HiJack Helper

Retired Staff
5,080 posts

C:\WINDOWS\Desktop>dir \wininet.dll \a h /s > files.txt

This cannot possibly be done with copy and paste.

Note the difference:
\wininet.dll \a h /s > files.txt <yours
\wininet.dll /a h /s > files.txt <mine

#12
tony howes

Posted 03 July 2005 - 09:50 AM

Member

Topic Starter
Member
11 posts

Sorry, My Typo! Correct version as follows:

C:\Windows\Desktop>dir \wininet.dll /a h/s > files.txt
Too many parameters - h

C:\WINDOWS\Desktop>start notepad files.txt

#13
g2i2r4

Posted 03 July 2005 - 10:33 AM

retired HiJack Helper

Retired Staff
5,080 posts

This is the correct way to type it:
\wininet.dll /a h /s

note the space before slash+a
note the space before h
note the space before slash+s

Please try again. If you copy and paste the text nothing can go wrong there.

Copy everything in the box below and paste it into notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as wininet.bat on your desktop.

dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt

Double click wininet.bat and when it is ready it will open files.txt
Copy the content of files.txt and paste it here.

#14
tony howes

Posted 03 July 2005 - 10:49 AM

Member

Topic Starter
Member
11 posts

I have copied and Pasted the text again and saved to the Desktop as wininet.bat

The text in the box that results is as follows, but this does not look to me to be any different from before:

C:\WINDOWS\Desktop>dir \wininet.dll /a h /s > files.txt
Too many parameters - h

C:\WINDOWS\Desktop>start notepad files.txt

C:\WINDOWS\Desktop>

Sorry but I know not what else I can do as I believe that I am following your instructions/guidance to the letter.