fltmgr.dll not a valid window image [CLOSED]

#1
sops16 (New Member)

I'm working on a friend's PC. Basically everything that I do gets this error:
Bad image. c:\windows\system32\fltmgr.dll

Here is my hijack log

Logfile of HijackThis v1.99.1
Scan saved at 12:55:31 PM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\combo.exe
C:\WINDOWS\deobodol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Documents and Settings\Nic\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presari...&c=1c02&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: - {4D8079C3-78F3-49F1-A8E2-A9A29CF4C4BA} - C:\WINDOWS\lbbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot13\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [CpPucgC] C:\WINDOWS\deobodol.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [# K"h'9Ӝ3rWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\deobodol.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\
O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {EDF35C6E-B830-449B-BDE6-0F09CEB9E913} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {020685D1-19B7-52EC-FF68-038335B7FCEC} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {1FBBE6D8-67B4-55CB-D15E-6CE65B47DEF3} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {2232779D-FAB5-144B-30DD-078A67D9DBC8} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {3D6DDB1B-5FB3-6306-530B-37F7137BE12A} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {3E1F7E55-4189-46F6-D03C-142111D889C4} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {58A6BC96-A1FD-3FB7-3E8B-700652330B40} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {599F61F9-A6B9-30CE-2C01-05032742C228} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {5E16B1D3-CEB3-5A99-566A-0E7761CA0E56} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {62C6A0F4-F0AD-6439-649D-292B3A7F87CB} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7FC71948-7443-2CE6-9488-35CC38D07580} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FBE046E-5472-44AB-8B82-8DE37A5A322A}: NameServer = 160.10.4.9,160.10.2.5
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Can anyone help me with this?

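The helper's reply below works through this log by hand, picking out the stacked O10 Winsock LSP entries that point at a file HijackThis does not recognise, Run entries that name a bare executable or an .exe dropped straight into the Windows directory, a BHO registered without a name, and ActiveX download points served from a raw IP address. The following script is an added example, not code from the thread or from HijackThis; it encodes those same triage heuristics over HijackThis v1.99.1 log lines. The sample lines are copied from the log above and constructed into a small input so the script runs offline.

```python
"""Triage heuristics over HijackThis v1.99.1 log lines (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in the post above,
# mixing entries the helper asked to fix with entries that are legitimate.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: - {4D8079C3-78F3-49F1-A8E2-A9A29CF4C4BA} - C:\WINDOWS\lbbho.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [CpPucgC] C:\WINDOWS\deobodol.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O16 - DPF: {020685D1-19B7-52EC-FF68-038335B7FCEC} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
"""

# "O4 - HKLM\..\Run: [name] command" and friends; R/O sections only.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')
WINDOWS_ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\WINDOWS\\[^\\]+\.exe"?$', re.IGNORECASE)
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a triage heuristic."""
    findings: list[Finding] = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        section, body = m.group("section"), m.group("body")
        if section == "O2" and body.startswith("BHO: -"):
            findings.append(Finding(section, "browser helper object registered without a name", line))
        elif section == "O4":
            r = RUN_RE.match(body)
            if r is None:
                continue  # Global Startup .lnk entries are not checked here
            cmd = r.group("cmd").strip()
            if cmd.lower().startswith("rundll32"):
                continue  # the loader, not the payload; the DLL argument needs its own look
            if not FULL_PATH_RE.match(cmd):
                findings.append(Finding(section, "Run entry names a bare executable resolved via PATH", line))
            elif WINDOWS_ROOT_EXE_RE.match(cmd):
                findings.append(Finding(section, "Run entry launches an .exe placed directly in the Windows directory", line))
        elif section == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            findings.append(Finding(section, "Winsock LSP loads a file HijackThis does not recognise", line))
        elif section == "O16" and RAW_IP_URL_RE.search(body):
            findings.append(Finding(section, "ActiveX download point served from a raw IP address", line))
    return findings


def lsp_files(findings: list[Finding]) -> dict[str, int]:
    """Count how many LSP catalog entries reference each unknown file."""
    counts: dict[str, int] = {}
    for f in findings:
        if f.section == "O10":
            path = f.line.split("Winsock LSP:", 1)[1].strip().lower()
            counts[path] = counts.get(path, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:4} {f.reason}\n     {f.line}")
    print(lsp_files(found))
```

Run it against a full saved log by replacing `SAMPLE_LOG` with the file contents; the LSP count matters because each stacked catalog entry has to be removed, which is why the helper lists fltmgr.dll three times for LSPfix. The heuristics are deliberately conservative: a legitimate program under Program Files with a full path produces no finding, while a bare name like `combo.exe` does.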
#2
Guest_thatman_* (Guest)

Hi sops16

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install Ad-Aware.
Check here on how to set up and use it; please make sure you update it first. Don't run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Please download SpyBot V1.4 (http://www.majorgeek...wnload2471.html). Update the program, then run it.

Download Ewido Trojans and malware remover http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-update. Don't run it yet.

Use Add/Remove Programs to uninstall the following:
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
C:\Program Files\SideFind\sfbho.dll
C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
C:\program files\180solutions\sais.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
Reboot into Safe Mode: please see here if you are not sure how to do this.

Run LSPfix and place a check against the I know what I am doing checkbox.
Highlight every instance of the following names and move them from the Keep to the Remove panel. Be sure to move nothing other than the files listed below!
fltmgr.dll
fltmgr.dll
fltmgr.dll

When done, click on Finish to exit the program; do not use the X in the top right-hand corner as nothing will happen!


Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to Start > Run, type Prefetch into the box, and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: (no name) - _{30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: - {4D8079C3-78F3-49F1-A8E2-A9A29CF4C4BA} - C:\WINDOWS\lbbho.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [CpPucgC] C:\WINDOWS\deobodol.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [# K"h'9Ӝ3rW C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\deobodol.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\
O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab

Click on Fix Checked when finished and exit HijackThis.

Run Ad-Aware SE and let it remove all it finds.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press OK to remove.

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\system32\combo.exe
C:\windows\system32\combop.exe
C:\WINDOWS\deobodol.exe
C:\WINDOWS\DOWNLO~1\ipreg32.dll
C:\WINDOWS\SYSTEM\Loader.dll
C:\WINDOWS\lbbho.dll
c:\windows\system\BHOmod.dll
C:\WINDOWS\winsx.dll
C:\WINDOWS\system32\msbe.dll
C:\PROGRA~1\YOURSI~1\ysb.dll
C:\windows\system32\gclib.exe
C:\windows\system32\msxct.exe
C:\windows\system32\rlvknlg.exe

Let the system reboot.

Please download, install and run this disk cleanup utility called CleanUp version 4.0: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders (a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also clean out the Prefetch folder and the Recycle Bin. When the scan has finished, click the Close button.
When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs from Panda, Ewido and HijackThis. We will need them to remove previous infections that have left files on your system.

Kc :tazz:

#3
sops16 (Topic Starter)

I can't connect to the internet using that PC. I could transfer the programs over using a USB drive, but I would not be able to update them... Any suggestions?

#4
Guest_thatman_* (Guest)

Hi sops16

There is a freeware application called WinSock XP Fix 1.2 that will create a backup of your registry and then repair any Registry entries that may have been affected by the adware removal tools. This does NOT remove the stack and force you to reload Winsock, which is what the Microsoft solution above does.

Winsock XP fix 1.2 can be found at freeware sites, as well as http://www.spychecke...nsockxpfix.html

Kc :tazz:

#5
sops16 (Topic Starter)

When running Ewido it hangs up scanning the memory: memory section [120] VM_7FFEE0000. Should I just skip this step?

#6
Guest_thatman_* (Guest)

Hi sops16

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs from Panda and HijackThis. We will need them to remove previous infections that have left files on your system.

Kc :tazz:

#7
sops16 (Topic Starter)

I can't seem to find the free online virus scan on that site...

#8
Guest_thatman_* (Guest)

Hi sops16

You need to use Internet Explorer to do the Panda scan.
You will find the free scan at the bottom of the page left hand side.

http://www.pandasoft...ome/default.asp

Kc :tazz:

#9
sops16 (Topic Starter)

OK, I ran the scan...

Logfile of HijackThis v1.99.1
Scan saved at 10:18:54 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Nic\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presari...&c=1c02&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: - {4D8079C3-78F3-49F1-A8E2-A9A29CF4C4BA} - C:\WINDOWS\lbbho.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot13\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [CpPucgC] C:\WINDOWS\deobodol.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {EDF35C6E-B830-449B-BDE6-0F09CEB9E913} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {020685D1-19B7-52EC-FF68-038335B7FCEC} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {1FBBE6D8-67B4-55CB-D15E-6CE65B47DEF3} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {2232779D-FAB5-144B-30DD-078A67D9DBC8} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {3D6DDB1B-5FB3-6306-530B-37F7137BE12A} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {3E1F7E55-4189-46F6-D03C-142111D889C4} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {58A6BC96-A1FD-3FB7-3E8B-700652330B40} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {599F61F9-A6B9-30CE-2C01-05032742C228} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {5E16B1D3-CEB3-5A99-566A-0E7761CA0E56} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {62C6A0F4-F0AD-6439-649D-292B3A7F87CB} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7FC71948-7443-2CE6-9488-35CC38D07580} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Here is the other log...

Incident Status Location

Adware:Adware/Puper No disinfected C:\WINDOWS\winsx.dll
Virus:Bck/Azirdep.A Disinfected Operating system
Spyware:spyware/istbar No disinfected C:\DOCUMENTS AND SETTINGS\NIC\START MENU\WEB-Search.url
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\NIC\FAVORITES\GOING PLACES\Air Tickets.lnk
Adware:adware/gigabar No disinfected C:\DOCUMENTS AND SETTINGS\NIC\DESKTOP\Adware Remover.url
Adware:adware/look2me No disinfected C:\DOCUMENTS AND SETTINGS\NIC\DESKTOP\Online Dating.url
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM32\bbchk.exe
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\SYSTEM32\dsmanager.dll
Adware:adware/exactsearch No disinfected C:\WINDOWS\SYSTEM32\exdl.exe
Spyware:spyware/marketscore No disinfected C:\WINDOWS\SYSTEM32\rk.bin
Adware:adware/sbsoft No disinfected C:\WINDOWS\SYSTEM32\winsx.dll
Spyware:spyware/yoursitebar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ysbactivex.dll
Adware:adware/sidefind No disinfected C:\DOCUMENTS AND SETTINGS\NIC\LOCAL SETTINGS\TEMP\sidefind.exe
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\alchem.inf
Adware:adware/azesearch No disinfected C:\DOCUMENTS AND SETTINGS\NIC\FAVORITES\PHARMACY\[bleep] Enlargement.url
Adware:adware/twain-tech No disinfected C:\WINDOWS\mxTarget.dll
Spyware:spyware/new.net No disinfected C:\WINDOWS\NDNuninstall4_85.exe
Spyware:spyware/dyfuca No disinfected C:\WINDOWS\nem220.dll
Spyware:spyware/altnet No disinfected C:\PROGRAM FILES\Altnet
Adware:adware/navhelper No disinfected C:\PROGRAM FILES\Ares
Adware:adware/myway No disinfected C:\PROGRAM FILES\MyWay
Adware:adware/keenvalue No disinfected C:\PROGRAM FILES\PerfectNav
Adware:adware/powerscan No disinfected C:\PROGRAM FILES\Power Scan
Adware:adware/ncase No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SAIS
Adware:adware/apropos No disinfected HKEY_CURRENT_USER\SOFTWARE\POP
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Spyware:spyware/iehelp No disinfected HKEY_CLASSES_ROOT\CLSID\{031B6D43-CBC4-46A5-8E46-CF8B407C1A33}
Adware:adware/wupd No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\AMEOPT
Adware:adware/looksmart No disinfected HKEY_CLASSES_ROOT\TypeLib\{EDD3B3E9-3FFD-4836-A6DE-D4A9C473A971}
Adware:adware/activesearch No disinfected HKEY_CLASSES_ROOT\Interface\{cabbb49a-4d7b-415b-8250-15c3b854e9ff}
Adware:adware/superspider No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
Adware:adware/brilliantdigital No disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Spyware:Spyware/Iehelp No disinfected C:\Documents and Settings\Nic\Application Data\SysDown\sys01940.exe
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Nic\Local Settings\Temp\1DAbdJ.exe
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\Nic\Local Settings\Temp\4CNGvW.exe
Virus:Bck/Azirdep.A Disinfected C:\Documents and Settings\Nic\Local Settings\Temp\61.tmp
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Nic\Local Settings\Temp\bybcaoe.exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Nic\Local Settings\Temp\istsvc.exe
Adware:Adware/SideFind No disinfected C:\Documents and Settings\Nic\Local Settings\Temp\sidefind.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\BullsEye Network\bin\adv.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\BullsEye Network\bin\adx.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\BullsEye Network\Uninstall.exe
Adware:Adware/TopRebates No disinfected C:\Program Files\Lime_Shop\Limeshop0.exe
Adware:Adware/NavHelper No disinfected C:\Program Files\NavExcel\NavHelper\v2.0.4d\NHelper.dll
Adware:Adware/NavHelper No disinfected C:\Program Files\NavExcel\NavHelper\v2.0.4d\NHUninstaller.exe
Possible Virus. No disinfected C:\Program Files\NavExcel\NavHelper\v2.0.4d\NHUpdater.exe
Adware:Adware/NavHelper No disinfected C:\Program Files\NavExcel\NavHelper\v2.0.4d\v2.0.4d.cab[NHelper.dll]
Adware:Adware/NavHelper No disinfected C:\Program Files\NavExcel\NavHelper\v2.0.4d\v2.0.4d.cab[NHUninstaller.exe]
Possible Virus. No disinfected C:\Program Files\NavExcel\NavHelper\v2.0.4d\v2.0.4d.cab[NHUpdater.exe]
Spyware:Spyware/New.net No disinfected C:\Program Files\NewDotNet\uninstall6_38.exe
Spyware:Spyware/New.net No disinfected C:\Program Files\NewDotNet\__delete_on_reboot__newdotnet6_38.dll
Adware:Adware/KeenValue No disinfected C:\Program Files\PerfectNav\BHO\PerfectNav150c.dll
Adware:Adware/PowerScan No disinfected C:\Program Files\Power Scan\uninstall.exe
Adware:Adware/SideFind No disinfected C:\Program Files\SideFind\sfbho.dll
Spyware:Spyware/YourSiteBar No disinfected C:\Program Files\YourSiteBar\ysb.dll
Virus:Trj/Lowzones.GG Disinfected C:\web.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\bybcaoe.exe
Spyware:Spyware/Iehelp No disinfected C:\WINDOWS\Downloaded Program Files\__delete_on_reboot__ipreg32.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Possible Virus. No disinfected C:\WINDOWS\mxTarget.dll
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_85.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_30.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\nem220.dll
Virus:Bck/Azirdep.A Disinfected C:\WINDOWS\system32\down0.exe
Virus:Bck/Combo.B Disinfected C:\WINDOWS\system32\down2.exe
Adware:Adware/Searcher No disinfected C:\WINDOWS\system32\down3.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\exdl.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\exdl0.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\exdl1.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\exul.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\exul1.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\javexulm.vxd
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\mqexdlm.srg
Adware:Adware/SBSoft No disinfected C:\WINDOWS\system32\webdlg32.dll
Adware:Adware/SBSoft No disinfected C:\WINDOWS\system32\webdlg32.inf
Adware:Adware/Puper No disinfected C:\WINDOWS\system32\winsx.dll
Adware:Adware/Popup.pop No disinfected C:\WINDOWS\system32\winsx.inf
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\__delete_on_reboot__msbe.dll
Adware:Adware/SBSoft No disinfected C:\WINDOWS\webdlg32.dll
Adware:Adware/SBSoft No disinfected C:\WINDOWS\webdlg32.inf
Adware:Adware/Puper No disinfected C:\WINDOWS\winsx.dll
Adware:Adware/Popup.pop No disinfected C:\WINDOWS\winsx.inf
Adware:Adware/RelatedLinks No disinfected C:\WINDOWS\__delete_on_reboot__lbbho.dll
What's next...
  • 0
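The Panda ActiveScan report above is long and lists the same path more than once (Windows paths are case-insensitive, so `C:\WINDOWS\INF\alchem.inf` and `C:\WINDOWS\inf\alchem.inf` are one file). As an added example that is not part of the original thread or of Panda's own tooling, the following Python parses report lines of that shape, separates filesystem paths from registry keys, and produces a deduplicated list of what the scanner flagged but did not clean, which is exactly the list a helper has to build by hand before the next step. The sample input is a handful of lines excerpted from the report above; the regex and the field names are my own assumptions about the report format, not Panda's documented output.

```python
import re

# One line of the Panda ActiveScan report quoted in this thread looks like:
#   <Category>:<detection name> <status> <file path or registry key>
# where <status> is "Disinfected" or "No disinfected" (Panda's wording).
# The name is matched non-greedily so a line with the space missing before
# the status word (as happens once in the report above) still parses.
LINE_RE = re.compile(
    r"^(?P<name>.*?)\s*(?P<status>No disinfected|Disinfected)\s+(?P<target>.+?)\s*$"
)

# Constructed sample: a few lines excerpted from the report posted above,
# including one duplicate path that differs only in case and one line
# where the space before "No disinfected" is missing.
SAMPLE_REPORT = r"""Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\alchem.inf
Spyware:spyware/iehelp No disinfected HKEY_CLASSES_ROOT\CLSID\{031B6D43-CBC4-46A5-8E46-CF8B407C1A33}
Adware:adware/brilliantdigitalNo disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Virus:Bck/Azirdep.A Disinfected C:\Documents and Settings\Nic\Local Settings\Temp\61.tmp
Possible Virus. No disinfected C:\WINDOWS\mxTarget.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Adware:Adware/NavHelper No disinfected C:\Program Files\NavExcel\NavHelper\v2.0.4d\v2.0.4d.cab[NHelper.dll]
Virus:Trj/Lowzones.GG Disinfected C:\web.exe
"""


def parse_line(line):
    """Return a record for one report line, or None if it is not a detection line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    return {
        "name": m.group("name").strip(),
        "cleaned": m.group("status") == "Disinfected",
        "target": target,
        # Registry entries start with a hive name; everything else is a path.
        "kind": "registry" if target.upper().startswith("HKEY_") else "file",
    }


def parse_report(text):
    """Parse every detection line of a report; non-matching lines are skipped."""
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def _remaining(records, kind):
    # Dedupe case-insensitively, keeping the first spelling seen.
    seen = {}
    for rec in records:
        if rec["kind"] == kind and not rec["cleaned"]:
            seen.setdefault(rec["target"].lower(), rec["target"])
    return sorted(seen.values(), key=str.lower)


def remaining_files(records):
    """Unique file paths the scanner flagged but could not clean."""
    return _remaining(records, "file")


def remaining_registry_keys(records):
    """Unique registry keys the scanner flagged but could not clean."""
    return _remaining(records, "registry")


def summarize(records):
    """Counts a helper would want before writing the next set of instructions."""
    flagged_files = [r for r in records if r["kind"] == "file" and not r["cleaned"]]
    files = remaining_files(records)
    return {
        "total": len(records),
        "cleaned": sum(1 for r in records if r["cleaned"]),
        "remaining_files": len(files),
        "duplicate_file_lines": len(flagged_files) - len(files),
        "remaining_registry": len(remaining_registry_keys(records)),
    }


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(summarize(recs))
    for path in remaining_files(recs):
        print("file    ", path)
    for key in remaining_registry_keys(recs):
        print("registry", key)
```

Run it against the full report pasted above and the file list comes out with each path once, which is what a Killbox or manual-deletion list should contain; the registry keys come out separately because they need a different tool than file deletion.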

#10
Guest_thatman_*
  • Guest
Hi sops16

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install Ad-Aware SE.
Click here for how to set up and use it; please make sure you update it first. Don't run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Use Windows Add/Remove Programs to uninstall the following:
c:\program files\180solutions
C:\Program Files\BullsEye Network
C:\Program Files\Lime_Shop
C:\Program Files\NavExcel\NavHelper
C:\Program Files\NewDotNet
C:\Program Files\PerfectNav
C:\Program Files\Power Scan
C:\Program Files\SideFind
C:\Program Files\YourSiteBar
C:\PROGRAM FILES
C:\PROGRAM FILES\Ares
C:\PROGRAM FILES\MyWay
Exit Add/Remove Programs.

Now delete the following folders:
c:\program files\180solutions <-- Delete the whole folder
C:\Program Files\BullsEye Network <-- Delete the whole folder
C:\Program Files\Lime_Shop <-- Delete the whole folder
C:\Program Files\NavExcel <-- Delete the whole folder
C:\Program Files\PerfectNav <-- Delete the whole folder
C:\Program Files\Power Scan <-- Delete the whole folder
C:\Program Files\SideFind <-- Delete the whole folder
C:\Program Files\YourSiteBar <-- Delete the whole folder
C:\PROGRAM FILES\Altnet <-- Delete the whole folder
C:\PROGRAM FILES\Ares <-- Delete the whole folder
C:\PROGRAM FILES\MyWay <-- Delete the whole folder
C:\web.exe <-- Delete the whole folder


Reboot into Safe Mode. Please see here if you are not sure how to do this: http://www.xtra.co.nz/help/0,,6156-1377929,00.html#4

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll (file missing)
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: - {4D8079C3-78F3-49F1-A8E2-A9A29CF4C4BA} - C:\WINDOWS\lbbho.dll (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (file missing)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [CpPucgC] C:\WINDOWS\deobodol.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot
O16 - DPF: {020685D1-19B7-52EC-FF68-038335B7FCEC} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {1FBBE6D8-67B4-55CB-D15E-6CE65B47DEF3} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {2232779D-FAB5-144B-30DD-078A67D9DBC8} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {3D6DDB1B-5FB3-6306-530B-37F7137BE12A} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {3E1F7E55-4189-46F6-D03C-142111D889C4} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab

O16 - DPF: {58A6BC96-A1FD-3FB7-3E8B-700652330B40} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {599F61F9-A6B9-30CE-2C01-05032742C228} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {5E16B1D3-CEB3-5A99-566A-0E7761CA0E56} - http://205.252.161.238/1/gdnUS1859.exe
O16 - DPF: {62C6A0F4-F0AD-6439-649D-292B3A7F87CB} - http://205.252.161.238/1/gdnUS1859.exe
Click on Fix Checked when finished and exit HijackThis.

Run Ad-Aware SE and let it remove all it finds.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press OK to remove them.

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\deobodol.exe
C:\windows\system32\msxct.exe
C:\windows\system32\rlvknlg.exe
C:\WINDOWS\system32\combo.exe
C:\windows\system32\combop.exe
C:\WINDOWS\winsx.dll
C:\DOCUMENTS AND SETTINGS\NIC\START MENU\WEB-Search.url
C:\DOCUMENTS AND SETTINGS\NIC\FAVORITES\GOING PLACES\Air Tickets.lnk
C:\DOCUMENTS AND SETTINGS\NIC\DESKTOP\Adware Remover.url
C:\DOCUMENTS AND SETTINGS\NIC\DESKTOP\Online Dating.url
C:\WINDOWS\SYSTEM32\bbchk.exe
C:\WINDOWS\SYSTEM32\dsmanager.dll
C:\WINDOWS\SYSTEM32\exdl.exe
C:\WINDOWS\SYSTEM32\rk.bin
C:\WINDOWS\SYSTEM32\winsx.dll
C:\WINDOWS\DOWNLOADED PROGRAM FILES\ysbactivex.dll
C:\DOCUMENTS AND SETTINGS\NIC\LOCAL SETTINGS\TEMP\sidefind.exe
C:\WINDOWS\INF\alchem.inf
C:\WINDOWS\mxTarget.dll
C:\WINDOWS\NDNuninstall4_85.exe
C:\WINDOWS\nem220.dll
C:\Documents and Settings\Nic\Application Data\SysDown\sys01940.exe
C:\Documents and Settings\Nic\Local Settings\Temp\1DAbdJ.exe
C:\Documents and Settings\Nic\Local Settings\Temp\4CNGvW.exe
C:\Documents and Settings\Nic\Local Settings\Temp\61.tmp
C:\Documents and Settings\Nic\Local Settings\Temp\bybcaoe.exe
C:\Documents and Settings\Nic\Local Settings\Temp\istsvc.exe
C:\Documents and Settings\Nic\Local Settings\Temp\sidefind.exe
C:\WINDOWS\bybcaoe.exe
C:\WINDOWS\Downloaded Program Files\__delete_on_reboot__ipreg32.dll
C:\WINDOWS\inf\alchem.inf
C:\WINDOWS\mxTarget.dll
C:\WINDOWS\NDNuninstall4_85.exe
C:\WINDOWS\NDNuninstall6_30.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\nem220.dll
C:\WINDOWS\system32\down0.exe
C:\WINDOWS\system32\down2.exe
C:\WINDOWS\system32\down3.exe
C:\WINDOWS\system32\exdl.exe
C:\WINDOWS\system32\exdl0.exe
C:\WINDOWS\system32\exdl1.exe
C:\WINDOWS\system32\exul.exe
C:\WINDOWS\system32\exul1.exe
C:\WINDOWS\system32\javexulm.vxd
C:\WINDOWS\system32\mqexdlm.srg
C:\WINDOWS\system32\webdlg32.dll
C:\WINDOWS\system32\webdlg32.inf
C:\WINDOWS\system32\winsx.dll
C:\WINDOWS\system32\winsx.inf
C:\WINDOWS\system32\__delete_on_reboot__msbe.dll
C:\WINDOWS\webdlg32.dll
C:\WINDOWS\webdlg32.inf
C:\WINDOWS\winsx.dll
C:\WINDOWS\winsx.inf
C:\WINDOWS\__delete_on_reboot__lbbho.dll
Let the system reboot.

Now try and run ewido

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary Internet files for all user profiles. Also clean out the Prefetch folder and the Recycle Bin. When the scan has finished, click the Close button.
When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs from Panda and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#11
Guest_thatman_*
  • Guest
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
