Pop-Ups, Crashes and Error Messages

#16
coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Take this one step at a time. Reboot into safe mode and make sure all files are showing. Using explorer, navigate to these files and delete them.

C:\WINDOWS\SYSTEM\SUPDATE.DLL
C:\WINDOWS\UNUVMZ.EXE
C:\WINDOWS\SYSTEM\TUAE.EXE
C:\WINDOWS\SYSTEM\SUPDATE.DLL
C:\WINDOWS\UNUVMZ.EXE
C:\WINDOWS\Start Menu\Programs\StartUp\rtrn.exe
C:\WINDOWS\SYSTEM\msbe.dll
C:\WINDOWS\Start Menu\Programs\GAIN Publishing
C:\WINDOWS\CERES.DLL
C:\WINDOWS\SYSTEM\stlb2.xml
C:\WINDOWS\SYSTEM\UpdInst.exe
C:\WINDOWS\SYSTEM\msbe.dll
C:\WINDOWS\SYSTEM\tuae.exe
C:\WINDOWS\SYSTEM\redit.cpl
C:\WINDOWS\SYSTEM\sdkga.exe
C:\WINDOWS\SYSTEM\sdkok.exe
C:\WINDOWS\SYSTEM\stlb2.xml
C:\WINDOWS\SYSTEM\crub32.exe
C:\WINDOWS\INF\banner.inf
C:\WINDOWS\TEMP\backups\backup-20050710-213205-512-rtrn.exe
C:\WINDOWS\TEMP\backups\backup-20050710-213210-573.dll
C:\WINDOWS\TEMP\upd206.exe
C:\WINDOWS\TEMP\upd207.exe
C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
C:\WINDOWS\CERES.DLL
C:\WINDOWS\Start Menu\Programs\StartUp\rtrn.exe
C:\WINDOWS\GatorHDPlugin.log
C:\WINDOWS\GatorHDPlugin.log-old.log
C:\WINDOWS\unuvmz.exe
C:\WINDOWS\addlx.dll
C:\WINDOWS\addsz32.dll
C:\WINDOWS\d3gh.dll
C:\WINDOWS\ru.exe
C:\WINDOWS\wvwpb.dat
C:\WINDOWS\nunrokk.dll
C:\WINDOWS\hmhrna.exe
C:\WINDOWS\iniuq.dll
C:\RECYCLED\DC4.EXE
  • 0

#17
drb0605 (Member, Topic Starter, 23 posts)
Finished with deletions - 6 were repeated elsewhere in the list, 5 weren't found - see below for exceptions:

DUPLICATE - C:\WINDOWS\SYSTEM\SUPDATE.DLL

DUPLICATE - C:\WINDOWS\UNUVMZ.EXE

CAN'T LOCATE - C:\WINDOWS\SYSTEM\msbe.dll

CAN'T LOCATE - C:\WINDOWS\SYSTEM\tuae.exe (although I've seen tuae somewhere in my travels over the last few days)

DELETED - C:\WINDOWS\Start Menu\Programs\GAIN Publishing
ALSO DELETED GAIN PUBLISHING WEBSITE SHORTCUT

DUPLICATE - C:\WINDOWS\SYSTEM\stlb2.xml

DUPLICATE - C:\WINDOWS\CERES.DLL

CAN'T LOCATE - (ALTHOUGH I DID FIND WITHOUT "-RTRN.EXE")
C:\WINDOWS\TEMP\backups\backup-20050710-213205-512-rtrn.exe

CAN'T LOCATE -
C:\WINDOWS\TEMP\backups\backup-20050710-213210-573.dll

CAN'T LOCATE - C:\WINDOWS\Downloaded Program Files\ysbactivex.inf

DUPLICATE - C:\WINDOWS\Start Menu\Programs\StartUp\rtrn.exe

DUPLICATE - C:\WINDOWS\unuvmz.exe

CAN'T LOCATE - C:\WINDOWS\hmhrna.exe

CAN'T LOCATE - C:\RECYCLED\DC4.EXE

Received rundll error message upon startup: error loading .... can't find "supdate.dll". Said "OK" and proceeded to here.

Now what? :tazz:

I'm off to work, so will get back on when I'm home tonight. Still rainy here, but that's OK today. Have a good one, and thank you very much. ;)

Debbie
  • 0

#18
coachwife6 (SuperStar, Retired Staff, 11,413 posts)
1. Run CleanUp! Here is the download location.

http://www.stevengou...ftware/cleanup/
2. Try to run Ad-Aware again.
3. Run Panda again and give me the log.
4. Run HijackThis again and give me the log.

I hope you stay dry today. I think we are going swimming.
  • 0

#19
drb0605 (Member, Topic Starter, 23 posts)
Good morning! ;)

All done as requested. A few things before I add the logs you asked for .....

1 - Shutting down seems OK
2 - Always get error message - RUNDLL - on startup: Error loading, can't find SUPDATE.DLL. I hit OK, and everything seems OK.
3 - Occasionally get error message - MICROSOFT VISUAL C++ on startup: Runtime has requested an unusual way to terminate C\WINDOWS\EXPLORER. If I hit OK on this one, everything freezes. This didn't happen this morning, but did several times last night.
4 - Right after startup, ZoneAlarm (my Yahoo firewall) almost always tells me that RUNDLL32.EXE is asking for access to the internet. I deny it. I've also gotten MARKETING58.EXE (CoolWeb) asking for access. I also deny it.

That being said ... here are the logs you've asked for:

Panda (found 40, disinfected 4)

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Search the web.url
Adware:Adware/Comet No disinfected Windows Registry
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Broadband comparison.url
Virus:Trj/Downloader.DMC Disinfected C:\WINDOWS\SYSTEM\crmp32.exe
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\SEARCH THE WEB.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Broadband comparison.url
Virus:Trj/Qoologic.E Disinfected C:\WINDOWS\dodbraa.exe
Virus:Trj/Qoologic.D Disinfected C:\WINDOWS\ogozhxx.dll
Virus:Trj/Qoologic.F Disinfected C:\WINDOWS\odopp.dll
Adware:Adware/BookedSpace No disinfected C:\RECYCLED\DC4.EXE
Adware:Adware/AdBehavior No disinfected C:\RECYCLED\DC27.DLL
Adware:Adware/Midaddle No disinfected C:\RECYCLED\DC29.EXE
Spyware:Spyware/BetterInet No disinfected C:\RECYCLED\DC34.DLL
Adware:Adware/Look2Me No disinfected C:\RECYCLED\DC36.EXE
Adware:Adware/AdBehavior No disinfected C:\RECYCLED\DC37.CPL
Adware:Adware/SearchAid No disinfected C:\RECYCLED\DC38.EXE
Adware:Adware/SearchAid No disinfected C:\RECYCLED\DC39.EXE
Adware:Adware/SearchAid No disinfected C:\RECYCLED\DC40.EXE
Spyware:Spyware/BetterInet No disinfected C:\RECYCLED\DC41.INF
Adware:Adware/Coupons No disinfected C:\RECYCLED\DC42.DLL
Adware:Adware/Look2Me No disinfected C:\RECYCLED\DC43.EXE
Adware:Adware/Look2Me No disinfected C:\RECYCLED\DC44.EXE
Adware:Adware/CWS.Aboutblank No disinfected C:\RECYCLED\DC47.DLL
Adware:Adware/CWS.Aboutblank No disinfected C:\RECYCLED\DC48.DLL
Adware:Adware/CWS.Aboutblank No disinfected C:\RECYCLED\DC49.DLL
Adware:Adware/Midaddle No disinfected C:\RECYCLED\DC50.EXE
Adware:Adware/AdBehavior No disinfected C:\RECYCLED\DC52.DLL
Adware:Adware/AdBehavior No disinfected C:\RECYCLED\DC53.DLL
Spyware:Spyware/BargainBuddy No disinfected C:\installer_MARKETING58.exe

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 11:45:26 PM, on 7/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\ZONEALARM FIREWALL\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\ZoneAlarm Firewall\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .gov/FOTWWebApp/StudentAccessServlet;jsessionid=000244XWKXDHJCKEFBCX5DYG5EA?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&faamode=undefined: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = sbcglobal.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,206.13.28.12

Now what??

Hope you had fun swimming yesterday. We're going to get hot and humid (think Houston) .... and hotter as we get into the weekend.

Thanks for your time, and I'll look for your reply. Have a good day! :help:

Debbie
  • 0

#20
coachwife6 (SuperStar, Retired Staff, 11,413 posts)
1. Error loading, can't find SUPDATE.DLL

Go to Start >> Run >> type in msconfig. Look for the start-up key and look for supdate.dll. Uncheck it.

2. Have you gone to add/remove programs and deleted:
Bargain Buddy
Save Now
Search Aid
PetroLine

3. Clean out your favorites!

4. Clean out:

C:\RECYCLED<<everything in this folder. Go through windows explorer (right click on start>>go to explorer and find the C:/Recycled folder. Click on that and look at everything on the right-hand side. Go to edit --across the top--click select all and right-click and hit delete. There may be some files that need to stay. Windows will prompt you.)

5. Find this folder and get rid of it:

C:\installer_MARKETING58.exe


6. Did you run adaware?

7. Are you running firewalls from Norton and Zone Alarm?

You're doing a great job. Keep up the good work, but don't rush. Enjoy your family. We will get this worked out. :tazz:
  • 0
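The RUNDLL "can't find SUPDATE.DLL" error in posts #17 and #19 is what an orphaned autostart entry looks like: the DLL was deleted, but the O4 line "[autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart" in the HijackThis log still points at it, and the msconfig step above removes that entry. The script below is an added example, not part of this thread or of HijackThis: it parses O4 lines from the posted log and reports entries whose target file is missing, using a constructed snapshot of which files remain on disk (the Win98 search-path directories and the simplified O4 syntax are assumptions).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt of the HijackThis O4 section posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
"""

# Constructed snapshot of what is still on disk after the deletions in post #17:
# SUPDATE.DLL is gone, everything else is present (stored lower-case for matching).
PRESENT_FILES = {
    r"c:\program files\common files\symantec shared\ccapp.exe",
    r"c:\windows\system\wucrtupd.exe",
    r"c:\windows\system\hidserv.exe",
    r"c:\windows\system\deskcp16.dll",
}

# Directories Windows searches for a bare file name (assumed Win98 layout).
SEARCH_PATH = (r"c:\windows", r"c:\windows\system")

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
RUNDLL_HOSTS = {"rundll", "rundll.exe", "rundll32", "rundll32.exe"}


@dataclass
class AutostartEntry:
    hive: str
    key: str
    name: str
    target: str       # the file that actually gets loaded at logon
    via_rundll: bool  # True when a DLL is hosted by rundll/rundll32


def _first_token(cmd: str) -> tuple[str, str]:
    """Split a command line into its first token (quoted or bare) and the rest."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:]
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4_line(line: str) -> AutostartEntry | None:
    """Parse one HijackThis O4 line; return None for any other line type."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    first, rest = _first_token(m["cmd"])
    via_rundll = first.lower() in RUNDLL_HOSTS
    if via_rundll:
        # rundll32 <dll>,<entrypoint>: the DLL, not rundll32, is the real payload.
        dll, _ = _first_token(rest)
        first = dll.split(",", 1)[0]
    return AutostartEntry(m["hive"], m["key"], m["name"], first, via_rundll)


def resolve(target: str, present: set[str]) -> str | None:
    """Return the on-disk path for target, or None when the file is missing."""
    t = target.lower()
    if "\\" in t:
        return t if t in present else None
    for directory in SEARCH_PATH:  # bare names are looked up along the search path
        candidate = directory + "\\" + t
        if candidate in present:
            return candidate
    return None


def orphaned_entries(log: str, present: set[str]) -> list[str]:
    """Names of O4 entries whose target no longer exists (the RUNDLL-error cases)."""
    orphans = []
    for line in log.splitlines():
        entry = parse_o4_line(line)
        if entry and resolve(entry.target, present) is None:
            orphans.append(entry.name)
    return orphans


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        entry = parse_o4_line(line)
        if entry:
            how = "via rundll" if entry.via_rundll else "direct"
            status = "ok" if resolve(entry.target, PRESENT_FILES) else "MISSING (startup error)"
            print(f"{entry.hive}\\{entry.key} [{entry.name}] {entry.target} ({how}): {status}")
```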

#21
drb0605 (Member, Topic Starter, 23 posts)
I'm baaaaaack ...............

First good stuff - When we started, my machine was running with about 7% systems free; now I'm up to between 63-75% free. Also, when we started, I was running 38 processes; now I'm running 21. I think all of this is good!

Question: Is it OK for me to allow "rundll32" internet access? Zone Alarm always alerts me to this after start-up and I'm currently denying access.


I copied your to-do list from 7/14 with my responses to your instructions:



1. Error loading, can't find SUPDATE.DLL

Go to Start >> Run >> type in msconfig. Look for the start-up key and look for supdate.dll. Uncheck it. I found "... supdate.dll,shstart" and deleted it.

2. Have you gone to add/remove programs and deleted:
Bargain Buddy
Save Now
Search Aid
PetroLine
Can't find any of these with add/remove programs, or just using find. Nothing deleted.

3. Clean out your favorites! What exactly do you mean by this?? I went through my "Favorites" folder and deleted a lot of bookmarks, but I have a lot of bookmarks that don't show up in "Favorites". Do you want me to find all my bookmarks/favorites and delete them? If so, where might I find the rest of them?

4. Clean out:

C:\RECYCLED<<everything in this folder. Go through windows explorer (right click on start>>go to explorer and find the C:/Recycled folder. Click on that and look at everything on the right-hand side. Go to edit --across the top--click select all and right-click and hit delete. There may be some files that need to stay. Windows will prompt you.) Had to select all and delete several times. There are now 10 files remaining in this folder.

5. Find this folder and get rid of it:

C:\installer_MARKETING58.exe I can't find this anywhere.

6. Did you run adaware? Yes, I've run it several times, and nothing is showing up bad as of an hour ago. P.S. I also downloaded Yahoo's Anti-Spy software and it found 8 things which I deleted. Did a rescan and it's coming up clean.

7. Are you running firewalls from Norton and Zone Alarm? Only Zone Alarm basic firewall. Norton is Anti-Virus only. Should I purchase another firewall in addition to using the free SBC Zone Alarm? If so, which one?

Can't wait for you to send me another note! I worked on this a bit Thursday night, but took Friday and Saturday "off" - good suggestion. Hope you had a good weekend, too!

Let me know how you want me to proceed .... Do you think I'm almost finished?

Thanks again for your help,

Debbie
  • 0

#22
coachwife6 (SuperStar, Retired Staff, 11,413 posts)
allow rundll32.exe.

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
(Description: Only appears in MSCONFIG if you have a Display Settings icon in the System Tray allowing resolution changes on the fly. Can also be disabled under Control Panel -> Display -> Settings -> Advanced -> General. Also appears if you have Win95 with the QuickRes "Powertoy" installed. This is unnecessary and can be removed to free up system resources.)

How is it running?
  • 0

#23
drb0605 (Member, Topic Starter, 23 posts)
Morning!

If I didn't know I still had a few bugs, I'd be pretty happy with how I'm running right now ..... all thanks to you! ;)

Could you please give me guidance on two final questions before we consider this situation fixed? ;)

Two files ask for internet access at startup:
- casstub.exe (found CasStub folder in C:\Program Files)
- M190309.exe (found using regedit in "Run" folder)

Internet research tells me casstub is bad, and I can find no information on M190309.

What should I do with these two? I feel like booting up in safe mode and just deleting the folder and file, but wanted to ask you first. :tazz:

I'll wait to hear back, and thank you very much again!

Debbie
  • 0

#24
coachwife6 (SuperStar, Retired Staff, 11,413 posts)
* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.


Go to start, run and type in msconfig

Look for this in the start-up tab if it's there:

casstub.exe

Let me know if it isn't. If it is, uncheck it.

Give me the exact location of the other exe:

M190309.exe


Right-click on it and tell me its properties.

Reboot into safe mode and find casstub.exe and delete it.

Use CleanUp! again.

Please give me a new

panda scan
silent runners
hijack this log


along with the other information I asked for. :tazz:
  • 0

#25
drb0605 (Member, Topic Starter, 23 posts)
Hi again from Wisconsin ... we're nearing 100 today and it's humid. My husband is still thinking of mowing the lawn, and I'm trying to convince him it's a bad idea! Well, on to the computer ......

Ran Silent Runner (had to download WMI), and here's the log:

2005-07-23 13.25.05
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"CriticalUpdate" = "c:\windows\SYSTEM\wucrtupd.exe -startup" [MS]
"QuickTime Task" = ""C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime" ["Apple Computer, Inc."]
"HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"Zone Labs Client" = "C:\Program Files\ZoneAlarm Firewall\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer" ["Symantec Corporation"]
"RegistryMechanic" = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"ccEvtMgr" = ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
"ScriptBlocking" = ""C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg" ["Symantec Corporation"]
"Hidserv" = "Hidserv.exe run" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"TrueVector" = "C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service" ["Zone Labs, LLC"]
"KB891711" = "c:\windows\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "CNavExtBho Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\DirectCD\shellex.dll" ["Adaptec"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange"
-> {CLSID}\InProcServer32\(Default) = "c:\PROGRA~1\MICROS~4\OFFICE\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "c:\PROGRA~1\MICROS~4\OFFICE\OLKFSTUB.DLL" [MS]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {CLSID}\InProcServer32\(Default) = "c:\WINDOWS\SYSTEM\VisShe.dll" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {CLSID}\InProcServer32\(Default) = "c:\WINDOWS\SYSTEM\VisShe.dll" [null data]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL" ["Yahoo! Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SSHOOK.DLL" ["InterMute, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\wzshlext.dll" [null data]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\wzshlext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\wzshlext.dll" [null data]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "c:\windows\Clouds.bmp"


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\MYSTIF~1.SCR" (Mystify Your Mind.scr) [MS]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"SpySubtract" -> shortcut to: "C:\Program Files\interMute\SpySubtract\SpySub.exe -autostart" ["InterMute, Inc."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\WINDOWS\ALLUSE~1\APPLIC~1\SYMANTEC\NORTON~1\TASKS\MYCOMP.SCA" ["Symantec Corporation"]
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [file not found]
"Windows Critical Update Notification" -> launches: "C:\WINDOWS\SYSTEM\WUCRTUPD.EXE" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\mswsosp.dll [MS], 1
c:\windows\SYSTEM\msafd.dll [MS], 2 - 4
c:\windows\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4D5C8C2A-D075-11D0-B416-00C04FB90376}" = "Microsoft CommBand" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\BROWSEUI.DLL" [MS]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL" ["Yahoo! Inc."]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL" ["Yahoo! Inc."]

{2499216C-4BA5-11D5-BD9C-000103C116D5}\
"ButtonText" = "Yahoo! Login"
"MenuText" = "Yahoo! Login"
"CLSIDExtension" = "{2499216C-4BA5-11D5-BD9C-000103C116D5}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL" ["Yahoo! Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 31 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 21 seconds.
---------- (total run time: 89 seconds)

I then unchecked casstub.exe in the start-up tab of msconfig.

I also unchecked M190309 because I found it there, too.

As for the exact location of M190309, I find it using regedit in:
hkey_local_machine
software
microsoft
windows
current version
run- (folder)

Properties of M190309:
Application
Size: 76.0kb, 81,920 bytes used
MSDOS name: M190309.exe
Created: 7/20/05 8:24:07
Modified: 7/20/04 8:24:08
Accessed: Saturday, 7/23/05
Archive
Version 2.0.000

I have not deleted M190309 yet.

I deleted casstub while in safe mode, and also found "Install_Marketing 58", which I also deleted, and ran Clean-Up again.

Here are the three additional scans/logs you'd requested:

Panda Scan (reported 244 infections not fixed)
PandaActivescan 072305 2200 hrs

Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MKJET35.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RXCLTC3.DLL
Spyware:spyware/yoursitebar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ysbactivex.inf
Adware:adware/transponder No disinfected C:\WINDOWS\abiuninst.htm
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Spyware:spyware/searchcentrix No disinfected HKEY_CURRENT_USER\SOFTWARE\DYNAMIC TOOLBAR
Adware:adware/consumeralertsystem No disinfected HKEY_CURRENT_USER\SOFTWARE\CAS
Adware:adware/comet No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\USERKEYS\COMETKEY
Spyware:spyware/istbar No disinfected HKEY_CLASSES_ROOT\YSBACTIVEX.INSTALLER
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MVU
Adware:adware/gator No disinfected HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLS
Adware:adware/powerscan No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\BANDREST
Adware:adware/ncase No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\SEARCH BAR_BAK
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MFFMIG32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MNJAVA.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\APIDIAG.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\FZAMEBUF.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MRDCTRL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IWMUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SAI_CI32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\LLRT.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\WMASPI32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\NMNDS.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\TGD32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DPKAPI32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RZANP.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MCXML3.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VSHELPER.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RZGWIZC.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\SJVRTGUI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\TBP3216S.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OATLCOMM.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\OJPRT400.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\swkoy.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\DCSERIAL.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\GNI32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CAL3D32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MTHTMLER.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\HQFCSA.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VGB32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MGCUIA32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\aripk32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wcv8dmod.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\domap.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\pbbole32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ggcwb.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\dWdref.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\HMFecp11.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ivoi.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mpvcp71.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ootext32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\dzmsgnet.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\nytha32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\CJMPPL32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\Shorts.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\cptb.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\aapwv.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM\winxm.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mbcbh.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM\craw32.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\nztel.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mgay32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ovdbse32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\awpoy.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\aklpk.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\stsgw.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\irsg32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\aditz.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\nhtvg32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\nmtup.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\jhpl400.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\axdzh32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\nrttg.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\dFil.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ibbd.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\iwbd.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\RXCLTC3.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\TKAPI.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\IWM32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\akibt.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\axikr.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MKJET35.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wwnetmgr.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\sjsml.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\mpcxr.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\wanqg32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\dknlobby.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\menv.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9364.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav93A0.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav32E3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav3323.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4020.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav4025.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav40D2.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav40F1.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav41F0.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav50F4.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav5104.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav52C3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav5301.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav5336.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav5384.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav60B2.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav6172.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav6182.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav62C3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7025.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7035.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7075.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7083.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7235.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7295.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav72D0.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav72E1.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav72F3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7303.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7331.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7343.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7345.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8031.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8043.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8060.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8082.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav80A2.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8141.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8164.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8172.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8182.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8194.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav81A5.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav81B3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav81E1.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav81F3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8212.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8230.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8233.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8243.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav82A3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav82E4.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav82F3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8302.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8315.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8322.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8325.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8331.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP
#26
coachwife6
    SuperStar
  • Retired Staff
  • 11,413 posts
Through Windows Explorer (right click on Start, go to Explore) and find this (don't do a search, but look for it):

C:\WINDOWS\ru.exe<<delete this (if it's there).

Also,

C:\WINDOWS\TEMP<<clean out all of these contents in the temp folder.

Please back up your registry. Read this.

1. Click Start > Run.
2. Type regedit

Then click OK.

3. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

4. In the right pane, delete the value:

"SSPY"="%Windir%\SSYTEM.EXE"

5. Navigate to the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion

6. In the right pane, set the value:

"load"=""

7. Exit the Registry Editor.

8. Restart the computer in Normal mode. For instructions, read the section on returning to Normal mode in the document, "How to start the computer in Safe Mode."

This is not the entire fix, but I have to go now. Do all the above and then give me a panda scan and a hijack this log.
#27
drb0605
    Member
  • Topic Starter
  • Member
  • 23 posts
I'm trying here, but I'm getting nervous and feeling kinda stupid ....

Here's your directions with my actions, all done in Safe Mode:

Through Windows Explorer (right click on Start, go to Explore) and find this (don't do a search, but look for it):

C:\WINDOWS\ru.exe<<delete this (if it's there).

Can't find this anywhere, even through a search. Should it be all by itself in c:/windows, or in a folder? And if a folder, which one?
Also,

C:\WINDOWS\TEMP<<clean out all of these contents in the temp folder.

Deleted over 10,000 files; only files remaining were two folders: "History" and "Temporary Internet Files" which it warned me against deleting.

Please back up your registry. Never did this before, but I exported "My Computer" and all branches to a file, now stored in My Documents.

Read this.

1. Click Start > Run.
2. Type regedit

Then click OK.

3. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

4. In the right pane, delete the value:

"SSPY"="%Windir%\SSYTEM.EXE"

Can't find this value to delete. Note: I also have a "RunServices-" folder, but can't find it there, either. No action taken.

5. Navigate to the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion

Was confused by the "Windows NT" reference above. I only have a "Windows" folder in Current User (however, I do have a Windows NT folder in Local Machine). Do you want me to modify the Default (now set at "") in the Current User\Windows\CurrentVersion folder? This is the "making me nervous" part.

6. In the right pane, set the value:

"load"=""

7. Exit the Registry Editor.

8. Restart the computer in Normal mode. For instructions, read the section on returning to Normal mode in the document, "How to start the computer in Safe Mode."
==================================

I seem to have failed dismally :tazz: ! Can you still help?

Talk to you tomorrow. Thank you for your patience and help. I'm off to bed soon, myself.

Debbie
#28
coachwife6
    SuperStar
  • Retired Staff
  • 11,413 posts

Can't find this anywhere, even through a search. Should it be all by itself in c:/windows, or in a folder? And if a folder, which one?


Wasn't sure it would be there. So, cross this off your list of worries. :tazz:

C:\WINDOWS\TEMP


They have needed to be cleaned out for a long time. A lot of bad stuff was starting there.

Please download CleanUp! Don't run it yet.

Please download CleanUp! - Download - HomePage
Install and run. Click on the button labeled CleanUp!.

When it finishes it will prompt you to restart Windows - there will be one or two files it cannot delete when Windows is running - however, they will be deleted next time Windows starts up.

**********

I want you to delete the following files with a program called pocket killbox. Here is a link that shows you how to run it.

http://forum.malware...topic.php?t=320

C:\WINDOWS\SYSTEM\MKJET35.DLL
C:\WINDOWS\SYSTEM\RXCLTC3.DLL
C:\WINDOWS\DOWNLOADED PROGRAM FILES\ysbactivex.inf
C:\WINDOWS\abiuninst.htm
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\SYSTEM\MFFMIG32.DLL
C:\WINDOWS\SYSTEM\MNJAVA.DLL
C:\WINDOWS\SYSTEM\APIDIAG.DLL
C:\WINDOWS\SYSTEM\FZAMEBUF.DLL
C:\WINDOWS\SYSTEM\MRDCTRL.DLL
C:\WINDOWS\SYSTEM\IWMUI.DLL
C:\WINDOWS\SYSTEM\SAI_CI32.DLL
C:\WINDOWS\SYSTEM\LLRT.DLL
C:\WINDOWS\SYSTEM\WMASPI32.DLL
C:\WINDOWS\SYSTEM\NMNDS.DLL
C:\WINDOWS\SYSTEM\TGD32.DLL
C:\WINDOWS\SYSTEM\DPKAPI32.DLL
C:\WINDOWS\SYSTEM\RZANP.DLL
C:\WINDOWS\SYSTEM\MCXML3.DLL
C:\WINDOWS\SYSTEM\VSHELPER.DLL
C:\WINDOWS\SYSTEM\RZGWIZC.DLL
C:\WINDOWS\SYSTEM\SJVRTGUI.DLL
C:\WINDOWS\SYSTEM\TBP3216S.DLL
C:\WINDOWS\SYSTEM\OATLCOMM.DLL
C:\WINDOWS\SYSTEM\OJPRT400.DLL
C:\WINDOWS\SYSTEM\swkoy.dll
C:\WINDOWS\SYSTEM\DCSERIAL.DLL
C:\WINDOWS\SYSTEM\GNI32.DLL
C:\WINDOWS\SYSTEM\CAL3D32.DLL
C:\WINDOWS\SYSTEM\MTHTMLER.DLL
C:\WINDOWS\SYSTEM\HQFCSA.DLL
C:\WINDOWS\SYSTEM\VGB32.DLL
C:\WINDOWS\SYSTEM\MGCUIA32.DLL
C:\WINDOWS\SYSTEM\aripk32.dll
C:\WINDOWS\SYSTEM\wcv8dmod.dll
C:\WINDOWS\SYSTEM\domap.dll
C:\WINDOWS\SYSTEM\pbbole32.dll
C:\WINDOWS\SYSTEM\ggcwb.dll
C:\WINDOWS\SYSTEM\dWdref.dll
C:\WINDOWS\SYSTEM\HMFecp11.dll
C:\WINDOWS\SYSTEM\ivoi.dll
C:\WINDOWS\SYSTEM\mpvcp71.dll
C:\WINDOWS\SYSTEM\ootext32.dll
C:\WINDOWS\SYSTEM\dzmsgnet.dll
C:\WINDOWS\SYSTEM\nytha32.dll
C:\WINDOWS\SYSTEM\CJMPPL32.DLL
C:\WINDOWS\SYSTEM\Shorts.dll
C:\WINDOWS\SYSTEM\cptb.dll
C:\WINDOWS\SYSTEM\aapwv.dll
C:\WINDOWS\SYSTEM\winxm.exe
C:\WINDOWS\SYSTEM\mbcbh.dll
C:\WINDOWS\SYSTEM\craw32.exe
C:\WINDOWS\SYSTEM\nztel.dll
C:\WINDOWS\SYSTEM\mgay32.dll
C:\WINDOWS\SYSTEM\ovdbse32.dll
C:\WINDOWS\SYSTEM\awpoy.dll
C:\WINDOWS\SYSTEM\aklpk.dll
C:\WINDOWS\SYSTEM\stsgw.dll
C:\WINDOWS\SYSTEM\irsg32.dll
C:\WINDOWS\SYSTEM\aditz.dll
C:\WINDOWS\SYSTEM\nhtvg32.dll
C:\WINDOWS\SYSTEM\nmtup.dll
C:\WINDOWS\SYSTEM\jhpl400.dll
C:\WINDOWS\SYSTEM\axdzh32.dll
C:\WINDOWS\SYSTEM\nrttg.dll
C:\WINDOWS\SYSTEM\dFil.dll
C:\WINDOWS\SYSTEM\ibbd.dll
C:\WINDOWS\SYSTEM\iwbd.dll
C:\WINDOWS\SYSTEM\RXCLTC3.DLL
C:\WINDOWS\SYSTEM\TKAPI.DLL
C:\WINDOWS\SYSTEM\IWM32.DLL
C:\WINDOWS\SYSTEM\akibt.dll
C:\WINDOWS\SYSTEM\axikr.dll
C:\WINDOWS\SYSTEM\MKJET35.DLL
C:\WINDOWS\SYSTEM\wwnetmgr.dll
C:\WINDOWS\SYSTEM\sjsml.dll
C:\WINDOWS\SYSTEM\mpcxr.dll
C:\WINDOWS\SYSTEM\wanqg32.dll
C:\WINDOWS\SYSTEM\dknlobby.dll
C:\WINDOWS\SYSTEM\menv.dll
C:\WINDOWS\TEMP\pav93A0.TMP

Run CleanUp!

Please run Adaware again.

Give me another hijack this log and a panda scan. ;) You're doing great.
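The Panda report posted above and the Killbox list built from it by hand in #28 are the kind of listing a helper reduces manually: the same file appears twice, paths differ only in case or slash direction, and registry keys need regedit rather than Killbox. As an added example (not from this thread, from Panda, or from Pocket Killbox), the Python below parses that report format, splits file, TEMP and registry hits, deduplicates case-insensitively, and diffs two scans so a falling infection count can be checked item by item. The sample report lines are constructed excerpts in the thread's format, not the full logs.

```python
import re
from collections import OrderedDict

# Panda ActiveScan prints "<Incident> <Status> <Location>" with single spaces, and a long incident
# name runs into the status ("...consumeralertsystemNo disinfected"), so split on the status words.
LINE_RE = re.compile(
    r"^(?P<incident>.+?)\s*(?P<status>No disinfected|Disinfected)\s+(?P<location>.+)$")
REG_HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS")


def normalise_path(location):
    """Display form plus a comparison key: forward slashes (a typo in the thread's Killbox list)
    become backslashes, and the key is case-folded because Windows paths are case-insensitive."""
    cleaned = location.strip().replace("/", "\\").rstrip("\\")
    return cleaned, cleaned.casefold()


def classify(location):
    """Registry key, leftover in the Windows TEMP folder (goes when it is emptied), or file."""
    upper = location.upper()
    if upper.startswith(REG_HIVES):
        return "registry"
    if "\\WINDOWS\\TEMP\\" in upper:
        return "temp"
    return "file"


def parse_report(text):
    """Parse a pasted report into records; skip the header and blank lines and fail loudly
    on a line that does not fit the format instead of silently dropping a detection."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Incident"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised report line: {line!r}")
        display, _ = normalise_path(match.group("location"))
        records.append({"incident": match.group("incident").strip(),
                        "status": match.group("status"),
                        "location": display, "kind": classify(display)})
    return records


def build_worklist(records):
    """Split still-infected locations into the lists a helper hands back: files for Killbox,
    TEMP leftovers, and registry keys for regedit. Each list is deduplicated case-insensitively
    (the thread's Killbox list carried MKJET35.DLL twice), keeping first-seen spelling."""
    buckets = {"file": OrderedDict(), "temp": OrderedDict(), "registry": OrderedDict()}
    for rec in records:
        if rec["status"] == "No disinfected":
            display, key = normalise_path(rec["location"])
            buckets[rec["kind"]].setdefault(key, display)
    return {kind: list(seen.values()) for kind, seen in buckets.items()}


def compare_scans(before, after):
    """(cleared, new) locations between two scans, so a falling infection count can be checked
    item by item rather than trusted as a headline number."""
    key_before = {normalise_path(r["location"])[1]: r["location"] for r in before}
    key_after = {normalise_path(r["location"])[1]: r["location"] for r in after}
    cleared = [loc for key, loc in key_before.items() if key not in key_after]
    new = [loc for key, loc in key_after.items() if key not in key_before]
    return cleared, new


# Constructed excerpts in the thread's report format (not the full logs).
SCAN_BEFORE = r"""
Incident Status Location
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MKJET35.DLL
Spyware:spyware/yoursitebar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ysbactivex.inf
Adware:adware/consumeralertsystemNo disinfected HKEY_CURRENT_USER\SOFTWARE\CAS
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\SYSTEM\winxm.exe
Adware:Adware/Look2Me No disinfected C:/WINDOWS\SYSTEM\mpcxr.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MKJET35.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav93A0.TMP
"""
SCAN_AFTER = r"""
Incident Status Location
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
Adware:adware/consumeralertsystemNo disinfected HKEY_CURRENT_USER\SOFTWARE\CAS
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:Adware/Look2Me No disinfected C:\!Submit\MKJET35.DLL
Adware:Adware/ConsumerAlertSystemNo disinfected C:\dist006.exe
"""

if __name__ == "__main__":
    before, after = parse_report(SCAN_BEFORE), parse_report(SCAN_AFTER)
    print("Killbox list:", *build_worklist(before)["file"], sep="\n  ")
    print("cleared / new:", compare_scans(before, after))
```

The C:\!Submit entries in the second scan are where the earlier files turned up after the Killbox run, so they show as "new" rather than as still-live copies in C:\WINDOWS\SYSTEM.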
#29
drb0605
    Member
  • Topic Starter
  • Member
  • 23 posts
Morning!

I'm feeling quite successful this go-round! :)

Successfully used Pocket Killbox, and found and deleted all but 3 files - I couldn't find these (and "find" didn't find them, either):

1 - C:\WINDOWS\SYSTEM\MKJET35.DLL (this was listed twice in the list you sent)
2 - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YSBACTIVES.INF
3 - C:\WINDOWS\TEMP\pav93A0.TMP

I ran CleanUp!; I think it removed about 1,200 files.

I ran AdAware SE Plus again - still using Custom settings. It found one thing - WhenU.Desktop Toolbar - and said it removed it.

And finally, I ran HiJack and a Panda scan; the Panda scan is still showing 86 infected, but didn't the last one show 288? All Good! ;)

Following is the HiJack log and report from the Panda scan. I'm on a roll! :tazz: What now? THANKS! Have a great day!

Logfile of HijackThis v1.99.1
Scan saved at 10:51:35 PM, on 7/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\ZONEALARM FIREWALL\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\ZoneAlarm Firewall\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .gov/FOTWWebApp/StudentAccessServlet;jsessionid=000244XWKXDHJCKEFBCX5DYG5EA?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&faamode=undefined: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...ntr_current.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = sbcglobal.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,206.13.28.12

=================================================

PandaActivescan 072705 2300 hrs
Incident Status Location

Spyware:spyware/yoursitebar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ysbactivex.inf
Spyware:spyware/searchcentrix No disinfected HKEY_CURRENT_USER\SOFTWARE\DYNAMIC TOOLBAR
Adware:adware/consumeralertsystem No disinfected HKEY_CURRENT_USER\SOFTWARE\CAS
Adware:adware/comet No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\USERKEYS\COMETKEY
Spyware:spyware/istbar No disinfected HKEY_CLASSES_ROOT\YSBACTIVEX.INSTALLER
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MVU
Adware:adware/gator No disinfected HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLS
Adware:adware/powerscan No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\BANDREST
Adware:adware/ncase No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\SEARCH BAR_BAK
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:Adware/Look2Me No disinfected C:\!Submit\RXCLTC3.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\MFFMIG32.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\MNJAVA.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\APIDIAG.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\FZAMEBUF.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\MRDCTRL.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\IWMUI.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\SAI_CI32.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\LLRT.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\NMNDS.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\WMASPI32.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\TGD32.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\DPKAPI32.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\RZANP.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\MCXML3.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\VSHELPER.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\RZGWIZC.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\SJVRTGUI.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\TBP3216S.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\OATLCOMM.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\OJPRT400.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\swkoy.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\DCSERIAL.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\GNI32.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\CAL3D32.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\MTHTMLER.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\HQFCSA.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\VGB32.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\MGCUIA32.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\aripk32.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\wcv8dmod.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\domap.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\pbbole32.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\ggcwb.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\dWdref.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\HMFecp11.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\ivoi.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\mpvcp71.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\ootext32.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\dzmsgnet.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\nytha32.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\CJMPPL32.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\Shorts.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\cptb.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\aapwv.dll
Adware:Adware/SuperSpider No disinfected C:\!Submit\winxm.exe
Adware:Adware/Look2Me No disinfected C:\!Submit\mbcbh.dll
Adware:Adware/SuperSpider No disinfected C:\!Submit\craw32.exe
Adware:Adware/Look2Me No disinfected C:\!Submit\nztel.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\mgay32.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\ovdbse32.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\awpoy.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\aklpk.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\stsgw.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\irsg32.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\aditz.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\nhtvg32.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\nmtup.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\jhpl400.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\axdzh32.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\nrttg.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\dFil.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\ibbd.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\iwbd.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\TKAPI.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\IWM32.DLL
Adware:Adware/Look2Me No disinfected C:\!Submit\akibt.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\axikr.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\wwnetmgr.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\sjsml.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\mpcxr.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\wanqg32.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\dknlobby.dll
Adware:Adware/Look2Me No disinfected C:\!Submit\menv.dll
Adware:Adware/ConsumerAlertSystem No disinfected C:\dist006.exe
=================================================

Hope to hear from you soon - can't believe you're still with me on this! Thank you!

Debbie
#30
coachwife6
    SuperStar
  • Retired Staff
  • 11,413 posts
Where else would I go? :tazz:

Download the following file:

http://castlecops.co.../FindIt9xME.zip

and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.