slow pc, strange applications running [RESOLVED]



#1
clearasmud


    New Member

  • Member
  • 5 posts
I am trying to figure out where unknown programs are coming from...deleting them from the Task Manager seems to work for a while, but they re-appear. I have tracked down the files and deleted them, only to have them come back upon reboot. Here's what I have done so far (in order):

1. ran CleanUp!
2. ran Ad-aware
3. ran CWShredder
4. ran Spybot S&D
5. ran Trend Housecall's virus scan
6. ran Windows update
7. ran Hijack This

All were the most current version available, and with all updates installed.

I am still experiencing the odd programs running (and hogging the cpu). Here are the results of Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 6:44:41 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ewbuo\wxdnfodt.exe
C:\WINDOWS\system32\alwr\spsdstj.exe
C:\WINDOWS\system32\ajuxwwhg\mdke.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\r?gedit.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\temp - John\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: US Class - {1FFED2CB-FC98-49f8-B3D0-678D03350F1E} - C:\WINDOWS\mscore.dll (file missing)
O2 - BHO: (no name) - {1069B4EA-0155-048D-27E7-0495B9A5DC94} - C:\WINDOWS\system32\gxaevu.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {F2056663-25FF-68CF-BA71-6A97F8FBF269} - C:\DOCUME~1\RUSSVO~1\APPLIC~1\BENDKI~1\BagsPhone.exe (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [wxdnfodt] C:\WINDOWS\system32\ewbuo\wxdnfodt.exe
O4 - HKLM\..\Run: [spsdstj] C:\WINDOWS\system32\alwr\spsdstj.exe
O4 - HKLM\..\Run: [hhef] C:\WINDOWS\system32\plkuddim\hhef.exe
O4 - HKLM\..\Run: [pegrcnc] C:\WINDOWS\system32\qrjpohul\pegrcnc.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [wgnww] C:\WINDOWS\system32\ulmykvp\wgnww.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.0.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [uupsdpg] C:\WINDOWS\system32\kguynw\uupsdpg.exe
O4 - HKLM\..\Run: [tpdrcpo] C:\WINDOWS\system32\kiuibqc\tpdrcpo.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qpwxx] C:\WINDOWS\system32\xoae\qpwxx.exe
O4 - HKLM\..\Run: [Pollsupportoozevc] C:\Documents and Settings\All Users\Application Data\Flag Load Poll Support\OozeKnob.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [oxmorhhl] C:\WINDOWS\system32\vvkkver\oxmorhhl.exe
O4 - HKLM\..\Run: [o] C:\documents and settings\russ vollmer\local settings\temp\o.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MW655I] C:\documents and settings\russ vollmer\local settings\temp\MW655I.exe
O4 - HKLM\..\Run: [muryg] C:\WINDOWS\System32\vlbbqkk\muryg.exe
O4 - HKLM\..\Run: [MP6eL] C:\documents and settings\russ vollmer\local settings\temp\MP6eL.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mdke] C:\WINDOWS\system32\ajuxwwhg\mdke.exe
O4 - HKLM\..\Run: [Makarzy] C:\WINDOWS\nyei.exe
O4 - HKLM\..\Run: [lkevmgi] C:\WINDOWS\system32\tncryam\lkevmgi.exe
O4 - HKLM\..\Run: [lfdjdebs] C:\WINDOWS\System32\anxojwxx\lfdjdebs.exe
O4 - HKLM\..\Run: [jncyu] C:\WINDOWS\system32\gtpjkciy\jncyu.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.5.0.0\HbInst.exe /Upgrade
O4 - HKLM\..\Run: [fnxpx] C:\WINDOWS\system32\dvjxgw\fnxpx.exe
O4 - HKLM\..\Run: [evmjuph] C:\WINDOWS\system32\rbmtjwuq\evmjuph.exe
O4 - HKLM\..\Run: [ehkoxdb] C:\WINDOWS\system32\rmerjc\ehkoxdb.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dtaq] C:\WINDOWS\system32\ekpki\dtaq.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [djhvoacj] C:\WINDOWS\system32\obyko\djhvoacj.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [cnosxb] C:\WINDOWS\system32\fcemjhru\cnosxb.exe
O4 - HKLM\..\Run: [CAKETYPE] C:\PROGRA~1\JUMPMO~1\Inter Bold Bore.exe
O4 - HKLM\..\Run: [BPT] "c:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [basswnvh] C:\WINDOWS\System32\enobvujo\basswnvh.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [Xyedbpbh] C:\WINDOWS\system32\r?gedit.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [gB2pRhbmX] renex.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Startup: MyWebSearch Email Plugin.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.s...stemsoappro.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097198749203
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.../dwnldr_ext.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...350/mcfscan.cab
O23 - Service: dgschuagxhgopg - Unknown owner - C:\WINDOWS\system32\gxhgopg\dgschua.exe (file missing)
O23 - Service: jncyugtpjkciy - Unknown owner - C:\WINDOWS\system32\gtpjkciy\jncyu.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: pegrcncqrjpohul - Unknown owner - C:\WINDOWS\system32\qrjpohul\pegrcnc.exe


Any help would be much appreciated! :tazz:
#2
Armodeluxe


    Member 2k

  • Retired Staff
  • 2,744 posts
Hi clearasmud,

I'm working on your log, as soon as another staff member reviews it I'll post a reply. :tazz: Thank you for your patience.

Regards,

Armodeluxe

#3
Armodeluxe

Hi clearasmud, welcome to GeeksToGo

You are running HijackThis from a temporary folder. HijackThis should be placed in a permanent folder to save its backups. Please do this:
  • Now double-click on the temp folder containing the HijackThis.exe file. Select the HijackThis.exe, and hit the combination “Ctrl + C”.
  • Go back to C:/, then double-click on Program Files.
  • In the menu bar you’ll find “File”. Click it, then choose “New”, and then “Folder”.
  • Call this folder HijackThis. Double-click to open this – new – folder.
  • Now use the combination “Ctrl + V” to paste the HijackThis.exe into this folder. Now when needed you can run HijackThis from there.
We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make. Please keep it disabled until we are entirely finished with the cleanup. You can reenable it once your log is clean.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

You may wish to print these instructions or copy and save them on notepad because part of this fix will be made in safe mode and you won't have access to this page.

Please run HijackThis and click Scan. Put a check next to all these:

R3 - URLSearchHook: US Class - {1FFED2CB-FC98-49f8-B3D0-678D03350F1E} - C:\WINDOWS\mscore.dll (file missing)
O2 - BHO: (no name) - {1069B4EA-0155-048D-27E7-0495B9A5DC94} - C:\WINDOWS\system32\gxaevu.dll (file missing)
O2 - BHO: (no name) - {F2056663-25FF-68CF-BA71-6A97F8FBF269} - C:\DOCUME~1\RUSSVO~1\APPLIC~1\BENDKI~1\BagsPhone.exe (file missing)
O4 - HKLM\..\Run: [wxdnfodt] C:\WINDOWS\system32\ewbuo\wxdnfodt.exe
O4 - HKLM\..\Run: [spsdstj] C:\WINDOWS\system32\alwr\spsdstj.exe
O4 - HKLM\..\Run: [hhef] C:\WINDOWS\system32\plkuddim\hhef.exe
O4 - HKLM\..\Run: [pegrcnc] C:\WINDOWS\system32\qrjpohul\pegrcnc.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [wgnww] C:\WINDOWS\system32\ulmykvp\wgnww.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.0.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [uupsdpg] C:\WINDOWS\system32\kguynw\uupsdpg.exe
O4 - HKLM\..\Run: [tpdrcpo] C:\WINDOWS\system32\kiuibqc\tpdrcpo.exe
O4 - HKLM\..\Run: [qpwxx] C:\WINDOWS\system32\xoae\qpwxx.exe
O4 - HKLM\..\Run: [Pollsupportoozevc] C:\Documents and Settings\All Users\Application Data\Flag Load Poll Support\OozeKnob.exe
O4 - HKLM\..\Run: [oxmorhhl] C:\WINDOWS\system32\vvkkver\oxmorhhl.exe
O4 - HKLM\..\Run: [o] C:\documents and settings\russ vollmer\local settings\temp\o.exe
O4 - HKLM\..\Run: [MW655I] C:\documents and settings\russ vollmer\local settings\temp\MW655I.exe
O4 - HKLM\..\Run: [muryg] C:\WINDOWS\System32\vlbbqkk\muryg.exe
O4 - HKLM\..\Run: [MP6eL] C:\documents and settings\russ vollmer\local settings\temp\MP6eL.exe
O4 - HKLM\..\Run: [mdke] C:\WINDOWS\system32\ajuxwwhg\mdke.exe
O4 - HKLM\..\Run: [Makarzy] C:\WINDOWS\nyei.exe
O4 - HKLM\..\Run: [lkevmgi] C:\WINDOWS\system32\tncryam\lkevmgi.exe
O4 - HKLM\..\Run: [lfdjdebs] C:\WINDOWS\System32\anxojwxx\lfdjdebs.exe
O4 - HKLM\..\Run: [jncyu] C:\WINDOWS\system32\gtpjkciy\jncyu.exe
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.5.0.0\HbInst.exe /Upgrade
O4 - HKLM\..\Run: [fnxpx] C:\WINDOWS\system32\dvjxgw\fnxpx.exe
O4 - HKLM\..\Run: [evmjuph] C:\WINDOWS\system32\rbmtjwuq\evmjuph.exe
O4 - HKLM\..\Run: [ehkoxdb] C:\WINDOWS\system32\rmerjc\ehkoxdb.exe
O4 - HKLM\..\Run: [dtaq] C:\WINDOWS\system32\ekpki\dtaq.exe
O4 - HKLM\..\Run: [djhvoacj] C:\WINDOWS\system32\obyko\djhvoacj.exe
O4 - HKLM\..\Run: [cnosxb] C:\WINDOWS\system32\fcemjhru\cnosxb.exe
O4 - HKLM\..\Run: [CAKETYPE] C:\PROGRA~1\JUMPMO~1\Inter Bold Bore.exe
O4 - HKLM\..\Run: [BPT] "c:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [basswnvh] C:\WINDOWS\System32\enobvujo\basswnvh.exe
O4 - HKCU\..\Run: [Xyedbpbh] C:\WINDOWS\system32\r?gedit.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [gB2pRhbmX] renex.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Startup: MyWebSearch Email Plugin.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = ?
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.s...stemsoappro.cab
O23 - Service: dgschuagxhgopg - Unknown owner - C:\WINDOWS\system32\gxhgopg\dgschua.exe (file missing)
O23 - Service: jncyugtpjkciy - Unknown owner - C:\WINDOWS\system32\gtpjkciy\jncyu.exe
O23 - Service: pegrcncqrjpohul - Unknown owner - C:\WINDOWS\system32\qrjpohul\pegrcnc.exe

Now, close all other windows except HijackThis and click Fix Checked.

Boot to safe mode:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Make sure you can view hidden files and folders:

Next click on My Computer.
Go to Tools > Folder Options.
Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and "Hide extensions for known file types."
Now click "Apply to all folders"
Click "Apply" then "OK"

Go to Start > Run and type: cmd
In the command window that opens type these lines hitting Enter after each line:

sc stop dgschuagxhgopg
sc delete dgschuagxhgopg
sc stop jncyugtpjkciy
sc delete jncyugtpjkciy
sc stop pegrcncqrjpohul
sc delete pegrcncqrjpohul
exit


Go to Control Panel > Add/Remove Programs and uninstall these if found:
Note the entries which have 6 letters ending with ~1, there will be more to the names after the 6 letters, but the first 6 letters of the name will be those. The same applies to folders and files too.

Wintools
WhenUSearch
Save or WhenUSave
Hotbar
JUMPMO~1
Bpt
System Soap Pro
ClockSync
MyWebSearch


Delete these files and folders in bold if found:

C:\documents and settings\russ vollmer\application data\BENDKI~1
C:\WINDOWS\system32\ewbuo
C:\WINDOWS\system32\alwr
C:\WINDOWS\system32\plkuddim
C:\WINDOWS\system32\qrjpohul
C:\Program Files\Common Files\WinTools
C:\Program Files\WhenUSearch
C:\Program Files\Save
C:\WINDOWS\system32\ulmykvp
C:\Program Files\Hotbar
C:\WINDOWS\system32\kguynw
C:\WINDOWS\system32\kiuibqc
C:\WINDOWS\system32\xoae
C:\Documents and Settings\All Users\Application Data\Flag Load Poll Support
C:\WINDOWS\system32\vvkkver
C:\WINDOWS\System32\vlbbqkk
C:\WINDOWS\system32\ajuxwwhg
C:\WINDOWS\nyei.exe
C:\WINDOWS\system32\tncryam
C:\WINDOWS\System32\anxojwxx
C:\WINDOWS\system32\gtpjkciy
C:\WINDOWS\system32\dvjxgw
C:\WINDOWS\system32\rbmtjwuq
C:\WINDOWS\system32\rmerjc
C:\WINDOWS\system32\ekpki
C:\WINDOWS\system32\obyko
C:\WINDOWS\system32\fcemjhru
C:\PROGRAM FILES\JUMPMO~1
c:\Program Files\Bpt
C:\WINDOWS\System32\enobvujo
C:\WINDOWS\system32\r?gedit.exe
C:\PROGRAM FILES\System Soap Pro
C:\PROGRAM FILES\CLOCKSYNC
C:\PROGRAM FILES\ MyWebSearch
C:\WINDOWS\system32\gxhgopg
C:\WINDOWS\system32\gtpjkciy
C:\WINDOWS\system32\qrjpohul
renex.exe <-- look for this file in C:\WINDOWS\system32 or C:\WINDOWS, if not there make a search.

Next, run Cleanup to delete all temporary files.

Reboot to normal mode.

Go here and do an online trojan scan:

http://www.windowsec...com/trojanscan/

Go here and do an online virus scan:

http://www.pandasoft...com/activescan/

Save the results of both scans and post them along with a new HijackThis log in this thread by using the Add Reply button at the top.

Regards,

Armodeluxe
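
Added example, not part of Armodeluxe's post and not HijackThis's own logic: a small Python triage pass over O4 and O23 lines that surfaces traits shared by entries selected for fixing above (a bare file name, a temp-folder path, a "(file missing)" target, a "?" in the file name, and a Run or service name built from a random system32 subfolder path). The reason labels and function names are made up for this sketch, the sample lines are copied from the first log in this thread, and the heuristics are assumptions that only rank entries for a human to review; "Unknown owner" is deliberately not used on its own because the McShield service carries it too.

```python
import ntpath
import re

# Sample input: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [wxdnfodt] C:\WINDOWS\system32\ewbuo\wxdnfodt.exe
O4 - HKLM\..\Run: [o] C:\documents and settings\russ vollmer\local settings\temp\o.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [Xyedbpbh] C:\WINDOWS\system32\r?gedit.exe
O4 - HKCU\..\Run: [gB2pRhbmX] renex.exe
O23 - Service: jncyugtpjkciy - Unknown owner - C:\WINDOWS\system32\gtpjkciy\jncyu.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: dgschuagxhgopg - Unknown owner - C:\WINDOWS\system32\gxhgopg\dgschua.exe (file missing)
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# "O23 - Service: service name - owner - command line"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$"
)
# An .exe sitting exactly one folder below system32.
SYS32_SUBDIR_RE = re.compile(
    r"^[a-z]:\\windows\\system32\\(?P<dir>[^\\]+)\\(?P<stem>[^\\]+)\.exe$"
)


def exe_path(cmd):
    """Return the executable part of a HijackThis command column."""
    cmd = cmd.replace("(file missing)", "").strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces, so cut after the first ".exe".
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def reasons_for(section, name, cmd):
    """Return (path, [reason labels]); the labels are hypothetical names."""
    path = exe_path(cmd)
    low = path.lower()
    found = []
    if "(file missing)" in cmd:
        found.append("file-missing")        # autostart points at nothing
    if "\\temp\\" in low:
        found.append("runs-from-temp")      # autostart from a temp folder
    if "\\" not in path:
        found.append("no-directory")        # bare name, resolved via search path
    if "?" in ntpath.basename(path):
        found.append("unprintable-char")    # assumption: lookalike file name
    m = SYS32_SUBDIR_RE.match(low)
    if m:
        # Pattern seen in this log: Run value == exe stem,
        # service name == exe stem + folder name.
        expected = m["stem"] if section == "O4" else m["stem"] + m["dir"]
        if name.lower() == expected:
            found.append("name-derived-from-path")
    return path, found


def triage(log_text):
    """Return [(section, name, path, reasons)] for entries worth a closer look."""
    flagged = []
    for line in log_text.splitlines():
        line = line.strip()
        section, m = "O4", O4_RE.match(line)
        if not m:
            section, m = "O23", O23_RE.match(line)
        if not m:
            continue
        path, found = reasons_for(section, m["name"], m["cmd"])
        if found:
            flagged.append((section, m["name"], path, found))
    return flagged


if __name__ == "__main__":
    for section, name, path, found in triage(SAMPLE_LOG):
        print(f"{section:4} {name:16} {path}  <- {', '.join(found)}")
```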

#4
clearasmud

Armodeluxe, thank you for the reply. I will follow your directions this evening. :tazz:

#5
clearasmud

Greetings Armodeluxe, here are my results, the format may or may not be very readable, if you prefer the .txt files, I'll gladly attach them. :tazz: Once again, THANK YOU VERY MUCH for your assistance!!!!

Windowsecurity scan:

C:\Program Files\Microsoft AntiSpyware\Quarantine\3B7CD5C0-0E41-4B68-9539-7F6259\0D592666-ECFE-4674-841E-D7F16F Adware.ToolBar.MyWebSearch
C:\Program Files\Microsoft AntiSpyware\Quarantine\3B7CD5C0-0E41-4B68-9539-7F6259\4496A983-EC5E-45C2-A1E7-1477E3 Adware.ToolBar.MyWebSearch
C:\System Volume INformation\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP91\A0004292.exe Adware.PurityScan.bs
C:\WINDOWS\SYSTEM32\mysysapps\surfsidekick.exe
C:\WINDOWS\SYSTEM32\surfsidekick.exe
C:\WINDOWS\wt\wtupdates\webbd\4.1.1\files\wtvh.dll
C:\WINDOWS\wt\wtvh.dll


Panda scan:

Incident Status Location

Adware:adware/delfinmedia No disinfected C:\WINDOWS\SYSTEM32\vmss
Adware:adware/savenow No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vmss
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC
Adware:adware/mywebsearch No disinfected HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
Adware:adware/funweb No disinfected HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Adware:adware/virtualbouncer No disinfected HKEY_CLASSES_ROOT\Interface\{8DD9B882-0041-449D-A0BD-77A87119AD90}
Adware:adware/brilliantdigital No disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Adware:adware/myway No disinfected HKEY_LOCAL_MACHINE\software\classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Adware:Adware/VirtualBouncer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3AECAFA5-6400-4649-A0A0-888B68\8B495966-2788-4FDA-BBC2-7D99A1
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3B7CD5C0-0E41-4B68-9539-7F6259\008A9F5E-C5A9-408E-9A26-91B590
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3B7CD5C0-0E41-4B68-9539-7F6259\0D592666-ECFE-4674-841E-D7F16F
Adware:Adware/FunWeb No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3B7CD5C0-0E41-4B68-9539-7F6259\1B5B6C95-A2BC-4D97-BBEF-9E06CF
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3B7CD5C0-0E41-4B68-9539-7F6259\338E4516-D19A-41EA-B252-28A365
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3B7CD5C0-0E41-4B68-9539-7F6259\4496A983-EC5E-45C2-A1E7-1477E3
Adware:Adware/FunWeb No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3B7CD5C0-0E41-4B68-9539-7F6259\540D9B15-9907-4362-ABE6-6570F3
Adware:Adware/FunWeb No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3B7CD5C0-0E41-4B68-9539-7F6259\E9CEB517-CAA7-4772-A0B9-9FD7E6
Adware:Adware/MyWebSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3B7CD5C0-0E41-4B68-9539-7F6259\F527067B-2CD8-49CD-ADA1-CDB22D
Adware:Adware/FunWeb No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3B7CD5C0-0E41-4B68-9539-7F6259\F73253C5-8439-4BE7-AE7F-BE437D
Adware:Adware/FunWeb No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3B7CD5C0-0E41-4B68-9539-7F6259\FA590E45-95C5-40E4-97C9-910F47
Adware:Adware/FunWeb No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\3B7CD5C0-0E41-4B68-9539-7F6259\FF8F0AF5-4130-4851-8AB8-6C08EB
Adware:Adware/TopRebates No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\6E1CF322-BCF7-4F0D-907E-079337\A5C769CB-615E-4B5C-8D0A-54E265
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\satmat.inf
Adware:Adware/PortalScan No disinfected C:\WINDOWS\mscore.dll.tcf
Virus:Trj/Prockill.G Disinfected C:\WINDOWS\SYSTEM32\augre.exe.tcf

HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 6:32:53 PM, on 7/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097198749203
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.../dwnldr_ext.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...350/mcfscan.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#6
Armodeluxe

Hi clearasmud

Wow, I wasn't expecting this at all :tazz: ..your log looks clean now ;) ..great job you did there!

We have some final cleaning to do. First, please delete everything in the Microsoft Antispyware Quarantine folder.

You may wish to print these instructions or copy and save them on notepad because this fix will be made in safe mode and you won't have access to this page.

Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as Cleanup.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC]

[-HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}]

[-HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}]

[-HKEY_CLASSES_ROOT\Interface\{8DD9B882-0041-449D-A0BD-77A87119AD90}]

[-HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]

[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}]

Boot to safe mode:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Make sure you can view hidden files and folders:

Next click on My Computer.
Go to Tools > Folder Options.
Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and "Hide extensions for known file types."
Now click "Apply to all folders"
Click "Apply" then "OK"

Delete these files and folders in bold if found:

C:\WINDOWS\SYSTEM32\mysysapps
C:\WINDOWS\SYSTEM32\surfsidekick.exe
C:\WINDOWS\wt\wtupdates\webbd\4.1.1\files\wtvh.dll
C:\WINDOWS\wt\wtvh.dll
C:\WINDOWS\SYSTEM32\vmss
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vmss
C:\WINDOWS\INF\satmat.inf
C:\WINDOWS\mscore.dll

Now Locate and DoubleClick Cleanup.reg-> Allow it to merge into the Registry!

Reboot to normal mode and post a final Hijackthis log, just to make sure nothing is coming back.

Regards,

Armodeluxe

#7
clearasmud

Hi Armodeluxe,
all has gone well so far, thanks to your expert advice! :tazz: After deleting files and running the registry update, here is the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:18:31 PM, on 7/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097198749203
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.../dwnldr_ext.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...350/mcfscan.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Once again - THANK YOU, THANK YOU, THANK YOU!!!
  • 0
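The "post a final log to make sure nothing is coming back" step can also be checked mechanically. The Python sketch below is an added example, not part of any post in this thread: it scans a HijackThis log for the files, folders and GUIDs named in the removal instructions above. The function name, the sample log and its `[example]`, `C:\example` and `vmssvc.exe` entries are constructed for illustration.

```python
import re

# Paths and GUIDs copied from the removal list and Cleanup.reg earlier in the thread.
REMOVED_PATHS = [
    r"C:\WINDOWS\SYSTEM32\mysysapps",
    r"C:\WINDOWS\SYSTEM32\surfsidekick.exe",
    r"C:\WINDOWS\wt\wtupdates\webbd\4.1.1\files\wtvh.dll",
    r"C:\WINDOWS\wt\wtvh.dll",
    r"C:\WINDOWS\SYSTEM32\vmss",
    r"C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vmss",
    r"C:\WINDOWS\INF\satmat.inf",
    r"C:\WINDOWS\mscore.dll",
]
REMOVED_GUIDS = {
    "147A976F-EEE1-4377-8EA7-4716E4CDD239", "9AFB8248-617F-460D-9366-D71CDEDA3179",
    "8DD9B882-0041-449D-A0BD-77A87119AD90", "48E59292-9880-11CF-9754-00AA00C00908",
}
# Case-insensitive, component-boundary match: ...\vmss hits ...\vmss\x.exe, not ...\vmssvc.exe.
PATH_RE = re.compile(
    "(?:" + "|".join(map(re.escape, REMOVED_PATHS)) + r')(?=$|[\\\s",])', re.I)
GUID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
ENTRY_RE = re.compile(r"^([ORFN]\d{1,2}) - ")  # section codes such as R1, O2, O4, O23

def find_leftovers(log_text):
    """Return (section, reason, line) for log lines that still reference a removed item."""
    hits, in_processes = [], False
    for line in map(str.strip, log_text.splitlines()):
        if line == "Running processes:" or not line:
            in_processes = bool(line)  # the process list ends at the first blank line
            continue
        entry = ENTRY_RE.match(line)
        if not (entry or in_processes):
            continue  # header lines: version, scan time, platform
        section = entry.group(1) if entry else "process"
        if PATH_RE.search(line):
            hits.append((section, "path", line))
        elif any(g.upper() in REMOVED_GUIDS for g in GUID_RE.findall(line)):
            hits.append((section, "guid", line))
    return hits

# Constructed sample, not the poster's log: three lines reintroduce removed items,
# and vmssvc.exe is a constructed near miss that must not be flagged.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\surfsidekick.exe
C:\WINDOWS\System32\vmssvc.exe

O2 - BHO: (no name) - {9AFB8248-617F-460d-9366-D71CDEDA3179} - C:\example\x.dll
O4 - HKLM\..\Run: [example] "C:\WINDOWS\system32\vmss\example.exe" /s
"""
```

Short 8.3 names (PROGRA~1, DOCUME~1) are not expanded, so an empty result only covers paths the log prints in long form.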

#8
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Congratulations!!! ;) Your log is clean!!! :tazz:

Don't forget to reenable the protection features of MSAS. You should also rehide the hidden files by reversing the changes you made to view them.

Now let's reset your restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Please take the following into consideration to maintain a clean computer.

Does your McAfee Internet Security suite include a firewall? If not, choose one of these, they're free.

Kerio
Zonealarm
Sygate

Visit Windows Update regularly to get the latest security updates. You can also enable automatic updates. Your antivirus software and antispyware programs should also be updated regularly, and make a habit of running scans on a timely basis.

Additional programs to consider:

Spywareblaster: Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.
Spywareguard: An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
IE/Spyad: Adds a list of malicious sites to your Restricted Sites Zone.
Firefox: An alternate browser safer than IE

A good article to read:
So how did I get infected in the first place?

Regards,

Armodeluxe
  • 0

#9
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





