startpage.19.j [RESOLVED]


  • This topic is locked

#1
ukn0hs729f

    New Member

  • Member
  • 4 posts
Hi guys, I'm really hoping you can help me out.

I have the "startpage.19.j" malware and I followed your instructions on malware removal but wasn't successful in eliminating it. I should note that while step 1 on spyware removal and step 3 on downloading the Windows patch SP1a went fine (I downloaded all the necessary utility programs and ran them successfully), I had trouble with step 2 b/c my AVG antivirus detected "startpage.19.j", but failed to remove it even when I clicked to delete it or quarantine it. Moreover, I wasn't able to run any of the online virus scanners (Panda antivirus or HouseCall) b/c every time I attempted to, it would bring up error messages about my security settings prohibiting ActiveX, even though I had gone into Internet Options and specifically enabled it. At any rate, it'd be much appreciated if you could lend some of your expertise.


Here's the HijackThis logfile:


Logfile of HijackThis v1.99.1
Scan saved at 8:50:01 PM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\America Online 8.0\shellmon.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Family\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Family\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17AE44D5-5BEF-4122-9511-DFDA3694BB68} - C:\WINDOWS\System32\hbmk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Family\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Family\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://209.190.137.3...chm::/win32.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{253EBB2F-045F-4A42-87F2-9593917C5AED}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{253EBB2F-045F-4A42-87F2-9593917C5AED}: NameServer = 205.188.146.145
O18 - Filter: text/html - {ED910916-8B5A-4DF1-A277-38E320986EC3} - C:\WINDOWS\System32\hbmk.dll
O18 - Filter: text/plain - {ED910916-8B5A-4DF1-A277-38E320986EC3} - C:\WINDOWS\System32\hbmk.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0



#2
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi ukn0hs729f and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. Go to Geeks to Go
  • Click on My Controls at the top right hand corner of the window. (Make sure you have signed in first.)
  • In the left hand column, click "View Topics".
  • If you click on the title of your post, you will be taken there.

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
  • Where it says "unsubscribe", click the pull-down menu and select "immediate email notification".

3. You have at least a variant of the About:Blank infection on your system. I will be able to tell more once this is removed.

1. Download CWShredder

If you are using anything other than Windows XP you may need a zip program. Please download the evaluation version of Winzip.


2. Download SpSeHjfix.zip to the desktop.
  • Then right click on the desktop and select New > Folder, and name it spfix.
  • Unzip SpSeHjfix.zip into the new folder.
3. Disconnect from the net and Close ALL OPEN PROGRAMS.
  • Run 'SpSeHjfix' and click on "Start Disinfection".
  • When it's finished it will reboot your machine to finish the cleaning process.
  • The tool creates a log of the fix which will appear in the folder.
If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

4. Once it is finished, run CWShredder - Hit The FIX button!

5. Reboot and post a new HJT log and the log that was created by 'SpSeHjfix'.

Warning Note: On a few occasions it has been reported that after using SpSeHjfix you cannot open Internet Explorer. To fix this, go into Control Panel > Internet Options > Programs and press "Reset Web Settings"; then you can set your home page to what you want on the General tab.

Regards,

Trevuren

  • 0
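Trevuren's diagnosis above comes from reading the R1, O2, O4, O16, O18 and O21 lines of the HijackThis log: search pages redirected into a res:// page inside se.dll, an unnamed BHO and two text/html and text/plain MIME filters pointing at the same hbmk.dll, Run keys launching from the Temp folder, ActiveX distribution units installed from local .cab files, and an SSODL entry whose DLL is gone. The following Python script is an added example and is not code from the thread or from HijackThis: it parses lines in the HijackThis v1.99.1 layout and applies those same defender-side heuristics, then cross-references which DLLs are wired into more than one hook type. The sample input is a constructed subset copied from the first log in this thread, with two clean lines left in so the script has something it should not flag; the rules are my own summary of what the helper acted on, not HijackThis's internal logic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of lines from the first HijackThis v1.99.1 log
# posted in this thread, plus two clean entries (Acrobat BHO, Nero check).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Family\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17AE44D5-5BEF-4122-9511-DFDA3694BB68} - C:\WINDOWS\System32\hbmk.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Family\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Family\LOCALS~1\Temp\se.dll,DllInstall
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O18 - Filter: text/html - {ED910916-8B5A-4DF1-A277-38E320986EC3} - C:\WINDOWS\System32\hbmk.dll
O18 - Filter: text/plain - {ED910916-8B5A-4DF1-A277-38E320986EC3} - C:\WINDOWS\System32\hbmk.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O4"
    reason: str   # why the line was flagged
    line: str     # the original log line


# Every HijackThis entry starts with its section tag followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Any path component named Temp (also matches the 8.3 form LOCALS~1\Temp).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# First full "X:\...\something.dll" path on a line.
DLL_RE = re.compile(r"([a-z]:\\.*?\.dll)", re.IGNORECASE)


def classify(section: str, body: str) -> Optional[str]:
    """Return a reason when a line matches one of the heuristics, else None.

    These heuristics are my own summary of the patterns the helper acted on
    in this thread; they are not HijackThis's own logic.
    """
    low = body.lower()
    if "(file missing)" in low:
        return "orphaned entry: the registry still references a file that no longer exists"
    if section in ("R0", "R1"):
        _, _, value = body.partition(" = ")
        value = value.strip().lower()
        if value.startswith("res://") or value == "about:blank":
            return "IE start/search page redirected to about:blank or to a res:// page served from a DLL"
    if section == "O2" and body.startswith("BHO: (no name)"):
        return "unnamed BHO: confirm the DLL belongs to a known product (Spybot's SDHelper.dll also shows this way)"
    if section == "O4" and TEMP_RE.search(body):
        return "autorun entry launching from a Temp directory"
    if section == "O16" and " - file://" in low:
        return "ActiveX distribution unit installed from a local .cab instead of a web server"
    if section == "O18" and body.startswith("Filter: text/"):
        return "MIME filter for text content: this DLL sees every HTML/plain-text page IE renders"
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse a HijackThis log and return the lines that match a heuristic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        reason = classify(m["section"], m["body"])
        if reason:
            findings.append(Finding(m["section"], reason, line))
    return findings


def shared_dlls(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each flagged DLL to the section tags referencing it, keeping only
    DLLs hooked in from more than one section type (e.g. BHO plus MIME filter)."""
    seen: Dict[str, set] = defaultdict(set)
    for f in findings:
        for dll in DLL_RE.findall(f.line):
            seen[dll.lower()].add(f.section)
    return {dll: sorted(secs) for dll, secs in seen.items() if len(secs) > 1}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    for dll, sections in shared_dlls(hits).items():
        print(f"{dll} is referenced from sections {', '.join(sections)}")
```

Run as-is it flags nine of the eleven entries and reports that se.dll is reached from both an R1 search-page value and an O4 Run key, and that hbmk.dll is registered both as a BHO and as a MIME filter; that correlation is exactly why the SpSeHjFix log later in the thread removes the filter keys, the BHO key and the Run key together rather than one at a time.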

#3
ukn0hs729f

    New Member

  • Topic Starter
  • Member
  • 4 posts
Hi Trevuren, I followed your instructions (sorry about sending two msgs, but I realized that I didn't post the last response). Didn't know if that would make it harder to follow.

Here are the two logfiles:



(7/12/05 11:36:17 PM) SPSeHjFix started v1.1.2
(7/12/05 11:36:17 PM) OS: WinXP Service Pack 1 (5.1.2600)
(7/12/05 11:36:17 PM) Language: english
(7/12/05 11:36:17 PM) Win-Path: C:\WINDOWS
(7/12/05 11:36:17 PM) System-Path: C:\WINDOWS\System32
(7/12/05 11:36:17 PM) Temp-Path: C:\DOCUME~1\Family\LOCALS~1\Temp\
(7/12/05 11:36:21 PM) Disinfection started
(7/12/05 11:36:21 PM) Bad-Dll(IEP): c:\docume~1\family\locals~1\temp\se.dll
(7/12/05 11:36:21 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\hbmk.dll
(7/12/05 11:36:21 PM) Searchassistant Uninstaller - Keys Deleted
(7/12/05 11:36:21 PM) UBF: 6 - UBB: 4 - UBR: 8
(7/12/05 11:36:21 PM) FilterKey: HKCR\text/html (deleted)
(7/12/05 11:36:21 PM) FilterKey: HKCR\CLSID\{ED910916-8B5A-4DF1-A277-38E320986EC3} (deleted)
(7/12/05 11:36:21 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(7/12/05 11:36:21 PM) FilterKey: HKCR\text/plain (deleted)
(7/12/05 11:36:21 PM) FilterKey: HKCR\CLSID\{ED910916-8B5A-4DF1-A277-38E320986EC3} (error while deleting)
(7/12/05 11:36:21 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(7/12/05 11:36:21 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17AE44D5-5BEF-4122-9511-DFDA3694BB68} (deleted)
(7/12/05 11:36:21 PM) BHO-Key: HKCR\CLSID\{17AE44D5-5BEF-4122-9511-DFDA3694BB68} (deleted)
(7/12/05 11:36:21 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\Family\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(7/12/05 11:36:21 PM) UBF: 4 - UBB: 3 - UBR: 7
(7/12/05 11:36:21 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\family\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\family\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(7/12/05 11:36:21 PM) Stealth-String not found
(7/12/05 11:36:21 PM) File added to delete: c:\windows\system32\hbmk.dll
(7/12/05 11:36:21 PM) File added to delete: c:\docume~1\family\locals~1\temp\se.dll
(7/12/05 11:36:21 PM) Reboot


(7/12/05 11:38:49 PM) SPSeHjFix started v1.1.2
(7/12/05 11:38:49 PM) OS: WinXP Service Pack 1 (5.1.2600)
(7/12/05 11:38:49 PM) Language: english
(7/12/05 11:38:49 PM) Win-Path: C:\WINDOWS
(7/12/05 11:38:49 PM) System-Path: C:\WINDOWS\System32
(7/12/05 11:38:49 PM) Temp-Path: C:\DOCUME~1\Family\LOCALS~1\Temp\
(7/12/05 11:40:18 PM) Disinfection started
(7/12/05 11:40:18 PM) Bad-Dll(IEP): c:\docume~1\family\locals~1\temp\se.dll
(7/12/05 11:40:18 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\hbmk.dll
(7/12/05 11:40:18 PM) Searchassistant Uninstaller - Keys Deleted
(7/12/05 11:40:18 PM) UBF: 6 - UBB: 4 - UBR: 7
(7/12/05 11:40:18 PM) FilterKey: HKCR\text/html (deleted)
(7/12/05 11:40:18 PM) FilterKey: HKCR\CLSID\{F9AD25F8-CA1F-4B5D-ABF3-DA7A24F49F71} (deleted)
(7/12/05 11:40:18 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(7/12/05 11:40:18 PM) FilterKey: HKCR\text/plain (deleted)
(7/12/05 11:40:18 PM) FilterKey: HKCR\CLSID\{F9AD25F8-CA1F-4B5D-ABF3-DA7A24F49F71} (error while deleting)
(7/12/05 11:40:18 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(7/12/05 11:40:18 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BC6AB255-78FF-4FA6-BBA5-2039E7DECDEE} (deleted)
(7/12/05 11:40:18 PM) BHO-Key: HKCR\CLSID\{BC6AB255-78FF-4FA6-BBA5-2039E7DECDEE} (deleted)
(7/12/05 11:40:18 PM) UBF: 4 - UBB: 3 - UBR: 7
(7/12/05 11:40:18 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\family\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\family\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(7/12/05 11:40:18 PM) Stealth-String not found
(7/12/05 11:40:18 PM) File added to delete: c:\windows\system32\hbmk.dll
(7/12/05 11:40:18 PM) Reboot


(7/12/05 11:42:17 PM) SPSeHjFix started v1.1.2
(7/12/05 11:42:17 PM) OS: WinXP Service Pack 1 (5.1.2600)
(7/12/05 11:42:17 PM) Language: english
(7/12/05 11:42:17 PM) Win-Path: C:\WINDOWS
(7/12/05 11:42:17 PM) System-Path: C:\WINDOWS\System32
(7/12/05 11:42:17 PM) Temp-Path: C:\DOCUME~1\Family\LOCALS~1\Temp\


Logfile of HijackThis v1.99.1
Scan saved at 11:50:48 PM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\America Online 8.0\shellmon.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Family\LOCALS~1\Temp\sysnet.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://209.190.137.3...chm::/win32.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{253EBB2F-045F-4A42-87F2-9593917C5AED}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{253EBB2F-045F-4A42-87F2-9593917C5AED}: NameServer = 205.188.146.145
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#4
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Family\LOCALS~1\Temp\sysnet.exe
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)


Now, using Windows Explorer, DELETE the following files/folders (with all their content), if they still exist:

C:\Program Files\Viewpoint<===Folder
C:\Program Files\AOL\AOL Toolbar 2.0
C:\WINDOWS\System32\richedtr.dll
C:\WINDOWS\System32\intel32.exe
C:\WINDOWS\System32\richup.exe
C:\DOCUME~1\Family\LOCALS~1\Temp\sysnet.exe
c:\ex.cab
C:\WINDOWS\System32\vbsys2.dll

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
  • 0

#5
ukn0hs729f

    New Member

  • Topic Starter
  • Member
  • 4 posts
Hi Trevuren, it seems like the virus/trojan is removed, but Panda ActiveScan seemed to indicate a couple of spyware programs remaining. I'll wait a day or two to reconfirm, but here are all the logs you asked for. Thank you very much thus far, though; you've been prompt and extremely helpful.


Logfile of HijackThis v1.99.1
Scan saved at 2:13:34 PM, on 7/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\shellmon.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{253EBB2F-045F-4A42-87F2-9593917C5AED}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{253EBB2F-045F-4A42-87F2-9593917C5AED}: NameServer = 205.188.146.145
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:16:58 PM, 7/13/2005
+ Report-Checksum: 65BBF26B

+ Scan result:

HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11010101-1001-1111-1000-110112345678} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\8n2zvppk.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\8n2zvppk.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\8n2zvppk.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\8n2zvppk.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\internt.exe -> TrojanDownloader.Agent.ec : Cleaned with backup
C:\WINDOWS\system32\nsh2C.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\nsh3.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\nsk4.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\nsl17.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\nsm1D.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\nsp4E.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\nsu4.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\nsy3.dll -> Spyware.HotSearchBar : Cleaned with backup


::Report End



Smitfiles.txt log


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ system32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

Not Infected!


Panda Activescan Log

Incident Status Location

Spyware:Spyware/BetterInet No disinfected Windows Registry
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Family\Favorites\1111\1111.url
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Family\Desktop\HJT\backups\backup-20050713-113454-598.inf
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Family\Favorites\1111\1111.url
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\eied.inf
Adware:Adware/Mirar No disinfected C:\WINDOWS\Downloaded Program Files\MirarSetup.exe
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\system32\InstallerV3.exe
Virus:W32/Smitfraud.B Disinfected C:\WINDOWS\system32\wininet.old
  • 0

#6
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Still a few items to remove and 1 program to run

First we need to make all files and folders VISIBLE:

Go to start>control panel>folder options>view (tab)
*choose to "show hidden files and folders,"
*uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
*Close the window with ok
*All hidden files will now be visible

Please RUN HijackThis and click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab



Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode

*Restart the computer.
*as soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item
*press Enter.


Using Windows Explorer, locate the following files, and DELETE them (if they are still present):

C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
c:\eied_s7.cab


Exit Explorer, and REBOOT BACK INTO NORMAL MODE

2.
  • Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
    • Download Ad-Aware SE Personal 1.06:
    • Install Ad-Aware SE Personal 1.06:
      • Double-click on aawsepersonal.exe to install the program.
      • Follow the default settings for installation.
      • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
    • Update Ad-Aware SE Personal 1.06:
      • Double-click the Ad-Aware SE Personal icon on your desktop.
      • Click "Check for updates now" then click "Connect".
      • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
    • Configure Ad-Aware SE Personal 1.06:
      • Click on the Gear button at the top of the window.
      • Click "General" on the left hand side to display the General Settings box.
        • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Automatically save logfile"
        • "Automatically quarantine objects prior to removal"
        • "Safe Mode (always request confirmation)"
        • "Prompt to update outdated definitions" - change to 7 days from the default 14.
    • Click "Scanning" on the left hand side to display the Scan Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Scan within archives"
      • "Select drives & folders to scan" - select your hard drive(s).
      • "Scan active processes"
      • "Scan registry"
      • "Deep-scan registry"
      • "Scan my IE favorites for banned URLs"
      • "Scan my Hosts file"
    • Click "Advanced" on the left hand side to display the Advanced Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Move deleted files to Recycle Bin"
      • "Include additional object information"
      • "Include negligible objects information"
      • "Include environment information"
    • Click "Defaults" on the left hand side to display the Default Settings box.
      • Make sure these items have your preferred settings in them.:
      • "Default homepage"
      • "Default searchpage"
    • Click "Tweak" on the left hand side to display the Tweak Settings box.
      • Click the + (plus) sign next to the Log Files section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Include basic Ad-Aware settings in log file"
        • "Include additional Ad-Aware settings in log file"
        • "Include reference summary in log file"
        • "Include alternate data stream details in log file"
      • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Unload recognized processes & modules during scan"
        • "Scan registry for all users instead of current user only"
        • "Obtain command line of scanned processes"
      • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Always try to unload modules before deletion"
        • "During removal, unload Explorer and IE if necessary"
        • "Let Windows remove files in use at next reboot"
        • "Delete quarantined objects after restoring"
    • Once you are done with these settings, click "Proceed" to save them.
    • This will take you back to the main screen.
  • Run Ad-Aware SE Personal 1.06:
    • Click the "Start" button.
    • Uncheck the "Search for negligible risk entries" entry.
    • Choose the "Use custom scanning options" scan mode.
    • Click the "Next" button.
    • Ad-Aware will begin to scan for malware residing on your computer.
    • Allow the scan to finish.
    • Right-click on any entry in the list and click "Select All" to select the whole list.
    • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.
3. REBOOT your system

4. Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks.

Regards,

Trevuren

#7
ukn0hs729f

ukn0hs729f

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:30:40 PM, on 7/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\shellmon.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Family\Desktop\HJT\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{253EBB2F-045F-4A42-87F2-9593917C5AED}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{253EBB2F-045F-4A42-87F2-9593917C5AED}: NameServer = 205.188.146.145
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
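The helper's reply in post #6 and the fresh log in post #7 show the routine a volunteer goes through by hand: read each HijackThis entry by its section prefix, flag the ones worth a second look, and then confirm in the new log that the entries listed for fixing are really gone. The script below is an added example, written for this thread and not part of HijackThis or of the forum's own tooling. The sample lines are copied from the two posts above; the review rules (hosts overrides, "(file missing)" leftovers, ActiveX cabs loaded from a local file, non-default DNS servers, unresolved startup shortcuts) are this example's own heuristics and not HijackThis's classification.

```python
"""Triage a HijackThis (HJT) log by section and verify a fix list was applied.

Added example for the thread above; not HijackThis code. HJT prints one entry
per line as "<Onn> - <description>". The section prefix (O1 hosts, O2 BHO,
O4 autostart, O16 DPF, O17 TCP/IP, O23 service, ...) is what a reviewer
reads first; the flagging rules below are simple heuristics of this example.
"""
import re
from collections import defaultdict

# Subset of the HijackThis log posted in post #7 (copied, not constructed).
SAMPLE_NEW_LOG = r"""
Logfile of HijackThis v1.99.1
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{253EBB2F-045F-4A42-87F2-9593917C5AED}: NameServer = 205.188.146.145
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# The two entries the helper asked to have fixed in post #6.
FIX_LIST = r"""
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
"""

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
HEX = "[0-9A-Fa-f]"
GUID_RE = re.compile(r"\{%s{8}-%s{4}-%s{4}-%s{4}-%s{12}\}" % ((HEX,) * 5))


def parse_hjt(text):
    """Return (section, body) tuples for every entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def group_by_section(entries):
    """Map section prefix (e.g. 'O4') to the list of entry bodies under it."""
    groups = defaultdict(list)
    for section, body in entries:
        groups[section].append(body)
    return dict(groups)


def guids(entries):
    """All CLSIDs mentioned in the entries, upper-cased for comparison."""
    return {g.upper() for _, body in entries for g in GUID_RE.findall(body)}


def triage(entries):
    """Apply review heuristics; returns (section, reason, body) for flagged entries."""
    findings = []
    for section, body in entries:
        if section == "O1":
            # A hosts-file line pins a name to an IP and bypasses DNS entirely.
            findings.append((section, "hosts override", body))
        elif "(file missing)" in body:
            # Registry/COM entry whose file is gone: leftover of a removal.
            findings.append((section, "orphaned reference", body))
        elif section == "O16" and re.search(r"file://", body, re.IGNORECASE):
            # ActiveX "Downloaded Program File" registered from a local cab.
            findings.append((section, "local-file ActiveX (DPF)", body))
        elif section == "O17":
            # Per-interface DNS server; worth checking against the ISP's.
            findings.append((section, "custom DNS server", body))
        elif section == "O4" and body.endswith("= ?"):
            # Startup shortcut whose target HJT could not resolve.
            findings.append((section, "unresolved startup shortcut", body))
    return findings


def still_present(fix_entries, new_entries):
    """Entries from a fix list that still appear in a newer log.

    Matches on the exact (section, body) pair or on a shared CLSID, so a
    re-registered object with a changed description is still caught.
    """
    new_set = set(new_entries)
    new_guids = guids(new_entries)
    leftovers = []
    for section, body in fix_entries:
        own_guids = {g.upper() for g in GUID_RE.findall(body)}
        if (section, body) in new_set or (own_guids & new_guids):
            leftovers.append((section, body))
    return leftovers


def main():
    new_entries = parse_hjt(SAMPLE_NEW_LOG)
    for section, reason, body in triage(new_entries):
        print(f"[{section}] {reason}: {body}")
    leftovers = still_present(parse_hjt(FIX_LIST), new_entries)
    print("fix list fully applied" if not leftovers else f"still present: {leftovers}")


if __name__ == "__main__":
    main()
```

Run against the post #7 log, the triage lists the hosts override, the two orphaned AOL Toolbar references, the unresolved HP startup shortcut and the O17 DNS entry, and reports that both entries from the post #6 fix list are gone, which is the same conclusion the helper reached by eye in post #8.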
#8
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Your log looks good. If you are no longer experiencing any malware-related problems, please give me the OK and we will commence the final but essential cleanup procedures.


Trevuren
#9
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.