
Unwanted Toolbar [CLOSED]


  • This topic is locked This topic is locked

#1
reynolds0889
Member, 29 posts
A toolbar appeared. It has buttons that say "Remove Toolbar" (doesn't remove the toolbar - it takes me to an advertisement for Spyware removers), "Search," "Gambling," "Internet," "Pharmacy," "Finance," "Insurance," and "Adult." I haven't clicked on any of them. I also found and removed a folder called WareOut (or something like that), but the toolbar is still there. I don't know what to do. I want it gone.

Meanwhile, this is my first time posting. I don't know what "Hijack This" is. Please help!


#2
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Welcome to GTG.

Please read the first link in my signature and follow the steps outlined there. When you are ready, post the HijackThis log here.

#3
reynolds0889
Topic Starter, Member, 29 posts
Okay I followed all of the instructions, but I did run into one problem: In Ad Aware, one of the selections I was supposed to make was "During Removal, unload Explorer and IE if necessary." There was a gray X there and it would not let me change it to a check so that it would be included.

Beyond that all went well.

Before I post the HijackThis log, I would like to mention two things (well, three if you count THANK YOU).

Every time I turn on my computer, I get an "Error Starting Program" dialogue box that says, "A required .DLL file, DHCPSRV.DLL, was not found." Do you know what I should do about that? I haven't noticed any issues. It's been that way for a couple months - ever since I reloaded everything onto my computer because of some problems I was having.

ALMOST every time I turn on the computer (I don't think it's every time I have the internet on), I get a message that says, "Iexplore has caused an error in <unknown>. Iexplore will now close." This has happened ever since I got that toolbar that ultimately sent me to you.

Okay. Now that I've written you a little novel, here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:36:12 PM, on 7/31/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\USBN.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ADAPTEC\GOBACK\GBMENU.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\KODAK SOFTWARE UPDATER.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\READER\ACRORD32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ppccinst.net/
R3 - URLSearchHook: (no name) - {8F3A23C6-8BA1-F71F-B073-60826844722F} - sysconf16.dll (file missing)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\NHOZY.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\NHOZY.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SyGateManager] C:\PROGRAM FILES\SYGATE\SYGATE\SyGate.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\SYSTEM\usbn.exe -go -c200 -w4
O4 - HKLM\..\Run: [RtlFindVal] qwe.exe
O4 - HKLM\..\Run: [iesetupdll] Serviceprocess.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Adaptec\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [nmdllw] xxtoolbar.exe
O4 - HKCU\..\Run: [prcmon] slamm.exe
O4 - HKCU\..\Run: [ssweeper] MSTCPDLL.exe
O4 - Startup: GoBack.lnk = C:\Program Files\Adaptec\GoBack\GBMenu.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (file missing) (HKCU)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://206.168.252.2...sCamControl.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 195.95.218.1,85.255.112.7

Thank you for all that you do.

David

#4
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
Hi David, regarding that DHCPSRV.DLL file: from what I found, it's related to Sygate. Try uninstalling the Sygate firewall and then reinstalling it to see if the problem is still there.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WareOut

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - {8F3A23C6-8BA1-F71F-B073-60826844722F} - sysconf16.dll (file missing)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\NHOZY.DLL
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\NHOZY.DLL
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\SYSTEM\usbn.exe -go -c200 -w4
O4 - HKLM\..\Run: [RtlFindVal] qwe.exe
O4 - HKLM\..\Run: [iesetupdll] Serviceprocess.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [nmdllw] xxtoolbar.exe
O4 - HKCU\..\Run: [prcmon] slamm.exe
O4 - HKCU\..\Run: [ssweeper] MSTCPDLL.exe
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (file missing) (HKCU)
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SYSTEM\USBN.EXE
sysconf16.dll
C:\WINDOWS\SYSTEM\NHOZY.DLL
qwe.exe
Serviceprocess.exe
xxtoolbar.exe
slamm.exe
MSTCPDLL.exe
C:\Program Files\WareOut\
c:\eied_s7.cab
c:\ex.cab


Restart and run a new HijackThis scan. Save the log file and post it here.

Give me this log also:

Right click on http://www.silentrun...ent Runners.vbs and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.
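The entries greyknight17 picks out above follow a few recognisable patterns: a reference to a file that is no longer on disk, a Run entry that is a bare filename with no path and no known vendor, and an O16 Downloaded Program File that points at a local .cab. As an added example (not from this thread, and not part of HijackThis or any of the tools mentioned), the Python below encodes those patterns as triage rules and runs them over a constructed sample in the same log format; the KNOWN_BARE allowlist, the http:// O16 line and its placeholder CLSID and URL are assumptions.

```python
"""Triage a HijackThis v1.99 log for the entry types reviewed in this thread.

Added example, not from the thread or from HijackThis itself. Tags: 'FIX' for
entries the rules can decide from the line alone, 'REVIEW' for values only the
machine's owner can confirm (DNS servers, start page).
"""
import re

# Constructed allowlist: bare-filename Run entries that the Silent Runners
# output later in this thread attributes to Microsoft or the modem vendor.
KNOWN_BARE = {"systray.exe", "rundll32.exe", "mstask.exe", "bcmdmmsg.exe"}

# Constructed sample in the HijackThis line format used in this thread: a
# handful of entries from the first posted log plus one constructed http://
# O16 line with a placeholder CLSID and URL.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ppccinst.net/
R3 - URLSearchHook: (no name) - {8F3A23C6-8BA1-F71F-B073-60826844722F} - sysconf16.dll (file missing)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\NHOZY.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\SYSTEM\usbn.exe -go -c200 -w4
O4 - HKLM\..\Run: [RtlFindVal] qwe.exe
O4 - HKCU\..\Run: [ssweeper] MSTCPDLL.exe
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (file missing) (HKCU)
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {CONSTRUCTED-CLSID-PLACEHOLDER} (Example Control) - http://example.invalid/upload.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 195.95.218.1,85.255.112.7
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]*\})(?: \((?P<title>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>[\d.,]+)$")
R0_RE = re.compile(r"^R0 - .*Start Page = (?P<url>\S+)$")


def first_token(cmd):
    """Return the executable part of a Run command (quoted or not), without options."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return a list of (tag, message) findings for the lines that match a rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Any entry still pointing at a file that is gone is a leftover to clean up.
        if "(file missing)" in line:
            findings.append(("FIX", "dangling reference to a missing file: " + line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = first_token(m.group("cmd"))
            # No backslash means the loader searches the path; unknown bare names are suspect.
            if "\\" not in exe and exe.lower() not in KNOWN_BARE:
                findings.append(("FIX", "Run entry is a bare filename with no path and no known vendor: " + line))
            continue
        m = O16_RE.match(line)
        if m:
            # A Downloaded Program File should come from a web server, not a local .cab.
            if m.group("url").lower().startswith("file://"):
                findings.append(("FIX", "Downloaded Program File registered from a local .cab: " + line))
            continue
        m = O17_RE.match(line)
        if m:
            findings.append(("REVIEW", "DNS servers are set; confirm they belong to your ISP: " + line))
            continue
        m = R0_RE.match(line)
        if m:
            findings.append(("REVIEW", "IE start page is set; confirm you chose it: " + line))
    return findings


def summary(findings):
    """Count findings per tag, e.g. {'FIX': 5, 'REVIEW': 2}."""
    counts = {}
    for tag, _ in findings:
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for tag, text in triage(SAMPLE_LOG):
        print(f"[{tag}] {text}")
    print(summary(triage(SAMPLE_LOG)))
```

Entries with a full path to an unfamiliar executable (the usbn.exe line here) still need a manual look; the rules only cover what can be decided from the line itself.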

#5
reynolds0889
Topic Starter, Member, 29 posts
Grey Knight,

Okay. Here's where I am at so far...

While deleting files in Safe Mode, most of the stuff wasn't there. I deleted what was. There is one file, "MSTCPDLL.exe" that... while it wasn't there, it looked a lot like "MSTCP.DLL" and I was wondering if that was what you meant to tell me to delete. If so I can go back and do that.

A "Backups" folder appeared - I think when I was in safe mode. It is on my desktop. Can I move it or delete it? I'm assuming it is associated with Hijack This but I could be wrong.

I downloaded AVG while I was doing the "before" process. It keeps telling me that it found a trojan horse, "C:\Windows\System\RDSNDIN.EXE". After that it says, "Trojan Horse Clicker.FR." I've hit "Heal," "Delete," and "Move to Vault," but it keeps telling me that "Requested action is not available for this object." What should I do?

Also a little shield keeps popping up on my task bar. It has an exclamation point in the middle and a speech bubble that tells me that "Your virus protection status is bad" and "Spyware Activity Detected." It says "Your computer may be at risk" and then says to click the bubble, and that takes me to a spyware advert. Is that part of AVG?

Finally, and I know I seem to ask a lot of questions, you told me to click on that link and post the file, but "Make sure you have disabled any programs that may block/disable scripts (ex. Ad-Watch, Tea Timer, Norton, etc.)." - Does AVG? And if so, how do I disable it?

Sorry to ask so much. I'm an admitted ignoramus and I don't want to do anything that will harm the computer or your ability to help me.

Meanwhile, here is my HijackThis log, and I'll get the other one to you just as soon as you tell me what to do.

Logfile of HijackThis v1.99.1
Scan saved at 10:28:33 AM, on 8/2/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ADAPTEC\GOBACK\GBMENU.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\KODAK SOFTWARE UPDATER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ppccinst.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SyGateManager] C:\PROGRAM FILES\SYGATE\SYGATE\SyGate.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Adaptec\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: GoBack.lnk = C:\Program Files\Adaptec\GoBack\GBMenu.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://206.168.252.2...sCamControl.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 195.95.218.1,85.255.112.7

-David

#6
greyknight17
Malware Expert, Visiting Consultant, 16,560 posts
No, don't delete that MSTCP.DLL file.

Leave the backup folder. It's created by HijackThis. That's why we usually ask users to create a folder for HijackThis so that the main HijackThis.exe and the backups folder are in the same location ;)

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\Windows\System\RDSNDIN.EXE

No, I don't think it's AVG at all. Let's see what else is wrong here. Post that Silent Runners log :)

Don't say that :( Feel free to ask any questions you may have. We're here to help - even a simple question like yours may be in another user's mind, but they never asked about it. Don't worry, AVG doesn't have this script protection. You may just run Silent Runners.

While you're at it, run these two scans also:
Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

#7
reynolds0889
Topic Starter, Member, 29 posts
I replied to this last night but it doesn't seem to have posted for some reason. I'll try to remember everything I said...

I ran the Kill Box, but I'm not sure what that did. Maybe I didn't do it right. I didn't really notice any changes. When you told me to copy the "below files and go back to Killbox," what did you mean? There were 39 files in a scroll bar in Kill Box. When I followed your commands, I did get that RDSNDIN.EXE in the window, but again I didn't really see that anything happened.

I have another trojan that won't erase, and often times my computer doesn't load up right and I have to restart. Sometimes it just acts strange, like it isn't getting all of the information. Once again I have to reboot and then it is normally fine.

I ran the trendmicro virus scan and it didn't find anything. I ran the Panda Active Scan and it found 2 viruses, but AOL crapped out on me and I didn't get the file you wanted. It said that it deleted the two viruses (or were they trojan horses - or are those the same thing?), but it wasn't done running when the computer quit. AVG keeps finding them, so I don't get the idea it really happened.

I'll try to run Panda again in the next couple of days, but I don't know what good it will do. I decided to post here so you could give me any advice you can and so you could read the silent runner and tell me if I did the Killbox thing wrong.

Thanks once again.

David

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"BCMDMMSG" = "BCMDMMSG.exe" ["BCM"]
"Speed racer" = "C:\Program Files\Creative\PlayCenter\CTSRReg.exe" ["Creative Technology Ltd."]
"AudioHQ" = "C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" ["Creative Technology Ltd."]
"UpdReg" = "C:\WINDOWS\Updreg.exe" ["Creative Technology Ltd."]
"SyGateManager" = "C:\PROGRAM FILES\SYGATE\SYGATE\SyGate.exe" ["Sybergen Networks, Inc."]
"Adaptec DirectCD" = "C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE" ["Adaptec"]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["America Online, Inc"]
"QuickTime Task" = ""C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime" ["Apple Computer, Inc."]
"AOL Spyware Protection" = ""C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"" [null data]
"KodakCCS" = "C:\WINDOWS\System32\Drivers\KodakCCS.exe" ["Eastman Kodak Company"]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"devldr16.exe" = "C:\WINDOWS\SYSTEM\devldr16.exe" ["Creative Technology Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}
"(Default)" = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"SSDPSRV" = "C:\WINDOWS\SYSTEM\ssdpsrv.exe" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"GoBack Polling Service" = "C:\Program Files\Adaptec\GoBack\GBPoll.exe" ["Adaptec, Inc."]
"AolAcsDaemon1" = ""C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"" ["America Online, Inc."]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS]
"{6809e580-a3a7-11d1-9a00-00a0c945b006}" = "GoBack Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adaptec\GoBack\ShellExt.dll" ["Adaptec, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec Directcd Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adaptec\DirectCD\shellex.dll" ["Adaptec"]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\COMMON FILES\KODAK\IFSCORE\KODAKSHX.DLL" ["Eastman Kodak Company"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{6809e580-a3a7-11d1-9a00-00a0c945b006}" = "GoBack Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adaptec\GoBack\ShellExt.dll" ["Adaptec, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
GoBack\(Default) = "{6809e580-a3a7-11d1-9a00-00a0c945b006}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adaptec\GoBack\ShellExt.dll" ["Adaptec, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


System Policies [Description]:
------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
[disables toolbar status changes in Internet Explorer|View|Toolbars]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\YGPSS.SCR" ["America Online Inc"]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"GoBack" -> shortcut to: "C:\Program Files\Adaptec\GoBack\GBMenu.exe /t" ["Adaptec, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"America Online 9.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 9.0\aoltray.exe -check" ["America Online, Inc."]
"Kodak EasyShare software" -> shortcut to: "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -h" ["Eastman Kodak Company"]
"Kodak software updater" -> shortcut to: "C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\msafd.dll [MS], 1 - 3
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 4 - 5


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = "AOL Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL" ["IE Toolbar"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = "AOL Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL" ["IE Toolbar"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{4982D40A-C53B-4615-B15B-B5B5E98D167C}\
"ButtonText" = "AOL Toolbar"
"MenuText" = "AOL Toolbar"


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.microsoft...5.5&ar=msnhome"
[Strings]: MS_START_PAGE_URL="http://www.microsoft...5.5&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 22 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 104 seconds.
---------- (total run time: 147 seconds)
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi David, for KillBox, I just wanted you to copy and paste that one line I highlighted there. I usually ask users to use KillBox to delete a whole bunch of files, and this may come in handy since they don't need to go in manually and delete it one by one. By copying the text and then using KillBox (Paste from Clipboard) it saves the user a lot of time. In your case, all you had to do was copy that one line and just paste it directly into the KillBox field there. Check Delete on Reboot and hit the circled red X button to delete it.

OK, try running this program since Panda/AOL is giving you problems:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

The Silent Runners log looks ok.
  • 0

#9
reynolds0889

reynolds0889

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
I forgot to tell you that the toolbar is gone and I am greatly appreciative for that. Thank you!

I'll get back on all that other stuff ASAP.

David
  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No problem. I'll take a quick look at that mwav log to make sure nothing else is wrong :tazz:
  • 0

#11
reynolds0889

reynolds0889

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Sorry I've been so long in posting. I had to focus on finals.

AVG recently ran a scan and found 7 viruses. 5 of them were quarantined. The two that weren't are C:\Windows\System\csgci.exe and C:\Windows\System\hgqhp.exe. The first is labeled as "Trojan horse Dropper.Generic.MK" and the second is a "Trojan horse Dropper.Agent.GA".

After these were found, a ton of error messages came up and eventually threw me into a blue screen that no amount of "press any key" could get me out of. I finally rebooted. Everything was fine so I emptied the quarantine, rebooted again, and hit F8 to get into Safe Mode.

In Safe Mode I ran the Mwav file and here is what it found (it said 8 viruses):

File C:\WINDOWS\SYSTEM\HCLEAN32.EXE infected by "Trojan.Win32.Qhost.qr" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\Desktop\Geeks On Call\backups\backup-20050802-101640-978.dll tagged as "not-a-virus:AdWare.ToolBar.SBSoft.h". Action Taken: No Action Taken.
Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\HELPSP~1.CAB". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CTSVCCDA.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CTSVCCTL.EXE". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "C:\WINDOWS\SYSTEM\disktool.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{700B1221-CAFF-11d1-B9DE-000000001B1B}" refers to invalid object "atippaxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E62DCD80-C262-11d1-A419-006097923041}" refers to invalid object "atipdsxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2EADFE65-C751-11D1-A636-0000E8DB1EA2}" refers to invalid object "atipdaxx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F2B8E361-D2E2-11D1-A41F-00609729B902}" refers to invalid object "atipuixx.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EBB5845F-CA80-11CF-BD3C-008029E89281}" refers to invalid object "atitvo32.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB7DF450-F119-11CD-8465-00AA00425D90}" refers to invalid object "C:\Program Files\Microsoft Office\Office\". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8F3A23C6-8BA1-F71F-B073-60826844722F}" refers to invalid object "sysconf16.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8EC31898-D1E6-4758-80BE-31E873AC2903}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8EC31897-D1E6-4758-80BE-31E873AC2903}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D9C027CF-DF75-4D2C-B763-AC1CA31C4AF8}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamiui.dll". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\ntfsnlpa.exe tagged as "not-a-virus:AdWare.Msnagent.b". Action Taken: No Action Taken.
File C:\_RESTORE\ARCHIVE\FS25.CAB tagged as "not-a-virus:AdWare.FindSpy.a". Action Taken: No Action Taken.
File C:\_RESTORE\ARCHIVE\FS45.CAB tagged as "not-a-virus:AdWare.FindSpy.a". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\ntfsnlpa.exe tagged as "not-a-virus:AdWare.Msnagent.b". Action Taken: No Action Taken.
File C:\WINDOWS\Desktop\Geeks On Call\backups\backup-20050802-101640-978.dll tagged as "not-a-virus:AdWare.ToolBar.SBSoft.h". Action Taken: No Action Taken.

Thanks again. Talk to you soon.

David
  • 0
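The Mwav output above mixes three very different things: a file infected by real malware, files "tagged" with not-a-virus adware labels, and registry entries that merely point at objects that no longer exist (leftovers from uninstalled software, not infections). Sorting them apart is the first triage step before deciding what to delete. The Python below is an added example, not code from this thread or from the Mwav tool; the sample log is constructed in the same shape as the lines posted above, and the rule that files under C:\_RESTORE can only be cleared by purging System Restore is the reason that folder is reported separately.

```python
import re

# Constructed sample in the same shape as the Mwav log posted above (not the real log).
SAMPLE_LOG = r"""
File C:\WINDOWS\SYSTEM\HCLEAN32.EXE infected by "Trojan.Win32.Qhost.qr" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\Desktop\Geeks On Call\backups\backup-20050802-101640-978.dll tagged as "not-a-virus:AdWare.ToolBar.SBSoft.h". Action Taken: No Action Taken.
Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\CTSVCCDA.EXE". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{700B1221-CAFF-11d1-B9DE-000000001B1B}" refers to invalid object "atippaxx.dll". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\ntfsnlpa.exe tagged as "not-a-virus:AdWare.Msnagent.b". Action Taken: No Action Taken.
File C:\_RESTORE\ARCHIVE\FS25.CAB tagged as "not-a-virus:AdWare.FindSpy.a". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\ntfsnlpa.exe tagged as "not-a-virus:AdWare.Msnagent.b". Action Taken: No Action Taken.
"""

# "infected by" marks real malware; "tagged as" is Mwav's wording for not-a-virus adware.
FILE_RE = re.compile(r'^File (?P<path>.+?) (?P<verdict>infected by|tagged as) "(?P<name>[^"]+)"')
# Heuristic hits reported by name rather than by file.
OBJECT_RE = re.compile(r'^Object "(?P<name>[^"]+)" found in (?P<where>[^!]+)!')
# Registry keys whose target is missing: orphans, not infections.
ENTRY_RE = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<target>[^"]+)"')


def parse_mwav(text):
    """Split Mwav output into infected files, adware-tagged files,
    heuristic object hits and orphaned registry entries."""
    report = {"infected": [], "adware": [], "objects": [], "orphans": []}
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            path = m.group("path")
            key = path.lower()  # Mwav lists the same file twice; report it once
            if key in seen:
                continue
            seen.add(key)
            bucket = "infected" if m.group("verdict") == "infected by" else "adware"
            report[bucket].append((path, m.group("name")))
            continue
        m = OBJECT_RE.match(line)
        if m:
            report["objects"].append((m.group("name"), m.group("where").strip()))
            continue
        m = ENTRY_RE.match(line)
        if m:
            report["orphans"].append((m.group("key"), m.group("target")))
    return report


def files_to_remove(report):
    """Files that can be deleted by hand versus files inside System Restore
    archives, which only go away when System Restore is purged."""
    manual, restore = [], []
    for path, _name in report["infected"] + report["adware"]:
        if path.upper().startswith("C:\\_RESTORE\\"):
            restore.append(path)
        else:
            manual.append(path)
    return manual, restore


if __name__ == "__main__":
    rep = parse_mwav(SAMPLE_LOG)
    manual, restore = files_to_remove(rep)
    print("delete manually:", *manual, sep="\n  ")
    print("cleared by purging System Restore:", *restore, sep="\n  ")
    print("orphaned registry entries (no malware):", len(rep["orphans"]))
```

Running it on the constructed log yields three files to delete by hand, one CAB that only a System Restore purge will clear, and two registry orphans that need no cleanup. Duplicates are collapsed by path, since Mwav reports the same file once per scan pass.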

#12
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Delete those two files you said were not quarantined by AVG. Then delete these also if found:

C:\WINDOWS\SYSTEM\ntfsnlpa.exe
C:\WINDOWS\Desktop\Geeks On Call\backups\backup-20050802-101640-978.dll
C:\WINDOWS\SYSTEM\HCLEAN32.EXE


Go to Start->Settings->Control Panel and double click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Restart your computer and uncheck the same box to enable System Restore.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#13
reynolds0889

reynolds0889

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
I do still have troubles but I wonder if I am now in the wrong area of the web site for this. Many, many times when I turn on the computer, something goes wrong. The icons don't show up and only one of the items in the system tray (Creative SB Live) shows up. I get an hour glass and can do nothing. I have to manually shut down the computer.

In addition, I get a blue screen every now and again and I don't know why. Rebooting always seems to help, but sometimes I have to shut down and restart 3 or 4 times before it loads up correctly. Any suggestions?

David
  • 0

#14
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Well, you are running a lot of programs at startup there. Let's try disabling some:

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe


You can probably check and fix the Creative entries also if you don't need them starting up.

Other than that, restart your computer and see if it's any better now.

For the blue screen problem, see if it's a memory/ram issue:
Download the Windows Memory Diagnostic Tool and install it on a blank floppy disk. Restart your computer and insert the floppy. If necessary, change your bios to boot from the floppy drive first. Let it load from the floppy and run the memory test for about 15 minutes. If no errors show up, you may exit the program and take out the floppy.

If you still have problems, it's best to post this in the Windows Forum. If you have no more spyware related problems (toolbar gone?), then I will close this topic and mark it as resolved :tazz:
  • 0
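The O4 lines quoted in that reply each describe one autostart mechanism (a Run or RunServices registry value, or a shortcut in the Startup folder), a display name and a command line. Turning them into a structured inventory makes it easy to see what launches from where and which images sit in the Windows SYSTEM folder, the same folder where AVG found the two droppers earlier in this thread. The Python below is an added example, not code from HijackThis or from this thread; the sample lines are constructed in the shape of the quoted O4 entries (the "Constructed Example" entry is a placeholder, not a real program), and a location match is only a reason to look closer, as the legitimate QuickTime entry shows.

```python
import re

# Constructed sample in the shape of the HijackThis O4 lines quoted above (not the poster's log).
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Constructed Example] C:\WINDOWS\SYSTEM\EXAMPLE.EXE /silent
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
"""

# Registry-based autostart: hive, key (Run / RunServices / ...), value name, command line.
REG_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Shortcut-based autostart from the per-user or global Startup folder.
LNK_RE = re.compile(r'^O4 - (?P<folder>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# Command line: either a quoted path, or an unquoted path ending in an executable extension.
CMD_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|com|bat|cmd|pif|scr)))(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)


def split_command(cmd):
    """Return (image path, arguments); unquoted paths with spaces are handled
    by stopping at the first executable extension."""
    m = CMD_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return (m.group("q") or m.group("u")), (m.group("args") or "")


def parse_o4(text):
    """Parse HijackThis O4 lines into dicts with source, name, path and args."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = REG_RE.match(line)
        if m:
            path, args = split_command(m.group("cmd"))
            entries.append({"source": m.group("hive") + "\\..\\" + m.group("key"),
                            "name": m.group("name"), "path": path, "args": args})
            continue
        m = LNK_RE.match(line)
        if m:
            path, args = split_command(m.group("cmd"))
            entries.append({"source": m.group("folder"), "name": m.group("name"),
                            "path": path, "args": args})
    return entries


def in_system_dir(entry, windir="C:\\WINDOWS"):
    """True when the image sits directly in the Windows SYSTEM folder (no subfolder).
    That is where the droppers in this thread were found, but it is a prompt to
    look closer, not a verdict: QTTASK.EXE lives there legitimately."""
    sysdir = (windir + "\\SYSTEM\\").upper()
    p = entry["path"].upper()
    return p.startswith(sysdir) and "\\" not in p[len(sysdir):]


if __name__ == "__main__":
    for e in parse_o4(SAMPLE_O4):
        flag = "  <- in SYSTEM folder, verify" if in_system_dir(e) else ""
        print(f'{e["source"]:<22} {e["name"]:<30} {e["path"]} {e["args"]}{flag}')
```

The inventory lists six entries; the two whose image lives directly in C:\WINDOWS\SYSTEM are marked for a closer look, while an image in a subfolder (the KB891711 hotfix) is not. Extending it to the O4 lines of a real log is a matter of feeding the whole HijackThis scan through parse_o4.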

#15
reynolds0889

reynolds0889

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Okay I've done all that you suggested. I just have a couple questions and then I think I can get off your back.

1. The two viruses that AVG couldn't delete are not there anymore and I haven't had any warnings lately. Is it possible they disappeared or were deleted by some other program and I didn't know it?

2. The box that said "Disable System Restore" was already checked when I went there, so I left it that way and rebooted anyway (I had just deleted the files you told me to) and then went back and unchecked it. That's okay, right? You don't think it was already checked for some good reason, do you?

If you tell me all is well, then feel free to close this topic and mark it as resolved. Once again thank you for all of your help.

David
  • 0
