Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

ps guard [RESOLVED]

Started by lenjane5132 , Jul 29 2005 04:55 PM

  • This topic is locked This topic is locked

#1
lenjane5132
Posted 29 July 2005 - 04:55 PM

lenjane5132

    New Member

  • Member
  • Pip
  • 5 posts
i am using win 98 , i used adaware but this one seems so elusive. It wont even let me download. I had to use another computer and send my self an email of hhijack this then email it away becasue the virus wont let me on long enough to access this site. i used trend housecall. and i use avg virus protection already.spybot search and destroy found nothing. i was unable to down load cw shredder but i can try from another computer and email it to mine if it works long enough. Hope this log is accurate and i hope you can help as someone stole my original disks so if idump this operating system i am hooped till i buy another.


Logfile of HijackThis v1.99.1
Scan saved at 1:29:45 AM, on 29/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DL L
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\ESSSPK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\LOGITECH\DESKTOP
MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE BROWSER\NETSCAPE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://c:\windows\TEMP\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://rd.yahoo.com/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
C:\WINDOWS\SYSTEM\OOBE\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
C:\WINDOWS\SYSTEM\OOBE\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.windowsdo...com/success.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670}
- C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_2_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -
C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM
FILES\MSN APPS\ST\01.02.3000.1002\EN-XU\STMAIN.DLL
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A}
- C:\PROGRAM FILES\YAHOO!\COMMON\YIETAGBM.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -
C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: (no name) - {65937EA1-FDA0-11D9-98B3-0003892DD384} -
C:\WINDOWS\SYSTEM\EDAK.DLL
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} -
C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no
file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM
FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_2_0.DLL
O3 - Toolbar: Advanced Searchbar -
{57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\PROGRAM FILES\ADVANCED SEARCHBAR\ADVANCEDSEARCHBAR.DLL (file
missing)
O4 - HKLM\..\Run: [Adaptec DirectCD]
C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR]
C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE
/STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk
Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [EM_EXEC]
C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink
Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN
Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program
Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Adaptec DirectCD]
C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKCU\..\Run: [EssSpkPhone] essspk.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop
Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Norton eMail Protect] C:\Program Files\Norton
AntiVirus\POPROXY.EXE
O4 - HKCU\..\Run: [Startup Monitor] C:\PROGRAM FILES\STARTUP
MONITOR\STARTUPMONITOR.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL
deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program
Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media
Components\Encoder\WMENCAGT.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk =
C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program
Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program
Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft
Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program
Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program
Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
(no file)
O9 - Extra button: AOL Instant Messenger ™ -
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Yahoo! Services -
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -
C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMESUS.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMESUS.DLL
O9 - Extra button: Advanced Searchbar -
{57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\PROGRAM FILES\ADVANCED SEARCHBAR\ADVANCEDSEARCHBAR.DLL
(file missing)
O9 - Extra 'Tools' menuitem: Advanced Searchbar -
{57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\PROGRAM FILES\ADVANCED
SEARCHBAR\ADVANCEDSEARCHBAR.DLL (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {D47B9AB4-83C1-4534-ABDC-ACBFFE8F2B86} (CWDL_DownLoadControl
Class) - http://www.callwave....DL_DownLoad.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)
- C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class)
-
http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments
Control) - http://sea2fd.sea2.h...ex/HMAtchmt.ocx
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) -
http://pcpitstop.com...p/PCPitStop.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control
4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX
Class) -
http://download.weat...?rand=200342213
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class)
- http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: Yahoo! Chat 1.3 -
http://jcs.chat.dcn....m/c174/chat.cab
O16 - DPF: Yahoo! Literati -
http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Word Racer -
http://download.game...nts/y/wt1_x.cab
O16 - DPF: Yahoo! Chat -
http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {099513A2-15DE-49B2-B543-45DE6254DC00} (Yahoo! Photos Easy
Upload Tool Class) -
http://us.dl1.yimg.c...ropper1_6aa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai...all/xscan53.cab
  • 0

Advertisements

#2
Armodeluxe
Posted 31 July 2005 - 09:45 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Hi lenjane5132, welcome to GeeksToGo

We'll need to transport some files from the computer you are now using, to your infected computer. If you can email the following file to the infected computer, fine. Just extract the following Smitrem.zip to its own folder on the desktop and proceed with the directions below from "click on RunThis.bat". Otherwise follow these alternate transfer directions:

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.
So you'll get a new folder called smitrem on your desktop.
I want you to put that folder on cd, floppy or usb-stick.

On your infected computer, boot again in safe mode and open your task manager again.
Now insert the cd, floppy or usb-stick where you saved the smitrem folder in your infected computer.

In your Task Manager, click 'applications' (first tab).
Click the New Task button.
Cick browse.

Now browse to the drive where your floppy, usb-stick or cd is present (could be A or D or E or F.. you'll see..)
Search for that smitrem folder.
Right click on the smitrem folder and choose: Copy

Now browse again via Task Manager to My Documents or Program Files.
Right click somewhere in there, right click and choose: Paste
Now open the smitrem folder you just copied and pasted and click the file: RunThis.bat
Then click open.
In the window where it says 'Create new task', click OK.

Normally, you'll have to drag the different windows you'll see to left or to right, because normally they will open on top of each other and you wont see the command window the tool starts that is under it.
You'll see a blue window now.
Follow the prompts on screen.
Wait for the tool to complete.

When done, in Task Manager, click 'shut down' from the menu on top and click restart. Your computer will reboot now.
Reboot to normal mode and post a hijackthis log in your next reply.

Regards,

Armodeluxe
  • 0

#3
lenjane5132
Posted 31 July 2005 - 12:15 PM

lenjane5132

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thank you for your reply. I was able to download smitrem to my desktop and opened into its own file. I rebooted into safemode , closed all windows except the one as it instructed and ran the program ... but before completing it said there was a conflict and i got the abort retry fail message. All windows were closed and i dont know what the conflict could be. The ps guard icons are stlil evident on my desktop. Here is the file from hijack this .

Logfile of HijackThis v1.99.1
Scan saved at 11:13:53 PM, on 30/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\ESSSPK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE BROWSER\NETSCAPE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsdo...com/success.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_2_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.02.3000.1002\EN-XU\STMAIN.DLL
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRAM FILES\YAHOO!\COMMON\YIETAGBM.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_2_0.DLL
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKCU\..\Run: [EssSpkPhone] essspk.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKCU\..\Run: [Startup Monitor] C:\PROGRAM FILES\STARTUP MONITOR\STARTUPMONITOR.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMESUS.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMESUS.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {D47B9AB4-83C1-4534-ABDC-ACBFFE8F2B86} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c...ymmapi_0727.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea2fd.sea2.h...ex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: Yahoo! Chat 1.3 - http://jcs.chat.dcn....m/c174/chat.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {099513A2-15DE-49B2-B543-45DE6254DC00} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_6aa.cab
  • 0

#4
Armodeluxe
Posted 31 July 2005 - 04:04 PM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Hi lenjane

One of the reasons causing problems for you is that you are running two antivirus programs at the same time. Doing that is known to cause conflicts and instability on a system. If you'd like to keep both of them, at least you should turn off the active protection features of one of them and keep it handy just for the occasional scan. Please do that, or uninstall one of them. My advice for you would be to rid of Norton and keep AVG, but it's your choice. I myself used to have Norton, it came preinstalled on my computer but I rid of it when the subscription expired and have been using Antivir since. AVG I never gave a try cause I never had problems with Antivir, but it is highly recommended by experts in antispyware.

You have another infection that has to be taken care of before PSGuard, but I went after PSGuard first because of your connection problem. We'll give it a try again after cleaning se.dll. If you receive any error messages this time, please make a note of it and include exactly in your next post. I'm especially interested if the message text says anything about wininet.dll. Hope it goes well this time.

Please download Seeker's SpSeHjfix here:
http://www.derbilk.de/SpSeHjfix109.zip
Unzip it to the desktop but do NOT run it yet.

Open your AdAware and click check for updates now. Finish the update and exit AdAware.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please run SpSeHjfix.bat. Click "Start Disinfection" and follow the prompts. Allow your computer to reboot when required. Upon reboot boot back into safe mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.

Also uncheck "View my Active desktop as a web page".
Click OK then Apply and OK.

Restart your computer in normal mode.

Run Panda's online virus scan and perform a full system scan. Make sure the Autoclean box is checked!

Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the smitRem tool, which will be located at C:\smitfiles.txt.
Let us know if any problems persist.
  • 0

#5
lenjane5132
Posted 03 August 2005 - 10:31 PM

lenjane5132

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I am sorry it took me so long to get back to you but but the smitfile showed my wininet dll was corrupt. I ran panda to try to clean but then it deleted it. soooooo nothing worked and i had to reformat and i upgraded to xp. Thanks for your help Maybe someone else reading this will keep from making my mistake .
  • 0

#6
Armodeluxe
Posted 04 August 2005 - 09:22 PM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Sorry to hear about that lenjane

Panda was not supposed to delete that file, we contacted Panda about this issue but haven't heard from them yet. It certainly wasn't your mistake. If the clean on the file failed, it wasn't supposed to be deleted.

I hope you enjoy using XP. Please go to Windows update ASAP and apply all the security patches. If the version you got doesn't have SP2 already installed, please install that too. If you'd like to post a new log from the new OS, feel free to do so, I'd be happy to look at it.

Please take the following into consideration to maintain a clean computer.

Now you should go get a firewall. Don't rely on the Windows firewall as it monitors only incoming traffic. Pick one of these, they are all free.
Kerio
Zonealarm
Sygate

Visit Windows Update regularly to get the latest security updates. You can also enable automatic updates. Your antivirus software and antispyware programs should also be updated regularly and make a habit of running scans on a timely basis.

Additional programs to consider:

Spywareblaster Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.Restricts the actions of potentially unwanted sites in Internet Explorer.
Spywareguard An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
IE/Spyad
Adds a list of malicious sites to your Restricted Sites Zone.
Firefox An alternate browser safer than IE

A good article to read:
So how did I get infected in the first place?

Regards,
  • 0

#7
Armodeluxe
Posted 21 August 2005 - 11:40 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP