Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

after spysheriff [CLOSED]


  • This topic is locked This topic is locked

#1
cheeky_ninja

cheeky_ninja

    New Member

  • Member
  • Pip
  • 4 posts
Windows Xp home edition
Spybot S&D
Adaware 6.0
Hijackthis latest version
regcleaner
- very little knowledge of regedit

Basically this computer was working fine until when using the internet, spysherif decided to download itself along with a couple of other programs for good measure. ;) I think i have successfully removed spysherif (the background is customisable and the little crosses in the system tray do not appear, nor can any reference to spysherif be found on this computer that i am aware of). also taskmanger had been disabled by the system administrator :) however i manged to get it working by using regedit.

The problem i am left with however is an unusably slow computer, the only way to bring it up to speed is to select the process you want to use on taskmanager>processes e.g. explorer.exe and give it a higher priority. When looking on the taskmanger to see what processes were using the system resoures i noticed that there were at least 15 entries for devldr32.exe, however if i try to kill the process it tells me it cannot be done because the command for this object is not valid. As well as this the number of entries fluctuates rapidly and can be anywhere between 15 and 60+ (it increases in number over time, from 15 to 60 in 1 hour and 30 minutes). Obviously this is bad for system performance.

I have researched devldr32.exe and have found it to be a file associated with the soundblaster which has been installed for several years with no problems.

I cannot delete devldr32.exe from C:>windows>system32 because it is running and i cannot stop it running. I tried to delete it using hijackthis on reboot but the computer doesn't turn off properly so it won't delete it on reboot. This error can be caused by devldr32.exe not turning off on shutdown so i am at a loss as to how to delelte it.

Not only this but the guy upstairs who is picking on me also decided that i should have the procecess cssrs.exe running. Through research i have discoverd that this is called w.agotbot although i am not too sure of this because i cannot check it on internet explorer because the system is crashing as i type. Agobot is meant to create startup entries of winfx and/or device drivers. However i cannot find either of these in the startup registery either in msconfig or on regcleaner. (Neither can i find a reference to devldr32.exe on regcleaner, msconfig or regedit. However, i must confess that i do not really know what i am doing in regedit).

Please help me, i have been searching the forums for the last 3 days in relevance to the devldr32.exe problem but no-one else seems to be experiencing it. :tazz: This isn't my computer, its my gf's family's and they are all at each others throats now because of me and they have work to do etc etc...... so yeah, i hope you can help me because i'm going to be skinned :( and i go on holiday on sunday for 2 weeks, so i dont know if i will be able to check this thread it is now tuesday i know i have left it a bit late, i will put a fresh hijackthis log on, on saturday evening. My gf is standing next to me insisting that i tell you that they cannot use computers so its my responsibility to fix it especially as i broke it in the first place.

Also i have not used a forum akin to this before so i appologise for incorrect topic titles / descriptions, i also appologise for the length of this i just wanted to give you as much information as possible, i have performed up to date scans with adaware and spybot S&D and found no errors. please help me? :( :woot:

Logfile of HijackThis v1.99.1
Scan saved at 18:28:19, on 02/08/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\cssrs.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\devldr32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7C73EEF-3234-4D45-9149-6A9E20888F8D}: NameServer = 195.92.195.94 195.92.195.95
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_8.dll
O21 - SSODL: System - {153D824B-C013-4C51-8614-E3D6582102F9} - vr_sys.dll (file missing)
O21 - SSODL: ArcSoft PhotoImpression 3.0 - {C5D75B76-55C3-7362-05EC-75C265121C8F} - c:\program files\arcsoft\photoimpression\scfnp32.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
  • 0

Advertisements


#2
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Please don't try to delete devldr32.exe because it's legit. First we have to clean your system because you aren't clean yet! Maybe the 'devldr32.exe problem' is over after the clean up, we'll have a look!

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Make sure all hidden files and folders are visible (Instructions )

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Scan again with HijackThis and check the following items:

O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O21 - SSODL: System - {153D824B-C013-4C51-8614-E3D6582102F9} - vr_sys.dll (file missing)

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Find and delete these files and folders (if they are still there):
C:\WINDOWS\System32\cssrs.exe <= this file (DON'T confuse it with csrss.exe)
C:\WINDOWS\iccontrol.exe <= this file

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan.
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt (C:\smitfiles.txt) log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Edited by didom, 05 August 2005 - 09:02 AM.

  • 0

#3
cheeky_ninja

cheeky_ninja

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
cheeeeeeeers Didom all of the logs will be at the bottom but as far as i can see it is all working again ;) and the devldr32 problem has dissapeared :) cheers mate :tazz:, urm yeah, here are all of the logs:

Logfile of HijackThis v1.99.1
Scan saved at 17:46:53, on 05/08/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7C73EEF-3234-4D45-9149-6A9E20888F8D}: NameServer = 195.92.195.95 195.92.195.94
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_8.dll
O21 - SSODL: System - {153D824B-C013-4C51-8614-E3D6582102F9} - vr_sys.dll (file missing)
O21 - SSODL: ArcSoft PhotoImpression 3.0 - {C5D75B76-55C3-7362-05EC-75C265121C8F} - c:\program files\arcsoft\photoimpression\scfnp32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe


smitRem log file
version 2.2

by noahdfear

The current date is: 05/08/2005
The current time is: 17:49:48.76

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 18:48:13, 05/08/2005
+ Report-Checksum: 955742E1

+ Scan result:

C:\Program Files\ArcSoft\PhotoImpression\scfnp32.dll -> TrojanDownloader.Murlo.ar : Ignored
[712] C:\WINDOWS\System32\abirvalg32.dll -> TrojanProxy.Small.cn : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0J23MN6P\loadppc[1].exe -> TrojanDropper.Small.abx : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfk4gpcpmlq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfk4olczgdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfk4qkcjgao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfk4qod5kbo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfk4wodjsep.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfkiggc5edp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfkiqmcjmbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfkishajogq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfkishcjkfo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfkiwjajeao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfkiwkcjkep.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfkiwpdzsbp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfkoaocpsfo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfkoomdzmlp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfkyggd5ikp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfkysoajwaq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfl4eocpwdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfl4kmczsho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wflialazefq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wflichdpsgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wflikpcjkkp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wflouhdzmkq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfmiqldzmgo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfmiwocjcco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wfmyumcpido.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wgkigpazigp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wgkiopcpwcp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wgkiqkczmkp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjk4cpczceq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjk4eocpgap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjk4okc5gbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjkocmcpkkp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjkoslcpifo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjkykicpoho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjl4gocpwap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjl4wgcpiap.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjl4wkcjcbo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjlicmcpebq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjliemcpwhp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjlikjdpolq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjlikpdzggp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjlisicjacp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjliwmdjodp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjliwpd5wgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjloepdzmlo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjlokkcpegq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjlosjd5sbq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjlouhczshp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjlykidpmgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjlyqmajcgo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjlysid5odo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjlysjdjacq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjlyulcjekq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmiagazeeo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmiakazalo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmialazcgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmigic5kep.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmignazckp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmiqnazsgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmispazeao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmiwiazaho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmyekczego.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmyemczwho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmyghdjwdq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmygjcjsdo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmygkdpseo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmyqmdjolo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmywicpmgp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjmywoajshp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@e-2dj6wjnyqocpibp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@service.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Local Settings\Temporary Internet Files\Content.IE5\OHINODAV\latest[1].exe -> Trojan.Crypt.i : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Local Settings\Temporary Internet Files\Content.IE5\OHINODAV\latest[2].exe -> Trojan.Crypt.i : Cleaned with backup
C:\RECYCLER\S-1-5-21-1229272821-261903793-682003330-1004\Dc1.exe -> TrojanSpy.PdPinch : Cleaned with backup
C:\WINDOWS\svchost.exe -> TrojanDownloader.Small.bdz : Cleaned with backup
C:\WINDOWS\system32\abc.exe -> TrojanSpy.LdPinch.os : Cleaned with backup
C:\WINDOWS\system32\abirvalg32.dll -> TrojanProxy.Small.cn : Cleaned with backup
C:\WINDOWS\system32\kernels32.exe -> TrojanDownloader.Small.agq : Cleaned with backup
C:\WINDOWS\system32\latest.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\system32\shell.exe -> Trojan.VB.z : Cleaned with backup
C:\WINDOWS\system32\symcsvc.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\system32\~update.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\vr_sys.dll -> TrojanSpy.LdPinch.os : Cleaned with backup


::Report End

and finally pandascan


Incident Status Location

Adware:Adware/CWS No disinfected C:\WINDOWS\System32\chp.dll
Adware:Adware/Troyanov No disinfected C:\WINDOWS\System32\dcom_8.dll
Adware:adware/troyanov No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\WINDOWS\system32\chp.dll
Adware:Adware/Troyanov No disinfected C:\WINDOWS\system32\dcom_7.dll
Adware:Adware/Troyanov No disinfected C:\WINDOWS\system32\dcom_8.dll
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050730-165907.backup
  • 0

#4
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
That's great! But you aren't clean yet. So please follow every step and maybe you should print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Click Start>Run, type services.msc into the Open: text box and click the Ok button.
  • In the Services window look for the svchost.exe (moto) service and double-click on it.
  • Click on the Stop button
  • In the Startup type dropdown box select Disabled
  • Click Apply button and then the Ok button.
  • Please run HijackThis and click Config -> Misc Tools -> Delete an NT service.
  • In the Delete window, type moto and press OK.
  • OK any prompts, close HijackThis, and restart your computer.
Scan again with HijackThis and check the following items:

O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - (no file)
03 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_8.dll
O21 - SSODL: System - {153D824B-C013-4C51-8614-E3D6582102F9} - vr_sys.dll (file missing)
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Make sure all hidden files and folders are visible (Instructions )
Reboot your computer into safe mode (Instructions)

Find and delete these files and folders (if they are still there):
C:\WINDOWS\System32\dcom_8.dll <= this file
C:\WINDOWS\system32\dcom_7.dll<= this file
C:\WINDOWS\System32\chp.dll <= this file
C:\WINDOWS\iccontrol.exe <= this file
C:\WINDOWS\svchost.exe <= this file


Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.


Then run Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot into normal mode.

Then, please run this online virus scan:
ActiveScan

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan and a new HiJackThis log.

Let me know if any problems persist.
  • 0

#5
cheeky_ninja

cheeky_ninja

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
cheers again, chp.dll wouldnt delete but i used hijackthis to delete it upon reboot.

activescan found a file, c:\ProgramFiles\Arcsoft\Photoimpression\scfnp32.dll, this is a legitimate file so i chose to ignore it, just thought id say.

Also when deleting c:\Windows\svchost.exe, it was absent so i assume HJT had deleted it through the previous steps, cheers again :tazz:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 16:52:04, 06/08/2005
+ Report-Checksum: 91A2E4C3

+ Scan result:

C:\Program Files\ArcSoft\PhotoImpression\scfnp32.dll -> TrojanDownloader.Murlo.ar : Ignored
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@bs.serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Sharyn Robinson\Cookies\sharyn robinson@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup


::Report End

ActiveScan:

Incident Status Location

Virus:Trj/Qhost.gen Disinfected C:\Documents and Settings\Sharyn Robinson\Local Settings\Temp\DCF.tmp
Virus:Trj/Qhost.gen Disinfected C:\Documents and Settings\Sharyn Robinson\Local Settings\Temp\DD0.tmp
Adware:Adware/CWS No disinfected C:\WINDOWS\system32\chp.dll
and a new hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 17:37:18, on 06/08/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7C73EEF-3234-4D45-9149-6A9E20888F8D}: NameServer = 195.92.195.95 195.92.195.94
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
  • 0

#6
cheeky_ninja

cheeky_ninja

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
by the way i forgot 2 say im going on holiday tomorrow so i wont be able to check this for 2 weeks, cheers for your help mate :tazz:
  • 0

#7
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Did you tried to delete chp.dll in safe mode? Because you have to be able to delete the file in safe mode :tazz:

Make sure all hidden files and folders are visible (Instructions )

Please go to this site: http://virusscan.jotti.org/
On top you'll find "File to upload and scan".
Browse to the next file, submit ith on that site and let it scan:

c:\ProgramFiles\Arcsoft\Photoimpression\scfnp32.dll

Several scanning engines will be used to check the file for any threats. Please post the results of the scans back here.


Reboot your computer into safe mode (Instructions)

Find and delete these files and folders (if they are still there):
C:\WINDOWS\system32\chp.dll <= this file

Reboot your computer back into normal mode and do another scan with PandaActiveScan post the results in your next reply.

Let me know if any problems persist.

Edited by didom, 06 August 2005 - 11:03 AM.

  • 0

#8
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP