trojan-spy [RESOLVED]



#1
sosaman20

hey, new to geeks to go, can you help me get rid of the trojan spy malware? i can't run any programs in normal mode, only in safe mode. i have norton antivirus on the infected computer but the definitions are over a year old so that can't help and it won't allow me to install AVG (another antivirus software) in safe mode. i have already downloaded and run smitrem, and did as it said to do in other posts, but i don't know where to go from here. the computer was my sister's, who did not know anything about anything at all, and had downloaded many viruses that i have deleted with the help of norton. i have also installed spybot, ad-aware, and cwshredder, and have deleted about 1700 problems combined with all three programs. is it just me, or is that a lot!!!!! anyway, please help, don't know where to go from here!!!!!!!!!! this is such a great website!!!

#2
kool808

Hello and welcome to Geeks to Go! :tazz: I'm kool808 and I will be helping you today.

We'll need you to use a free diagnostic tool [ HiJackThis ], read the short tutorial [ HERE ]

Then post the results of the scan here.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! I will be along to tell you what steps to take after you post the contents of the scan results.

In the event you cannot download it then you have to use another computer then transfer it to your PC.  If you are not able to run it through desktop or C:\HJT then you have to use the Task Manager, available through CTRL+ALT+DELETE then choose New Task.



#3
sosaman20

here is the log from the hijackthis program. i appreciate your quick reply and for the help!

Logfile of HijackThis v1.99.1
Scan saved at 1:30:12 PM, on 8/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msCMTSrvc.exe
C:\WINDOWS\taskbarmngr.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Eq platform heck\open up.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\mspn32.exe
C:\WINDOWS\System32\msfirewalls.exe
C:\WINDOWS\System32\combop.exe
C:\WINDOWS\System32\combo.exe
C:\WINDOWS\System32\directCC.exe
C:\WINDOWS\System32\mdhoader.exe
C:\WINDOWS\System32\ggnsdkva.exe
C:\WINDOWS\System32\makif70n.exe
C:\WINDOWS\System32\HPPhotoManager.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HIDE CAST] C:\Program Files\Eq platform heck\open up.exe
O4 - HKLM\..\Run: [requester] "C:\WINDOWS\System32\requester.10.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Owner\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [HP Photo Manager] HPPhotoManager.exe
O4 - HKLM\..\Run: [Windows Processe Manager] mspn32.exe
O4 - HKLM\..\Run: [USB Updates] msfirewalls.exe
O4 - HKLM\..\Run: [Component Windows] C:\WINDOWS\System32\lpqysvr.exe
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O4 - HKLM\..\Run: [Windows SP4] directCC.exe
O4 - HKLM\..\Run: [v3mQ37h] mdhoader.exe
O4 - HKLM\..\Run: [Microsoft Windows Update XP64] ggnsdkva.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [HP Photo Manager] HPPhotoManager.exe
O4 - HKLM\..\RunServices: [Windows Processe Manager] mspn32.exe
O4 - HKLM\..\RunServices: [USB Updates] msfirewalls.exe
O4 - HKLM\..\RunServices: [Windows SP4] directCC.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update XP64] ggnsdkva.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [e054RXNqg] makif70n.exe
O4 - HKCU\..\Run: [HP Photo Manager] HPPhotoManager.exe
O4 - HKCU\..\Run: [Windows Processe Manager] mspn32.exe
O4 - HKCU\..\Run: [USB Updates] msfirewalls.exe
O4 - HKCU\..\Run: [Windows SP4] directCC.exe
O4 - HKCU\..\Run: [Microsoft Windows Update XP64] ggnsdkva.exe
O4 - HKCU\..\RunServices: [Windows Processe Manager] mspn32.exe
O4 - HKCU\..\RunServices: [Microsoft Windows Update XP64] ggnsdkva.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DE7190F0-EB58-48D8-80A9-5B597E31099E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DE7190F0-EB58-48D8-80A9-5B597E31099E} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: Remote Component - {7A07E1F5-154F-4C08-B796-3DCBF6A9FF59} - C:\WINDOWS\System32\avicxsst.dll
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe

#4
kool808

Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.

++++++++ STEP 1 ++++++++
Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Open Ad-Aware SE 1.06, follow these download and setup instructions, check for updates:
Ad-Aware SE Setup
Do NOT run the scan yet!

Download CleanUp
Install the program, don't run it yet, we will later.

Please download this file: Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

Download dsrfix.zip
Save it to your desktop.
  • Unzip dsrfix.zip and extract it to your desktop.
  • This will create a new folder on your desktop named dsrfix.
  • Do Not open that folder yet.
++++++++ STEP 2 ++++++++
To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, start tapping the F8 key.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

++++++++ STEP 3 ++++++++
  • Uninstallation
    We need to uninstall the following programs:
  • Go to Control Panel > Add/Remove Programs
  • Please locate if they exist
    • Flash Enhancer or Fln
    • Ebates MoeMoneyMaker
  • Click Uninstall
  • Confirm with OK
++++++++ STEP 4 ++++++++
Open Ad-aware and do a full scan. Remove all it finds.

++++++++ STEP 5 ++++++++
Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
++++++++ STEP 6 ++++++++
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or files(s) if they exist (in bold):
  • C:\Program Files\Fln\ <-- whole folder
  • C:\Program Files\Ebates_MoeMoneyMaker\ <-- whole folder
  • C:\WINDOWS\System32\requester.10.exe
  • C:\Program Files\Common Files\Java\flncpy.exe
  • C:\DOCUME~1\Owner\LOCALS~1\Temp\27.exe <-- this could be a folder / just a file
  • C:\WINDOWS\System32\lpqysvr.exe
  • C:\WINDOWS\System32\spoolsrv32.exe
  • C:\WINDOWS\sdktemp.exe
  • C:\WINDOWS\taskbarmngr.exe
  • C:\WINDOWS\System32\mspn32.exe
  • C:\WINDOWS\System32\msfirewalls.exe
  • C:\WINDOWS\System32\combop.exe
  • C:\WINDOWS\System32\combo.exe
  • C:\WINDOWS\System32\directCC.exe
  • C:\WINDOWS\System32\mdhoader.exe
  • C:\WINDOWS\System32\ggnsdkva.exe
  • C:\WINDOWS\System32\makif70n.exe
  • C:\WINDOWS\System32\HPPhotoManager.exe
Finally, Empty Recycle Bin

++++++++ STEP 7 ++++++++
Now scan with HJT and place a checkmark next to each of the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll

O4 - HKLM\..\Run: [requester] "C:\WINDOWS\System32\requester.10.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Owner\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [HP Photo Manager] HPPhotoManager.exe
O4 - HKLM\..\Run: [Windows Processe Manager] mspn32.exe
O4 - HKLM\..\Run: [USB Updates] msfirewalls.exe
O4 - HKLM\..\Run: [Component Windows] C:\WINDOWS\System32\lpqysvr.exe
O4 - HKLM\..\Run: [combop.exe] combop.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O4 - HKLM\..\Run: [Windows SP4] directCC.exe
O4 - HKLM\..\Run: [v3mQ37h] mdhoader.exe
O4 - HKLM\..\Run: [Microsoft Windows Update XP64] ggnsdkva.exe
O4 - HKLM\..\RunServices: [HP Photo Manager] HPPhotoManager.exe
O4 - HKLM\..\RunServices: [Windows Processe Manager] mspn32.exe
O4 - HKLM\..\RunServices: [USB Updates] msfirewalls.exe
O4 - HKLM\..\RunServices: [Windows SP4] directCC.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update XP64] ggnsdkva.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [e054RXNqg] makif70n.exe
O4 - HKCU\..\Run: [HP Photo Manager] HPPhotoManager.exe
O4 - HKCU\..\Run: [Windows Processe Manager] mspn32.exe
O4 - HKCU\..\Run: [USB Updates] msfirewalls.exe
O4 - HKCU\..\Run: [Windows SP4] directCC.exe
O4 - HKCU\..\Run: [Microsoft Windows Update XP64] ggnsdkva.exe
O4 - HKCU\..\RunServices: [Windows Processe Manager] mspn32.exe
O4 - HKCU\..\RunServices: [Microsoft Windows Update XP64] ggnsdkva.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe



Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

++++++++ STEP 8 ++++++++
Now open the folder dsrfix on your desktop.
  • Double-Click on dsrfix.bat
  • A window will pop up briefly then close, this is normal.
Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK

++++++++ STEP 9 ++++++++
Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
++++++++ STEP 10 ++++++++
Finally, restart your computer back into Normal Mode. Have an on-line scan at this site: Panda Scan. Save the results, then post them along with a new HJT log, as well as the ewido report log from the Ewido scan, by using Add Reply.

#5
sosaman20

here is my hijackthis log


Logfile of HijackThis v1.99.1
Scan saved at 4:34:13 PM, on 8/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Eq platform heck\open up.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HIDE CAST] C:\Program Files\Eq platform heck\open up.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [Windows SP4] directCC.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Component Windows] C:\WINDOWS\System32\lpqysvr.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Windows Processe Manager] mspn32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {DE7190F0-EB58-48D8-80A9-5B597E31099E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DE7190F0-EB58-48D8-80A9-5B597E31099E} - (no file) (HKCU)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: Remote Component - {7A07E1F5-154F-4C08-B796-3DCBF6A9FF59} - C:\WINDOWS\System32\avicxsst.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)



and here is my log from ewido
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:20:24 PM, 8/7/2005
+ Report-Checksum: B0C7DE2B

+ Scan result:

HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\vw5a1JcgXPLX -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\vw5s1JcgXPLX -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\BPT -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\135.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\136.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\137.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\138.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\144.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\27.exe -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\28.exe -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\64.exe -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF} -> Spyware.eXact : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\UnawareObj.UnawareObj -> Spyware.FlashTrack : Cleaned with backup
HKLM\SOFTWARE\Classes\UnawareObj.UnawareObj\CurVer -> Spyware.FlashTrack : Cleaned with backup
HKLM\SOFTWARE\DInstaller2 -> Spyware.BroadCastPC : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKU\.DEFAULT\Software\Ceres -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-2539188619-950421699-3683211137-1003\Software\Bundles -> Spyware.SecondThought : Cleaned with backup
HKU\S-1-5-18\Software\Ceres -> Spyware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__flsmngr.dll -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End

the computer i am working on does not have internet access so is there an alternative to using the panda scan? or how can i hook it up so it is connected to the net for the panda scan? other than that, the instructions have run smoothly.

P.S. i am not from the philippines, i am from the midwestern part of the USA

#6
kool808


If you're having trouble connecting to the Internet, try running the WinSockFix utility to repair your connection:

Download this from another computer then transfer it to your PC then run WinSockXPFix.


This will bring back your internet connections.

Download Lavasoft's VX2 Cleaner plug-in HERE
  • Install the VX2 Cleaner
  • Start Ad-Aware SE
  • Go to "Plug-ins"
  • Select the VX2 Cleaner plug-in and click "Run Plugin"
  • If your computer isn't infected, click "Close".
If your computer is infected
  • Select "Clean system"
  • Reboot your computer
  • Scan your computer with Ad-Aware
  • Remove any VX2 objects detected
  • Reboot your computer again
  • Run a second scan to make sure the files have been removed from your computer
Reboot your PC.

Let me know how this goes. I will be back tonight; I have a very important schedule today. :tazz:

#7
sosaman20

i downloaded and ran the add on to adaware and it said that my system was clean. i had to run it in safe mode because adaware wouldn't run in normal mode. i also clicked on the search button and it said that, like, it wouldn't work or that it couldn't be found. i don't know what was up with that. during that time of me cleaning out some of the malware on the computer, it cleaned out about 25,000 files, is this normal? also, the computer no longer has an internet connection, the service is expired and my sister won't renew it. that is my status as of now.

#8
kool808


If you're having trouble connecting to the Internet, try running the WinSockFix utility to repair your connection:

Download this from another computer then transfer it to your PC then run http://www.geekstogo.com/modules.php?modid...n=download&id=7.


That should bring back your internet connections.


Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Do NOT run it yet.

Reboot in SAFE MODE. (How to boot in Safe Mode...)

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
  • Uninstallation
    We need to uninstall the following programs:
  • Go to Control Panel > Add/Remove Programs
  • Please locate if they exist
    • Eq platform heck
  • Click Uninstall
  • Confirm with OK
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or files(s) if they exist (in bold):
  • C:\Program Files\Eq platform heck\ <-- whole folder
  • C:\Program Files\Common Files\Java\bptre.exe
  • C:\WINDOWS\System32\directCC.exe <-- if you can't find this file, please have a search for it
  • C:\WINDOWS\System32\lpqysvr.exe
  • C:\WINDOWS\System32\mspn32.exe <-- if you can't find this file, please have a search for it
  • C:\WINDOWS\System32\avicxsst.dll
  • C:\WINDOWS\taskbarmngr.exe
Finally, Empty Recycle Bin

Please close all remaining windows, open HijackThis then click SCAN. Please put a check on the following items listed below:

O4 - HKLM\..\Run: [HIDE CAST] C:\Program Files\Eq platform heck\open up.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [Windows SP4] directCC.exe
O4 - HKLM\..\Run: [Component Windows] C:\WINDOWS\System32\lpqysvr.exe
O4 - HKCU\..\RunServices: [Windows Processe Manager] mspn32.exe

O21 - SSODL: Remote Component - {7A07E1F5-154F-4C08-B796-3DCBF6A9FF59} - C:\WINDOWS\System32\avicxsst.dll
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)


Make sure to double check the items you have selected, then click Fix Checked.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Go to Start > Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below services:

Windows Taskbar Manager

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

wtaskbarmngr

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

Post a new HiJackThis log after it reboots and let me know if you received any error messages.
  • Open HijackThis
  • Go to Config, then Misc Tools
  • Open Uninstall Manager, then click Save List...
  • Post the results here
  • Close HJT
Open up NOTEPAD, then copy & paste the following commands. Save it to the desktop as findpf.bat, with the file type set to "All Files".

@echo off
rem Write the list of folders under Program Files to pflist.txt, then open it.
rem %SystemDrive% is the drive Windows is installed on (normally C:).
cd\
dir %SystemDrive%\PROGRA~1 > pflist.txt
notepad pflist.txt

Now on your desktop double-click findpf.bat then post the results in your next reply.
(NOTE: You can delete this file afterwards.)

#9
sosaman20

Hi, I ran through your plan of attack for me today, and it was going smoothly until I got to the part where it said to exit Ewido and go to Run and type in services.msc. It could not find the file specified, and basically an error message came up. I don't know if that means that it is deleted, or what that meant. I still can't use the search option for looking for files, and I still can't run files in normal mode, like Ad-Aware. Anyway, here are the 2 logs you requested me to give you...


Logfile of HijackThis v1.99.1
Scan saved at 1:29:41 PM, on 8/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HIDE CAST] C:\Program Files\Eq platform heck\open up.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [Windows SP4] directCC.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Component Windows] C:\WINDOWS\System32\lpqysvr.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Windows Processe Manager] mspn32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {DE7190F0-EB58-48D8-80A9-5B597E31099E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DE7190F0-EB58-48D8-80A9-5B597E31099E} - (no file) (HKCU)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: Remote Component - {7A07E1F5-154F-4C08-B796-3DCBF6A9FF59} - C:\WINDOWS\System32\avicxsst.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)





smitRem log file
version 2.2

by noahdfear

The current date is: Mon 08/08/2005
The current time is: 13:00:50.43

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!

#10
kool808

You have NOT posted the uninstall list or the pflist.txt, nor the reports from Ewido. You can review it in post #8 of this topic.

Oh boy this one is a toughie, so let us dig deeper. Let us have some diagnostics.

Please DO NOT miss this log. Very important.

* Please right-click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.


#11
sosaman20

OK, I think I finally have the posts you want. It still wouldn't let me go to Run and type in services.msc, so the HijackThis program for that didn't work for the taskbar manager. I still also can't search for a file. Anyway, here are the logs.




Volume in drive C is PRESARIO
Volume Serial Number is 64D7-0EAD

Directory of C:\PROGRA~1

08/08/2005 01:20 PM <DIR> .
08/08/2005 01:20 PM <DIR> ..
01/12/2005 02:36 PM <DIR> Adobe
08/02/2005 09:33 AM <DIR> Aprps
01/25/2003 05:31 AM <DIR> AWS
03/29/2005 12:25 AM <DIR> Bpt
08/20/2003 01:31 PM <DIR> Britannica 2003
08/07/2005 04:04 PM <DIR> CleanUp!
01/24/2003 10:22 AM <DIR> Coloreal
07/31/2005 07:17 PM <DIR> Common Files
01/24/2003 09:04 AM <DIR> ComPlus Applications
01/30/2005 08:30 PM <DIR> Corel
01/24/2003 10:32 AM <DIR> CpqFeatures
01/31/2004 05:07 PM <DIR> directx
08/01/2005 10:57 AM <DIR> Encarta Online
08/07/2005 12:34 PM <DIR> ewido
07/31/2005 12:36 PM <DIR> Hewlett-Packard
08/21/2003 10:50 AM <DIR> hp deskjet 3420 series
07/29/2005 10:06 AM <DIR> Infogrames Interactive
01/24/2003 10:16 AM <DIR> IntelliMoverDemo
08/02/2005 09:56 AM <DIR> Internet Explorer
01/24/2003 10:07 AM <DIR> InterVideo
01/24/2003 10:28 AM <DIR> Java
01/24/2003 10:29 AM <DIR> Java Web Start
01/24/2003 10:31 AM <DIR> JavaSoft
08/02/2005 09:44 AM <DIR> Lavasoft
03/27/2005 10:00 PM <DIR> Messenger
01/24/2003 09:07 AM <DIR> microsoft frontpage
01/24/2003 10:20 AM <DIR> Microsoft Money
01/24/2003 10:20 AM <DIR> Microsoft Office
02/01/2005 07:24 PM <DIR> Microsoft Picture It! 7
01/24/2003 10:22 AM <DIR> Microsoft Works
02/05/2003 07:19 PM <DIR> Movie Maker
07/27/2005 04:23 PM <DIR> MSN
01/24/2003 09:03 AM <DIR> MSN Gaming Zone
01/27/2005 04:42 PM <DIR> MUSICMATCH
01/11/2005 08:39 PM <DIR> NetMeeting
01/24/2003 10:27 AM <DIR> Netscape
09/16/2003 12:48 PM <DIR> Norton AntiVirus
01/24/2003 10:36 AM <DIR> OEMLink
02/05/2003 07:19 PM <DIR> Outlook Express
01/24/2003 10:42 AM <DIR> PC-Doctor
01/27/2005 04:40 PM <DIR> Philips
01/24/2003 10:18 AM <DIR> Quicken
03/23/2005 09:10 PM <DIR> QuickTime
01/24/2003 10:10 AM <DIR> Real
01/24/2003 10:09 AM <DIR> RecordNow
08/20/2003 01:39 PM <DIR> Sierra On-Line
01/24/2003 10:46 AM <DIR> Sonic
08/01/2005 08:38 PM <DIR> Spybot - Search & Destroy
05/18/2003 12:52 PM <DIR> Symantec
01/24/2003 10:09 AM <DIR> VERITAS Software
01/24/2003 10:30 AM <DIR> Viewpoint
12/02/2004 09:52 PM <DIR> Windows Media Player
02/05/2003 07:19 PM <DIR> Windows NT
01/24/2003 09:07 AM <DIR> xerox
0 File(s) 0 bytes
56 Dir(s) 70,370,623,488 bytes free





---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:20:24 PM, 8/7/2005
+ Report-Checksum: B0C7DE2B

+ Scan result:

HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\vw5a1JcgXPLX -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\vw5s1JcgXPLX -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\BPT -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\135.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\136.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\137.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\138.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\144.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\27.exe -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\28.exe -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\64.exe -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF} -> Spyware.eXact : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\UnawareObj.UnawareObj -> Spyware.FlashTrack : Cleaned with backup
HKLM\SOFTWARE\Classes\UnawareObj.UnawareObj\CurVer -> Spyware.FlashTrack : Cleaned with backup
HKLM\SOFTWARE\DInstaller2 -> Spyware.BroadCastPC : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKU\.DEFAULT\Software\Ceres -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-2539188619-950421699-3683211137-1003\Software\Bundles -> Spyware.SecondThought : Cleaned with backup
HKU\S-1-5-18\Software\Ceres -> Spyware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__flsmngr.dll -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End






"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NVIEW" = "rundll32.exe nview.dll,nViewLoadHook" [MS]
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"nwiz" = "nwiz.exe /installquiet /keeploaded" ["NVIDIA Corporation"]
"PS2" = "C:\WINDOWS\system32\ps2.exe" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe" ["HP"]
"MMTray" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" ["MUSICMATCH, Inc."]
"QuickFinder Scheduler" = ""C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"" ["Novell, Inc., c/o Corel Corporation Limited"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{243B17DE-77C7-46BF-B94B-0B5F309A0E64}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{d0e04dfd-9185-49bd-b3a8-cdefa63f810a}" = "Philips RUSH Audio Player (128 MB)Shell Hook"
-> {CLSID}\InProcServer32\(Default) = "PHIL16Ah.dll" ["Copyright © 2003, Koninklijke Philips"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
QuickFinderMenu\(Default) = "{C0E10002-0028-0003-C0E1-C0E1C0E1C0E1}"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Corel\WordPerfect Office 2002\PROGRAMS\PFSE100.DLL" ["Novell, Inc., c/o Corel Corporation Limited"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

D:\
INFECTION WARNING! D:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"]


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


Enabled Scheduled Tasks:
------------------------

"FRU Task #Hewlett-Packard#Deskjet#3420" -> launches: "C:\Program Files\Hewlett-Packard\upapp\hpqfruv.exe -I "#Hewlett-Packard#Deskjet#3420"" [empty string]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{DE7190F0-EB58-48D8-80A9-5B597E31099E}\
"ButtonText" = "Microsoft AntiSpyware helper"
"MenuText" = "Microsoft AntiSpyware helper"

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{DD6687B5-CB43-4211-BFC9-2942CCBDCB3E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 114 seconds, including 18 seconds for message boxes)



Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0
CleanUp!
Coloreal
FlashTrack Uninstall
HijackThis 1.99.1
hp deskjet 3420 series (Remove only)
hp instant support
Inactive HP Printer Drivers (Remove only)
Intel® Extreme Graphics Driver Software
IntelliMover Data Transfer Demo
InterVideo WinDVD Player
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment, SE v1.4.0_01
Java Web Start
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft Learning and Research Plus Support Files
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Picture It! Express 7.0
Microsoft Works 7.0
MUSICMATCH Jukebox
Norton AntiVirus 2003
NVIDIA Windows 2000/XP Display Drivers
PC-Doctor for Windows
Philips RUSH Audio Player (128 MB)
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2003 New User Edition
QuickTime
RealOne Player
RecordNow
RecordNow Update Manager
S3Display
S3Gamma2
S3Info2
S3Overlay
Simple Installer - Multilanguage Version
Spybot - Search & Destroy 1.3
upapp
Viewpoint Media Player (Remove Only)
VX2 Cleaner plug-in for Ad-Aware SE
Window Searching
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix (SP2) [See q330638 for more information]
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q331958
Windows XP Hotfix (SP2) Q811789
WordPerfect Office 2002 Trial
WordPerfect Office 2002 Trial

#12
kool808

Reboot in SAFE MODE. (How to boot in Safe Mode...)

Uninstall these programs:

Viewpoint Media Player (Remove Only) - this is foistware: it installs itself on your system without your permission.
FlashTrack Uninstall

Then delete these folders:

C:\Program Files\Aprps\ <-- whole folder
C:\Program Files\Viewpoint\ <-- whole folder

Then empty the Recycle Bin.

Reboot back in NORMAL MODE.

The first diagnostics did not find any evidence, so let us try another one:

Please download RootKitRevealer from here:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.

Post a new HijackThis log as well.

#13
sosaman20

Here is the hijack log and the other log you wanted to see. One time when I ran the other program, it returned nothing, so I ran it again and it only found the one file. Then I ran it again, and it found over 4000 files, but it wouldn't let me save it, so I ran it again and it only found one, so I posted the only one I could save.


Logfile of HijackThis v1.99.1
Scan saved at 10:23:36 PM, on 8/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {DE7190F0-EB58-48D8-80A9-5B597E31099E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DE7190F0-EB58-48D8-80A9-5B597E31099E} - (no file) (HKCU)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)




D: 0 bytes Error mounting volume
  • 0
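Whether a fix list actually took effect can be checked mechanically against a later log instead of by eye. The script below is an added example, not part of any post in this thread and not a HijackThis feature: it parses HijackThis item lines and reports which fix-list items are still present, using lines excerpted from the 8/8/2005 and 8/9/2005 logs above (the function and variable names are assumptions of this example).

```python
import re

# A HijackThis item line is "<section code> - <details>", e.g. "O4 - HKLM\..\Run: ...".
# Header lines and the paths under "Running processes:" do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Items the helper asked to be checked and fixed (copied from the thread).
FIX_LIST = r"""
O4 - HKLM\..\Run: [HIDE CAST] C:\Program Files\Eq platform heck\open up.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [Windows SP4] directCC.exe
O4 - HKLM\..\Run: [Component Windows] C:\WINDOWS\System32\lpqysvr.exe
O4 - HKCU\..\RunServices: [Windows Processe Manager] mspn32.exe
O21 - SSODL: Remote Component - {7A07E1F5-154F-4C08-B796-3DCBF6A9FF59} - C:\WINDOWS\System32\avicxsst.dll
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
"""

# Excerpt of the 8/8/2005 log, which still lists all seven fix-list items.
LOG_AUG8 = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:29:41 PM, on 8/8/2005
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
""" + FIX_LIST

# Excerpt of the 8/9/2005 log.
LOG_AUG9 = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:23:36 PM, on 8/9/2005

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
"""


def parse_entries(log_text):
    """Return the (code, details) item lines of a HijackThis log, in order."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group(1), match.group(2).strip()))
    return entries


def _key(entry):
    """Comparison key: ignore case and runs of whitespace (forum copy/paste noise)."""
    code, details = entry
    return (code, " ".join(details.split()).lower())


def check_fix(fix_list_text, later_log_text):
    """Split the fix list into (removed, remaining) relative to a later log."""
    later = {_key(e) for e in parse_entries(later_log_text)}
    removed, remaining = [], []
    for entry in parse_entries(fix_list_text):
        (remaining if _key(entry) in later else removed).append(entry)
    return removed, remaining


def orphaned(log_text):
    """Entries whose target HijackThis marked as '(file missing)' or '(no file)'."""
    return [e for e in parse_entries(log_text)
            if any(marker in e[1] for marker in ORPHAN_MARKERS)]


if __name__ == "__main__":
    for label, log in (("8/8/2005", LOG_AUG8), ("8/9/2005", LOG_AUG9)):
        removed, remaining = check_fix(FIX_LIST, log)
        print(f"{label}: {len(removed)} fixed, {len(remaining)} still present")
        for code, details in remaining:
            print(f"  still present: {code} - {details}")
    for code, details in orphaned(LOG_AUG9):
        print(f"orphaned on 8/9/2005: {code} - {details}")
```

On these excerpts, all seven items are still present on 8/8/2005, and only the O23 wtaskbarmngr service entry remains on 8/9/2005.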

#14
kool808

Download and install Registrar Lite version 2.00
  • Double click the purple Registrar Lite icon on your desktop.
  • Copy the line below and paste it into the "Address" field (located at the top) of the program:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

  • Click the "Go" button.
  • On the right-hand side it will load all of your BHOs (you'll just see a bunch of numbers)
  • Locate the following entries:

    • {0AD937E7-2F37-4873-A05E-548A67EF1D0E}
  • Right click on each one and select Properties
  • Click the Permissions Button and a new window will open.
  • Click the Advanced button
  • Place a checkmark next to the following:
    'Inherit from parent the permission entries that apply to child objects...'
  • Click OK, then OK again, and right-click on each of the following:
    {0AD937E7-2F37-4873-A05E-548A67EF1D0E}
  • Choose delete.
  • Exit Registrar Lite.
Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)


Make sure to double check the items you have selected, then click Fix Checked.

Click BACK, then click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service". A window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name; just copy & paste the entry below):

wtaskbarmngr

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

Post a new HiJackThis log after it reboots and let me know if you received any error messages.

#15
sosaman20

I downloaded that program and did what you said to do, but there was already a checkmark next to the 'Inherit from parent the permission entries that apply to child objects...' but I did as you said and deleted it. When I went to HJT, there was no "O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)", so I just checked the O23 - Service... But when I restarted, it was still on the system, as you can see in the HJT log. It wouldn't let me do anything in the config window either. It said that I had to disable it with services.msc, but since that doesn't work when I go to Start/Run, I don't know how else to disable it.






Logfile of HijackThis v1.99.1
Scan saved at 10:55:44 AM, on 8/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {DE7190F0-EB58-48D8-80A9-5B597E31099E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DE7190F0-EB58-48D8-80A9-5B597E31099E} - (no file) (HKCU)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
  • 0
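The check being done by eye in the two posts above, as an added Python example (not part of either post and not HijackThis's own code): it lists the entries HijackThis marks `(no file)` or `(file missing)` and reports which entries from a fix list are still present in a later log. The function names are hypothetical; the log lines are copied from the posts above.

```python
import re

# Subset of the HijackThis log posted above (copied from the thread).
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {DE7190F0-EB58-48D8-80A9-5B597E31099E} - (no file) (HKCU)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
"""
# The two entries the helper asked to have checked and fixed.
FIX_LIST = [
    r"O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)",
    r"O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)",
]

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
SERVICE = re.compile(r"^Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")

def orphaned_entries(log_text):
    """Return one dict per log entry whose target file HijackThis could not find."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        marker = next((k for k in ORPHAN_MARKERS if k in raw), None)
        if not m or not marker:
            continue
        guid = GUID.search(m["body"])
        svc = SERVICE.match(m["body"]) if m["code"] == "O23" else None
        findings.append({
            "code": m["code"],
            "marker": marker,
            "clsid": guid.group(0) if guid else None,
            # Short service name (the one typed into "Delete an NT Service").
            "service": (svc["name"] or svc["display"]) if svc else None,
            "owner": svc["owner"] if svc else None,
        })
    return findings

def verify_fix(fix_list, new_log):
    """Map each fix-list entry to True if it still appears in the new log."""
    present = {line.strip() for line in new_log.splitlines()}
    return {entry: entry in present for entry in fix_list}

if __name__ == "__main__":
    for f in orphaned_entries(SAMPLE_LOG):
        print(f)
    print(verify_fix(FIX_LIST, SAMPLE_LOG))
```

An entry flagged here only means its target file is missing; whether it should be removed is still a judgment for whoever is reviewing the log.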