Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

psgaurd [CLOSED]


  • This topic is locked This topic is locked

#1
rickcole

rickcole

    Member

  • Member
  • PipPip
  • 14 posts
I was surfing the internet when a popup came up that seems to have installed psgaurd. it changed my background and startup page and i am getting this error message consistently
"Internet Explorer cannot find active desktop html file"
it has slowed my computer and is making my life difficult.
any assistence would be much appreciated, thank you.
  • 0

Advertisements


#2
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and reply here with your log.

Most of what Hijack This lists lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

Edited by tampabelle, 26 August 2005 - 06:00 PM.

  • 0

#3
rickcole

rickcole

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
This is my hijack this log.
if i did something wrong please tell me im new at this


Logfile of HijackThis v1.99.1
Scan saved at 10:49:08 AM, on 8/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\ZANGO\ZANGO.EXE
C:\PROGRAM FILES\NDW\NDW.EXE
C:\PROGRAM FILES\WINDOWS SYNCROAD\SYNCROAD.EXE
C:\WINDOWS\TEMP\TQEQVSMKD.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\DMUSIC46.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\WINDOWS SYNCROAD\WINSYNC.EXE
C:\WINDOWS\SYSTEM\INTELL32.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\PROGRAM FILES\PRECISIONTIME\PRECISIONTIME.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\DATE MANAGER\DATEMANAGER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: Adult Search - {DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\QABAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: seriadui - {F284ADEC-32D5-38A5-F8E4-FC08A3EC7538} - C:\WINDOWS\SYSTEM\SERIADUI.DLL (file missing)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\PROGRAM FILES\ESYNDICATE\ESYN.DLL
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32V.DLL
O2 - BHO: (no name) - {02438CA1-165A-11DA-993C-000135422C67} - C:\WINDOWS\SYSTEM\CHEE.DLL (file missing)
O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\QABAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [zango] c:\program files\zango\zango.exe
O4 - HKLM\..\Run: [ndw] C:\Program Files\ndw\ndw.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\PROGRAM FILES\WINDOWS SYNCROAD\SYNCROAD.EXE
O4 - HKLM\..\Run: [TQEQVSMKD.EXE] C:\WINDOWS\TEMP\TQEQVSMKD.EXE
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [9e4e3120d750] C:\WINDOWS\SYSTEM\DMUSIC46.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Oawi] C:\WINDOWS\Application Data\dots.exe
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\SYSTEM\wcpcc.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMSERVICE_1051.dll,InstantAccess
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\EZSTUB.EXE
O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Sims\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Sims\PartyPoker.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com...eeddelivery.dll
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://infinity.n-ca...seInstaller.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo.../nethv32_EN.cab
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downlo...ervice_5_EN.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downlo...E_1051_pack.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downlo...UTH_1015_EN.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {99410CDE-6F16-42CE-9D49-3807F78F0287} (ZangoInstaller Class) - http://infinity.zang...b?productid=542
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://go-in-now.com/tl7000.dll
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downlo...netslv32_EN.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...092a8c949e20686
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateu...com/java/cr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: WebMaster ChatNow Client - http://68.16.242.2:8...ava/chatnow.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresp...p/TLIEFlash.CAB
O18 - Filter: text/html - {02438CA0-165A-11DA-993C-00015A0E89FC} - C:\WINDOWS\SYSTEM\CHEE.DLL
O18 - Filter: text/plain - {02438CA0-165A-11DA-993C-00015A0E89FC} - C:\WINDOWS\SYSTEM\CHEE.DLL
  • 0

#4
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Are you sure that your PC works ???? You have quite a good collection of infections to educate a college !!! lol

Good news - we can clean it all up. It will take a few iterations, so please be patient.


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.
  • 0

#5
rickcole

rickcole

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I do not know whether or not this a permanant problem, CWShredder link brings me to a page that "Cannot be Didplayed"
i will try the again tomorrow, but in case it just never comes up is there an alternative program?

i will try tomorrow though....i hope it works!!!!
  • 0

#6
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Just right click on the download links and then save the file on your PC.

Proceed with the fix to the extent possible. Complete it, even if you are not able to do certain part of the fix and then post back the requested logs and let me know if you have any issues with the fix.
  • 0

#7
rickcole

rickcole

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
how do i unzip programs?
  • 0

#8
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
You can download winzip from www.winzip.com
  • 0

#9
rickcole

rickcole

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Here is my current log, but a problem has arisen,
when i click on the shotcuts to the internet, I cannot access it. nothing shows up. in order to get a screen to show up, i had to get a link off of an email.

Logfile of HijackThis v1.99.1
Scan saved at 9:11:11 PM, on 8/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\ZANGO\ZANGO.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\NDW\NDW.EXE
C:\PROGRAM FILES\WINDOWS SYNCROAD\WINSYNC.EXE
C:\WINDOWS\SYSTEM\DMUSIC46.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\INTELL32.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PRECISIONTIME\PRECISIONTIME.EXE
C:\PROGRAM FILES\DATE MANAGER\DATEMANAGER.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\PROGRAM FILES\WINDOWS SYNCROAD\SYNCROAD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Adult Search - {DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\QABAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: seriadui - {F284ADEC-32D5-38A5-F8E4-FC08A3EC7538} - C:\WINDOWS\SYSTEM\SERIADUI.DLL (file missing)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\PROGRAM FILES\ESYNDICATE\ESYN.DLL
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32V.DLL
O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\QABAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [zango] c:\program files\zango\zango.exe
O4 - HKLM\..\Run: [ndw] C:\Program Files\ndw\ndw.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\PROGRAM FILES\WINDOWS SYNCROAD\SYNCROAD.EXE
O4 - HKLM\..\Run: [TQEQVSMKD.EXE] C:\WINDOWS\TEMP\TQEQVSMKD.EXE
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [9e4e3120d750] C:\WINDOWS\SYSTEM\DMUSIC46.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Oawi] C:\WINDOWS\Application Data\dots.exe
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\SYSTEM\wcpcc.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMSERVICE_1051.dll,InstantAccess
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunServices: [Oawi] C:\WINDOWS\Application Data\dots.exe
O4 - HKCU\..\RunServices: [WINT] C:\WINDOWS\SYSTEM\wcpcc.exe
O4 - HKCU\..\RunServices: [Instant Access] rundll32.exe EGCOMSERVICE_1051.dll,InstantAccess
O4 - HKCU\..\RunServices: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Sims\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Sims\PartyPoker.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com...eeddelivery.dll
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://infinity.n-ca...seInstaller.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo.../nethv32_EN.cab
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downlo...ervice_5_EN.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downlo...E_1051_pack.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downlo...UTH_1015_EN.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {99410CDE-6F16-42CE-9D49-3807F78F0287} (ZangoInstaller Class) - http://infinity.zang...b?productid=542
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://go-in-now.com/tl7000.dll
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downlo...netslv32_EN.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...092a8c949e20686
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateu...com/java/cr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: WebMaster ChatNow Client - http://68.16.242.2:8...ava/chatnow.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresp...p/TLIEFlash.CAB



is there any improvementt????????? I did everything i could
  • 0

#10
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi

Can you post the logs for these programs also -

About Buster
SpSeHjfix
  • 0

Advertisements


#11
rickcole

rickcole

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
here is my log


(8/29/05 7:55:13 PM) SPSeHjFix started v1.1.2
(8/29/05 7:55:13 PM) OS: Win98SE A (4.10.2222)
(8/29/05 7:55:13 PM) Language: english
(8/29/05 7:55:13 PM) Win-Path: C:\WINDOWS
(8/29/05 7:55:13 PM) System-Path: C:\WINDOWS\SYSTEM
(8/29/05 7:55:13 PM) Temp-Path: C:\WINDOWS\TEMP\
(8/29/05 7:55:25 PM) Disinfection started
(8/29/05 7:55:25 PM) Bad-Dll(IEP): c:\windows\temp\se.dll
(8/29/05 7:55:25 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\CHEE.DLL
(8/29/05 7:55:25 PM) Searchassistant Uninstaller - Keys Deleted
(8/29/05 7:55:25 PM) UBF: 6 - UBB: 5 - UBR: 34
(8/29/05 7:55:25 PM) FilterKey: HKCR\text/html (deleted)
(8/29/05 7:55:25 PM) FilterKey: HKCR\CLSID\{02438CA0-165A-11DA-993C-00015A0E89FC} (deleted)
(8/29/05 7:55:25 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(8/29/05 7:55:25 PM) FilterKey: HKCR\text/plain (deleted)
(8/29/05 7:55:25 PM) FilterKey: HKCR\CLSID\{02438CA0-165A-11DA-993C-00015A0E89FC} (error while deleting)
(8/29/05 7:55:25 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(8/29/05 7:55:25 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02438CA1-165A-11DA-993C-000135422C67} (deleted)
(8/29/05 7:55:25 PM) BHO-Key: HKCR\CLSID\{02438CA1-165A-11DA-993C-000135422C67} (deleted)
(8/29/05 7:55:25 PM) UBF: 4 - UBB: 4 - UBR: 34
(8/29/05 7:55:25 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\temp\se.dll/space.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(8/29/05 7:55:25 PM) Stealth-String not found
(8/29/05 7:55:25 PM) File added to delete: c:\windows\system\chee.dll
(8/29/05 7:55:25 PM) Reboot
(8/29/05 7:57:27 PM) SPSeHjFix 2nd Step
(8/29/05 7:57:28 PM) Stealth-String not present. Disinfection succesfully
(8/29/05 7:57:37 PM) Cleaned


(8/29/05 8:13:18 PM) SPSeHjFix started v1.1.2
(8/29/05 8:13:18 PM) OS: Win98SE A (4.10.2222)
(8/29/05 8:13:18 PM) Language: english
(8/29/05 8:13:18 PM) Win-Path: C:\WINDOWS
(8/29/05 8:13:18 PM) System-Path: C:\WINDOWS\SYSTEM
(8/29/05 8:13:18 PM) Temp-Path: C:\WINDOWS\TEMP\
(8/29/05 8:13:20 PM) Disinfection started
(8/29/05 8:13:20 PM) Bad-Dll(IEP): (not found)
(8/29/05 8:13:20 PM) Bad-Dll(IEP) in BHO: (not found)
(8/29/05 8:13:20 PM) UBF: 4 - UBB: 4 - UBR: 34
(8/29/05 8:13:20 PM) UBF: 4 - UBB: 4 - UBR: 34
(8/29/05 8:13:20 PM) Bad IE-pages: (none)
(8/29/05 8:13:20 PM) Stealth-String not found
(8/29/05 8:13:20 PM) Not infected->END


(8/29/05 8:13:49 PM) SPSeHjFix started v1.1.2
(8/29/05 8:13:49 PM) OS: Win98SE A (4.10.2222)
(8/29/05 8:13:49 PM) Language: english
(8/29/05 8:13:49 PM) Win-Path: C:\WINDOWS
(8/29/05 8:13:49 PM) System-Path: C:\WINDOWS\SYSTEM
(8/29/05 8:13:49 PM) Temp-Path: C:\WINDOWS\TEMP\
(8/29/05 8:13:51 PM) Disinfection started
(8/29/05 8:13:51 PM) Bad-Dll(IEP): (not found)
(8/29/05 8:13:51 PM) Bad-Dll(IEP) in BHO: (not found)
(8/29/05 8:13:51 PM) UBF: 4 - UBB: 4 - UBR: 34
(8/29/05 8:13:51 PM) UBF: 4 - UBB: 4 - UBR: 34
(8/29/05 8:13:51 PM) Bad IE-pages: (none)
(8/29/05 8:13:51 PM) Stealth-String not found
(8/29/05 8:13:51 PM) Not infected->END


(8/29/05 9:06:50 PM) SPSeHjFix started v1.1.2
(8/29/05 9:06:50 PM) OS: Win98SE A (4.10.2222)
(8/29/05 9:06:50 PM) Language: english
(8/29/05 9:06:50 PM) Win-Path: C:\WINDOWS
(8/29/05 9:06:50 PM) System-Path: C:\WINDOWS\SYSTEM
(8/29/05 9:06:50 PM) Temp-Path: C:\WINDOWS\TEMP\
(8/29/05 9:06:52 PM) Disinfection started
(8/29/05 9:06:52 PM) Bad-Dll(IEP): (not found)
(8/29/05 9:06:52 PM) Bad-Dll(IEP) in BHO: (not found)
(8/29/05 9:06:52 PM) UBF: 4 - UBB: 4 - UBR: 34
(8/29/05 9:06:52 PM) UBF: 4 - UBB: 4 - UBR: 34
(8/29/05 9:06:52 PM) Bad IE-pages: (none)
(8/29/05 9:06:52 PM) Stealth-String not found
(8/29/05 9:06:52 PM) Not infected->END




and i didn't get an aobut buster log, the first time i ran it my computer started acting funky so i just restearted it.
  • 0

#12
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp


2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Adult Search - {DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\QABAR.DLL
O2 - BHO: seriadui - {F284ADEC-32D5-38A5-F8E4-FC08A3EC7538} - C:\WINDOWS\SYSTEM\SERIADUI.DLL (file missing)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\PROGRAM FILES\ESYNDICATE\ESYN.DLL
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32V.DLL
O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\QABAR.DLL
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O4 - HKLM\..\Run: [zango] c:\program files\zango\zango.exe
O4 - HKLM\..\Run: [ndw] C:\Program Files\ndw\ndw.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\PROGRAM FILES\WINDOWS SYNCROAD\SYNCROAD.EXE
O4 - HKLM\..\Run: [TQEQVSMKD.EXE] C:\WINDOWS\TEMP\TQEQVSMKD.EXE
O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
O4 - HKLM\..\Run: [9e4e3120d750] C:\WINDOWS\SYSTEM\DMUSIC46.exe
O4 - HKCU\..\Run: [Oawi] C:\WINDOWS\Application Data\dots.exe
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\SYSTEM\wcpcc.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMSERVICE_1051.dll,InstantAccess
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunServices: [Oawi] C:\WINDOWS\Application Data\dots.exe
O4 - HKCU\..\RunServices: [WINT] C:\WINDOWS\SYSTEM\wcpcc.exe
O4 - HKCU\..\RunServices: [Instant Access] rundll32.exe EGCOMSERVICE_1051.dll,InstantAccess
O4 - HKCU\..\RunServices: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com...eeddelivery.dll
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://infinity.n-ca...seInstaller.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downlo...ervice_5_EN.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downlo...E_1051_pack.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downlo...UTH_1015_EN.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {99410CDE-6F16-42CE-9D49-3807F78F0287} (ZangoInstaller Class) - http://infinity.zang...b?productid=542
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://go-in-now.com/tl7000.dll
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downlo...netslv32_EN.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...092a8c949e20686
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Delete Rogue files

Run CleanUp and delete all temp files including temporary internet files

Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -

Top Text
Precision Time
Date Manager
GMT
Gain


Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

Folders
C:\PROGRAM FILES\SEP
C:\PROGRAM FILES\ESYNDICATE
c:\program files\zango
C:\Program Files\ndw
C:\Program Files\Web Offer
C:\Program Files\Common Files\GMT
C:\Program Files\PrecisionTime
C:\Program Files\Date Manager

Files
C:\WINDOWS\DOWNLOADED PROGRAM FILES\QABAR.DLL
C:\WINDOWS\SYSTEM\LMF32V.DLL
C:\WINDOWS\Xhrmy.exe
C:\WINDOWS\SYSTEM\DMUSIC46.exe
C:\WINDOWS\Application Data\dots.exe
C:\WINDOWS\SYSTEM\wcpcc.exe
EGCOMSERVICE_1051.dll
C:\WINDOWS\web\related.htm
C:\WINDOWS\SYSTEM\maxspeed.exe



Reboot the PC in Normal Mode.

Please visit Panda and do an online scan. Save the scan report.

Run Hijack This and post a fresh HJT log along with Panda scan report.
  • 0

#13
rickcole

rickcole

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
aye aye aye and oi vaigh!!!!!

my internet is internally not working. i open up my internet and i can't go to a single page. and when i check my outlook i get "cannot find winninet.dll file, please reinstall outlook". is my computer doomed?????????????

i did everything up to the panda scan last night but could not complete it. i had to get some sleep. but now my computer seems to have no hope. i have to ues a different computer to post this. what's my status, and can you help me????????

p.s. psgaurd is still on, is it supposed to be?
  • 0

#14
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Next go to Control Panel click Display > Desktop > Customize Desktop >Remove the check by "View my Active desktop as a web page".
Click OK then Apply and OK.

Reboot the PC in Normal Mode and post the smitfiles.txt and a fresh HJT log
  • 0

#15
rickcole

rickcole

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
It appears psgaurd is gone, BUT IM STILL MISSING WININET.DLL!!!!!!!!!
AN EXTREMELY VITAL FILE THAT MY LIFE SEEMINGLY DEPENDS ON!!!!!
but im calm...
here;s my stuff

smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

quick launch PSGuard spyware remover.lnk


~~~ Favorites ~~~



~~~ system folder ~~~

wininet.dll MISSING!!

oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Missing!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

quick launch PSGuard spyware remover.lnk


~~~ Favorites ~~~



~~~ system folder ~~~

wininet.dll MISSING!!

oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Missing!!


Logfile of HijackThis v1.99.1
Scan saved at 8:54:04 PM, on 8/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\WINDOWS SYNCROAD\SYNCROAD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\WINDOWS SYNCROAD\WINSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Windows SyncroAd] C:\PROGRAM FILES\WINDOWS SYNCROAD\SYNCROAD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Sims\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Sims\PartyPoker.exe
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo.../nethv32_EN.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateu...com/java/cr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: WebMaster ChatNow Client - http://68.16.242.2:8...ava/chatnow.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresp...p/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP