PSGuard,ADV?,Desktop trojan:need help! [CLOSED]



#1
g2glee47 (New Member, 5 posts)

PS Guard and a host of other stuff infected me at 10:22:40 PM on August 18th. The symptoms were: a new opening screen (black background with "WARNING Virus Infection DANEGER" and other garbage and a CLICK HERE to remove button). With effort I could start my Internet connection, and my home page was changed (about:blank) and the Yahoo page had a permanent overlay making it very hard to use. A series of 'out of the blue' jumps to spyware sites, gambling casinos, flower shops or dating sites would occur every so often, and my desktop settings were altered and some setting screens in 'Desktop Properties' have disappeared!

After executing a series of fixes I already knew, I got down to normal functioning with the following exceptions. Startup is normal and everything works fine until 3 to 5 minutes after I've been running; then a series of pop-up screens open for no apparent reason. The first is always a small screen that invites me to connect to my EarthLink net connection. Upon clicking it closed it will reappear three more times after 3 or 4 seconds until the last. Then, on a cycle of 3 to 5 minutes or so, a series of seemingly random medium-sized ad windows (about 9 or 10 different ones) pop up once only and stay put unless I close them. They are for casinos, spyware sites, a dating site and a flower shop. In addition I still seem to be missing at least one screen of my Desktop Properties, as I cannot find a screen to change or select wallpaper. My F8 key no longer will get me to the startup options screen in BIOS, so I cannot invoke Safe Mode or the other numbered option choices with it. I cannot be sure this infection did it, as I have not used it for several months, but thought I would mention it just the same.

I have run CleanUP, Ad-Aware SE and Trojan Hunter and although the first two found and removed much stuff (Trojan Hunter ran last and found nothing) I can see no improvement or change at all. I still get the popup stuff as described above and cannot access some startup and desktop options.

Thanks for any help with this, here is the latest Hijack log file:

Logfile of HijackThis v1.99.1
Scan saved at 4:05:50 PM, on 8/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\SYSTEM\KERNEL32.DLL
D:\WINDOWS\SYSTEM\MSGSRV32.EXE
D:\WINDOWS\SYSTEM\MPREXE.EXE
D:\WINDOWS\SYSTEM\mmtask.tsk
D:\WINDOWS\SYSTEM\MSTASK.EXE
D:\WINDOWS\EXPLORER.EXE
D:\WINDOWS\TASKMON.EXE
D:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\WINDOWS\SYSTEM\PDESK.EXE
D:\WINDOWS\RUNDLL32.EXE
D:\WINDOWS\RUNDLL32.EXE
D:\PROGRAM FILES\NETZERO\EXEC.EXE
D:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
D:\PROGRAM FILES\CALLWAVE\IAM.EXE
D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
D:\WINDOWS\SYSTEM\DDHELP.EXE
C:\OLDDRIVE\PROGRAM FILES\WINZIP\WZQKPICK.EXE
D:\WINDOWS\SYSTEM\RNAAPP.EXE
D:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\PROGRAM FILES\NETZERO\EXEC.EXE
D:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\WINDOWS\SYSTEM\PSTORES.EXE
D:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.ne...=6.0B2&N=PL&O=I
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - D:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
F1 - win.ini: run=HPFsched
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - D:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {5FB28941-1038-11DA-AC07-44458F330CD9} - D:\WINDOWS\SYSTEM\KDJL.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - D:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - D:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - D:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [ScanRegistry] D:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] D:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Powerdesk] D:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [sp] rundll32 D:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [intell32.exe] D:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [svchost] D:\WINDOWS\TEMP\36998747.EXE
O4 - HKLM\..\Run: [PSGuard] D:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [THGuard] D:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [NetZero_uoltray] D:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [spc_w] "D:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [E6TaskPanel] "D:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: Internet Answering Machine.lnk = D:\Program Files\CallWave\IAM.EXE
O4 - Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\OLDdrive\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O18 - Filter: text/html - {5FB28940-1038-11DA-AC07-4445E07FA942} - D:\WINDOWS\SYSTEM\KDJL.DLL
O18 - Filter: text/plain - {5FB28940-1038-11DA-AC07-4445E07FA942} - D:\WINDOWS\SYSTEM\KDJL.DLL

#2
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Welcome to GTG.

You have more than one infection there. Let's get rid of the other one first before we tackle PSGuard.

Download CWShredder http://www.greyknigh.../CWShredder.exe

Right click a blank part of your desktop & select New->Folder. Call it SPFix. Go to http://www.derbilk.de/404.html and download SpSeHjfix. Get the one that's specified for your Operating System. So if you have Windows 98, get the one that's listed for Windows 98.

Disconnect from the net and close all programs. Run SpSeHjfix and click on 'Start Disinfection'. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

Now run the CWShredder and hit the Fix button.

Reboot and post a fresh HijackThis log and the log that was created by SpSeHjfix.

#3
g2glee47 (Topic Starter, New Member, 5 posts)

As per request I have submitted log files below. I have been on the computer for 30 min or more with NO sign of any trouble!! Thank you very much. It seems to have worked so far. I'm ready for the next step to make it FINAL!

SeH... log file:

(8/28/05 8:57:55 PM) SPSeHjFix started v1.09
(8/28/05 8:57:55 PM) OS: Win98SE A (4.10.67766446)
(8/28/05 8:57:55 PM) Language: english
(8/28/05 8:58:27 PM) Disinfect started
(8/28/05 8:58:27 PM) Bad-Dll(IEP): (not found)
(8/28/05 8:58:27 PM) Bad-Dll(IEP) in BHO: (not found)
(8/28/05 8:58:27 PM) Searchassistant Uninstaller found: regsvr32 /s /u D:\WINDOWS\SYSTEM\KDJL.DLL
(8/28/05 8:58:27 PM) Searchassistant Uninstaller - Keys Deleted
(8/28/05 8:58:27 PM) UBF: 6
(8/28/05 8:58:27 PM) UBB: 1
(8/28/05 8:58:27 PM) FilterKey: HKCR\text/html (deleted)
(8/28/05 8:58:27 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(8/28/05 8:58:27 PM) FilterKey: HKCR\CLSID\{5FB28940-1038-11DA-AC07-4445E07FA942} (deleted)
(8/28/05 8:58:27 PM) FilterKey: HKCR\text/plain (deleted)
(8/28/05 8:58:27 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(8/28/05 8:58:27 PM) FilterKey: HKCR\CLSID\{5FB28940-1038-11DA-AC07-4445E07FA942} (error while deleting)
(8/28/05 8:58:27 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5FB28941-1038-11DA-AC07-44458F330CD9} (deleted)
(8/28/05 8:58:27 PM) BHO-Key: HKCR\CLSID\{5FB28941-1038-11DA-AC07-44458F330CD9} (deleted)
(8/28/05 8:58:27 PM) UBR: 18
(8/28/05 8:58:27 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 D:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(8/28/05 8:58:27 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
(8/28/05 8:58:27 PM) Stealth-String not found:
(8/28/05 8:58:27 PM) File added to delete: d:\windows\system\kdjl.dll
(8/28/05 8:58:27 PM) File added to delete: d:\windows\system\kdjl.dll
(8/28/05 8:58:27 PM) File added to delete: d:\windows\temp\se.dll
(8/28/05 8:58:27 PM) Reboot
(8/28/05 8:59:36 PM) SPSeHjFix 2nd Step
(8/28/05 8:59:36 PM) RunServicesOnce-Key: (edited)
(8/28/05 8:59:47 PM) Cleaned

HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:55:11 PM, on 8/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\SYSTEM\KERNEL32.DLL
D:\WINDOWS\SYSTEM\MSGSRV32.EXE
D:\WINDOWS\SYSTEM\MPREXE.EXE
D:\WINDOWS\SYSTEM\mmtask.tsk
D:\WINDOWS\SYSTEM\MSTASK.EXE
D:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
D:\WINDOWS\SYSTEM\DDHELP.EXE
D:\WINDOWS\EXPLORER.EXE
D:\WINDOWS\TASKMON.EXE
D:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\WINDOWS\SYSTEM\PDESK.EXE
D:\WINDOWS\RUNDLL32.EXE
D:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
D:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
D:\PROGRAM FILES\CALLWAVE\IAM.EXE
D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\OLDDRIVE\PROGRAM FILES\WINZIP\WZQKPICK.EXE
D:\WINDOWS\SYSTEM\RNAAPP.EXE
D:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\WINDOWS\SYSTEM\PSTORES.EXE
D:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\WINDOWS\NOTEPAD.EXE
D:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\TEMP\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.ne...=6.0B2&N=PL&O=I
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - D:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
F1 - win.ini: run=HPFsched
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - D:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - D:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - D:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - D:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [ScanRegistry] D:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] D:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Powerdesk] D:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [intell32.exe] D:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [svchost] D:\WINDOWS\TEMP\36998747.EXE
O4 - HKLM\..\Run: [PSGuard] D:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [THGuard] "D:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [sp] rundll32 D:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] D:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [NetZero_uoltray] D:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [spc_w] "D:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [E6TaskPanel] "D:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: Internet Answering Machine.lnk = D:\Program Files\CallWave\IAM.EXE
O4 - Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\OLDdrive\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab

#4
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

It's still there... so we'll run it again and I will also give you the fix for the PSGuard infection.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download CWShredder http://www.greyknigh.../CWShredder.exe

Right click a blank part of your desktop & select New->Folder. Call it SPFix. Go to http://www.derbilk.de/404.html and download SpSeHjfix. Get the one that's specified for your Operating System. So if you have Windows 98, get the one that's listed for Windows 98.

Disconnect from the net and close all programs. Run SpSeHjfix and click on 'Start Disinfection'. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

Now run the CWShredder and hit the Fix button.

Restart your computer and do the following:

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Download CleanUp! http://cleanup.stevengould.org/ (alternate link if the main link doesn't work: http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\WINDOWS\TEMP\se.dll/space.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - ~37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O4 - HKLM\..\Run: [intell32.exe] c:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [svchost] c:\WINDOWS\TEMP\36998747.EXE
O4 - HKLM\..\Run: [PSGuard] c:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [sp] rundll32 c:\WINDOWS\TEMP\SE.DLL,DllInstall
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\WINDOWS\web\related.htm


Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

If you are using Windows 95/98 or Windows ME, you MUST do the following steps that are enclosed in the starting and ending double lines before proceeding any further:
========================================================================
Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REM Save a copy of the current wininet.dll to the desktop so it can be scanned
copy c:\windows\system\wininet.dll c:\windows\desktop
REM Remove this batch file once it has run
del copy.bat

Save the file as "copy.bat". Make sure to save it with the quotes. Double click on it.

Reboot. Scan the desktop folder with eTrust Web Scanner at http://www3.ca.com/s...sinfo/scan.aspx. When done, make sure the box is checked for wininet.dll and click cure.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REM Remove the wininet.dll currently in the system folder and the two dropped DLLs
del c:\windows\system\wininet.dll
del c:\windows\system\oleadm.dll
del c:\windows\system\oleext.dll
REM Put the scanned copy from the desktop back into the system folder
copy c:\windows\desktop\wininet.dll c:\windows\system
REM Remove this batch file once it has run
del delete.bat

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.
========================================================================


Open Ad-aware and do a full scan. Remove all it finds.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log.

Then post the Panda log here along with the logs for HijackThis, the log for SpSeHjfix and smitfiles.txt.
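The entries greyknight17 asks to have fixed in this and the previous reply share a few recognisable traits: components loading from \WINDOWS\TEMP, a Search Bar served from a local DLL via res://, search settings pointed at about:blank, an O18 MIME filter on text/html and text/plain, a CLSID written with ~ instead of {, and registrations whose file no longer exists. The Python below is an added example written for this page (it is not HijackThis, SpSeHjfix or any other tool from the thread) that encodes those traits as triage heuristics over lines copied from the logs posted above; the reason strings and the list of system-process names are the example author's assumptions, and the output is an aid for a human reader, not a verdict.

```python
import re

# Lines copied from the HijackThis logs posted in this thread, plus benign
# entries from the same logs so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R3 - URLSearchHook: (no name) - ~37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: (no name) - {5FB28941-1038-11DA-AC07-44458F330CD9} - D:\WINDOWS\SYSTEM\KDJL.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] D:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [sp] rundll32 D:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [svchost] D:\WINDOWS\TEMP\36998747.EXE
O4 - HKLM\..\Run: [THGuard] "D:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O18 - Filter: text/html - {5FB28940-1038-11DA-AC07-4445E07FA942} - D:\WINDOWS\SYSTEM\KDJL.DLL
"""

# A HijackThis entry looks like "R1 - ..." or "O4 - ..."; headers and the
# running-process list do not match and are skipped.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
GUID_BODY = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
GUID = re.compile(r"\{" + GUID_BODY.pattern + r"\}")
RUN_VALUE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)")
# Assumed list of process names that malware likes to borrow for autorun values.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss", "spoolsv"}
SEARCH_KEYS = ("Search Page", "Search Bar", "SearchAssistant", "HomeOldSP", "Default_Search_URL")


def reasons_for(line: str) -> list:
    """Return the list of heuristic reasons a single log line is suspicious."""
    m = ENTRY.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    reasons = []
    if re.search(r"\\TEMP\\", body, re.I):
        reasons.append("component loaded from a TEMP directory")
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned registration: referenced file does not exist")
    # A GUID without its braces (e.g. "~37D2...}") is the malformed-CLSID
    # pattern seen in this thread's R3 URLSearchHook entries.
    if GUID_BODY.search(body) and not GUID.search(body):
        reasons.append("malformed CLSID")
    if code.startswith("R"):
        if "about:blank" in body and any(k in body for k in SEARCH_KEYS):
            reasons.append("search setting redirected to about:blank")
        if "res://" in body:
            reasons.append("browser page served from a local DLL resource")
    if code == "O18" and re.search(r"Filter: text/(html|plain)", body):
        reasons.append("MIME filter hijack of text/html or text/plain")
    if code == "O4":
        rv = RUN_VALUE.search(body)
        if rv:
            name = rv.group("name").lower()
            name = name[:-4] if name.endswith(".exe") else name
            cmd = rv.group("cmd").upper()
            if name in SYSTEM_NAMES and "\\WINDOWS\\SYSTEM" not in cmd:
                reasons.append("autorun named after a system process but not in the system directory")
    return reasons


def triage(log_text: str) -> dict:
    """Map each suspicious log line to the reasons it was flagged; clean lines are omitted."""
    flagged = {}
    for raw in log_text.splitlines():
        r = reasons_for(raw)
        if r:
            flagged[raw.strip()] = r
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for w in why:
            print("   ->", w)
```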

#5
g2glee47 (Topic Starter, New Member, 5 posts)

I am stalled at the point where I need to open in Safe Mode. The problem with my F8 key not working has returned! I have tried all the usual stuff (quick peck, push and hold, etc.) and your suggestion of the F5 key; nothing works, I only end up in BIOS or get nothing. I need a way, if you know of one, to get there otherwise?? I may be able to boot in DOS or use a rescue disk. Would this do? Please advise, thanks.

#6
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Run through all the steps again in Normal Mode then. Make sure you run SpSeHjfix also. Tell me if you can get into safe mode after doing all those steps and restarting.

#7
g2glee47 (Topic Starter, New Member, 5 posts)

Please find requested logs below.

Panda report:

Incident                    | Status         | Location
Adware:Adware/StartPage.AES | No disinfected | C:\q626464.exe
Possible Virus.             | No disinfected | D:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe

HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 11:33:28 AM, on 8/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\SYSTEM\KERNEL32.DLL
D:\WINDOWS\SYSTEM\MSGSRV32.EXE
D:\WINDOWS\SYSTEM\MPREXE.EXE
D:\WINDOWS\SYSTEM\mmtask.tsk
D:\WINDOWS\SYSTEM\MSTASK.EXE
D:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
D:\WINDOWS\EXPLORER.EXE
D:\WINDOWS\SYSTEM\RNAAPP.EXE
D:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\WINDOWS\TASKMON.EXE
D:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\WINDOWS\SYSTEM\PDESK.EXE
D:\WINDOWS\RUNDLL32.EXE
D:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
D:\PROGRAM FILES\NETZERO\EXEC.EXE
D:\PROGRAM FILES\NZSEARCH\NZSPC.EXE
D:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
D:\PROGRAM FILES\CALLWAVE\IAM.EXE
D:\WINDOWS\SYSTEM\DDHELP.EXE
D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\OLDDRIVE\PROGRAM FILES\WINZIP\WZQKPICK.EXE
D:\PROGRAM FILES\NETZERO\EXEC.EXE
D:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\WINDOWS\SYSTEM\PSTORES.EXE
D:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.ne...=6.0B2&N=PL&O=I
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - D:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
F1 - win.ini: run=HPFsched
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - D:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - D:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - D:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - D:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] D:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] D:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Powerdesk] D:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [intell32.exe] D:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard] D:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [THGuard] "D:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] D:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [NetZero_uoltray] D:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [spc_w] "D:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [E6TaskPanel] "D:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: Internet Answering Machine.lnk = D:\Program Files\CallWave\IAM.EXE
O4 - Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\OLDdrive\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab

SpSeHjfix:
(8/30/05 3:37:46 PM) SPSeHjFix started v1.09
(8/30/05 3:37:47 PM) OS: Win98SE A (4.10.67766446)
(8/30/05 3:37:47 PM) Language: english
(8/30/05 3:37:56 PM) Disinfect started
(8/30/05 3:37:56 PM) Bad-Dll(IEP): (not found)
(8/30/05 3:37:56 PM) Bad-Dll(IEP) in BHO: (not found)
(8/30/05 3:37:56 PM) UBF: 4
(8/30/05 3:37:56 PM) UBB: 0
(8/30/05 3:37:56 PM) UBR: 19
(8/30/05 3:37:56 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 D:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(8/30/05 3:37:56 PM) Bad IE-pages:
(8/30/05 3:37:56 PM) Stealth-String not found:
(8/30/05 3:37:56 PM) File added to delete: d:\windows\temp\se.dll
(8/30/05 3:37:56 PM) Reboot
(8/30/05 3:38:35 PM) SPSeHjFix 2nd Step
(8/30/05 3:38:35 PM) RunServicesOnce-Key: (edited)
(8/30/05 3:38:51 PM) Cleaned

Smitfiles:

smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present
~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system folder ~~~
oleext.dll

~~~ Icons in system folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~~ wininet.dll ~~~~
wininet.dll Present!!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system folder ~~~
oleext.dll

~~~ Icons in system folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~~ wininet.dll ~~~~

wininet.dll Clean!!

Latest HijackThis run just before posting:

Logfile of HijackThis v1.99.1
Scan saved at 2:41:58 PM, on 8/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\SYSTEM\KERNEL32.DLL
D:\WINDOWS\SYSTEM\MSGSRV32.EXE
D:\WINDOWS\SYSTEM\MPREXE.EXE
D:\WINDOWS\SYSTEM\mmtask.tsk
D:\WINDOWS\SYSTEM\MSTASK.EXE
D:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
D:\WINDOWS\TASKMON.EXE
D:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\WINDOWS\SYSTEM\PDESK.EXE
D:\WINDOWS\RUNDLL32.EXE
D:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
D:\PROGRAM FILES\NETZERO\EXEC.EXE
D:\PROGRAM FILES\CALLWAVE\IAM.EXE
D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
D:\WINDOWS\SYSTEM\DDHELP.EXE
C:\OLDDRIVE\PROGRAM FILES\WINZIP\WZQKPICK.EXE
D:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\PROGRAM FILES\NETZERO\EXEC.EXE
D:\WINDOWS\SYSTEM\PSTORES.EXE
D:\WINDOWS\SYSTEM\SPOOL32.EXE
D:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
D:\WINDOWS\SYSTEM\RNAAPP.EXE
D:\WINDOWS\SLRUNDLL.EXE
D:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\IPCLIENT.EXE
D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
D:\WINDOWS\EXPLORER.EXE
D:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.ne...=6.0B2&N=PL&O=I
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - D:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=HPFsched
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - D:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - D:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - D:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - D:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] D:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] D:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Powerdesk] D:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [THGuard] "D:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] D:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [NetZero_uoltray] D:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [spc_w] "D:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [E6TaskPanel] "D:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: Internet Answering Machine.lnk = D:\Program Files\CallWave\IAM.EXE
O4 - Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\OLDdrive\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab

#8
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Check and fix this in HijackThis:

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

Delete this file -> C:\q626464.exe

Boot into Safe Mode and run smitRem.exe again. Save the log.

Restart and post that smitfiles.txt log along with a new HijackThis log.
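Added here as an illustration, not part of the thread or of HijackThis: a small Python triage pass that flags the kind of R3/O2/O3 entry greyknight17 points at, a hook whose CLSID is malformed (a leading `~` where `{` should be), that has no name, or that has no file behind it. The sample lines are copied in shape from the log above; the regexes and function names are my own.

```python
import re

# Constructed sample, shaped after the HijackThis log posted in this thread.
SAMPLE_LOG = "\n".join([
    r"R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - D:\Program Files\EarthLink TotalAccess\ElnIE.dll",
    r"R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
    r"O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - D:\Program Files\EarthLink TotalAccess\PnEL.dll",
    r'O4 - HKLM\..\Run: [THGuard] "D:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"',
])

# A well-formed CLSID: {8-4-4-4-12 hex digits}, braces included.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# HijackThis R3 (URLSearchHook), O2 (BHO) and O3 (Toolbar) lines share one layout:
#   <type> - <kind>: <name> - <clsid> - <file>
ENTRY_RE = re.compile(
    r"^(?P<type>R3|O2|O3) - (?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\S+) - (?P<file>.*)$"
)


def classify(line):
    """Parse one log line; return None if it is not an R3/O2/O3 entry,
    otherwise a dict with the CLSID and a list of reasons to look closer."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    reasons = []
    if not CLSID_RE.match(m["clsid"]):
        reasons.append("malformed CLSID")
    if m["file"].strip() == "(no file)":
        reasons.append("no backing file")
    if m["name"].strip() == "(no name)":
        reasons.append("unnamed entry")
    return {"line": line, "clsid": m["clsid"], "reasons": reasons}


def triage(log_text):
    """Return the hook/BHO/toolbar entries that deserve a second look."""
    flagged = []
    for raw in log_text.splitlines():
        info = classify(raw.rstrip())
        if info and info["reasons"]:
            flagged.append(info)
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(", ".join(hit["reasons"]), "->", hit["line"])
```

A clean entry like the EarthLink hook produces no reasons; only the orphaned, unnamed hook with the broken CLSID is reported.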

#9
g2glee47

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I am still having no problems, with the exception of still not being able to open in Safe Mode... I'm beginning to think it's an unrelated problem. I'm going to try a new keyboard first and think seriously about getting a new mBoard. This baby is getting old (about three years). If and when I get opening options I will do a line-by-line load to see if I can isolate and remove the loading of the no-name/no-file SearchHook.

It goes away and stays away upon running and fixing with HJ, but every reboot it comes back. I removed empty spaces from the smitlog to save posting space.

Thanks for all your help. Leland



smitRem log file
version 2.3

by noahdfear

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present

~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system folder ~~~
~~~ Icons in system folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present

~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system folder ~~~
~~~ Icons in system folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~~ wininet.dll ~~~~
wininet.dll Clean!! :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 1:28:35 PM, on 9/1/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\SYSTEM\KERNEL32.DLL
D:\WINDOWS\SYSTEM\MSGSRV32.EXE
D:\WINDOWS\SYSTEM\MPREXE.EXE
D:\WINDOWS\SYSTEM\mmtask.tsk
D:\WINDOWS\SYSTEM\MSTASK.EXE
D:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
D:\WINDOWS\EXPLORER.EXE
D:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\WINDOWS\TASKMON.EXE
D:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\WINDOWS\SYSTEM\PDESK.EXE
D:\WINDOWS\RUNDLL32.EXE
D:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
D:\PROGRAM FILES\NETZERO\EXEC.EXE
D:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
D:\PROGRAM FILES\CALLWAVE\IAM.EXE
D:\WINDOWS\SYSTEM\DDHELP.EXE
D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\OLDDRIVE\PROGRAM FILES\WINZIP\WZQKPICK.EXE
D:\PROGRAM FILES\NETZERO\EXEC.EXE
D:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\WINDOWS\SYSTEM\PSTORES.EXE
D:\WINDOWS\SYSTEM\RNAAPP.EXE
D:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.ne...=6.0B2&N=PL&O=I
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - D:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=HPFsched
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - D:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - D:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - D:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - D:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] D:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] D:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Powerdesk] D:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [THGuard] "D:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] D:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [NetZero_uoltray] D:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [spc_w] "D:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [E6TaskPanel] "D:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: Internet Answering Machine.lnk = D:\Program Files\CallWave\IAM.EXE
O4 - Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\OLDdrive\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab

#10
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download Registrar Lite http://www.resplende...oad/reglite.exe and install it.

Copy and paste the following text into the address bar and hit Go:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

In the pane on the right are the values associated with that key. We want to remove this line:

~CFBFAE00-17A6-11D0-99CB-00C04FD64497

Restart. Is it still showing up in HijackThis scan now?

#11
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.