Search2Web and other problems [RESOLVED]


#31 Justin
Hello!

I heard back from Atribune about the folder that you sent him. It is a password stealer, so get rid of that:



Please reopen HiJackThis and scan your computer. Please place a check mark next to the following entries. Be sure to select only the entries that are listed below, as deleting the wrong file could cause harm to your system.

F3 - REG:win.ini: load=C:\WINDOWS\system32\zimvhrxis\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\zimvhrxis\csrss.exe


Next, please close all programs except for HiJackThis, and select Fix Checked.
Reboot your computer and boot into safe mode.

To boot into safe mode, turn your computer on and press F8 continuously until a menu appears. At this menu, please select Safe Mode.

Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK

Next, open Windows Explorer. The easiest way to do this is:

* Click Start
* Select Run
* Type in Explorer

In Windows Explorer, please delete the following folders, if they are found.

C:\WINDOWS\system32\zimvhrxis
C:\Documents and Settings\All Users\Application Data\SOFTWARE TRANS THUNK ARMY
(You might be able to find this now that you are showing hidden files and folders.)

Close Windows Explorer

Then disable show hidden files and folders:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Do not show hidden files and folders.
* Check the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK


Reboot your computer back to normal Windows, and then post a new HiJackThis log for me.

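Added example (not from the thread, and not part of HijackThis): a small Python triage script that applies the checks behind Justin's reply above to HJT log lines. A core Windows process name such as csrss.exe is only legitimate when it runs from %SystemRoot%\System32, so the same name under C:\WINDOWS\system32\zimvhrxis\ is masquerading; the F3 win.ini load=/run= entries, which HijackThis reads from the registry-mapped win.ini [windows] section (HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, values Load and Run), are normally empty, so any value there is a start-up hook; and a Run entry that launches an executable from a user profile's Application Data folder (the "eq kind" entry that shows up later in this thread) is worth a look. The sample log is constructed from entries quoted in this thread plus one process-list line for the fake csrss.exe; the System32 path assumes a default C:\WINDOWS install.

```python
"""Triage HijackThis v1.99-style log lines for the two tricks seen in this
thread: a core system process name used outside System32, and start-up
entries (win.ini Load/Run, HKCU/HKLM Run) pointing at suspicious places.
Added example; not part of HijackThis or of the original thread."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind source detail")

# Core Windows processes that legitimately run only from %SystemRoot%\System32.
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}
# Assumption: a default XP install on C:. Adjust for other system roots.
SYSTEM32 = r"c:\windows\system32"

# 'O4 - HKCU\..\Run: [csrss] C:\WINDOWS\system32\zimvhrxis\csrss.exe'
_O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# 'F3 - REG:win.ini: load=...'  (HJT reads these from the registry-mapped
# win.ini [windows] section: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows)
_F3_RE = re.compile(r"^F3 - REG:win\.ini: (load|run)=(.*)$", re.IGNORECASE)
# Executables launched from a user profile's Application Data (long or 8.3 name).
_APPDATA_RE = re.compile(r"\\(application data|applic~1)\\", re.IGNORECASE)


def extract_path(command):
    """Pull the executable path out of a Run-value command line."""
    command = command.strip()
    if command.startswith('"'):                        # quoted path, maybe with args
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe", command, re.IGNORECASE)    # unquoted path with spaces
    return command[: m.end()] if m else command.split(" ", 1)[0]


def check_path(path, source):
    """Findings for one executable path; empty list if nothing looks off."""
    low = path.lower()
    folder, _, name = low.rpartition("\\")
    findings = []
    if name in CORE_SYSTEM_BINARIES and folder != SYSTEM32:
        findings.append(Finding("masquerade", source,
                                f"{name} running from {folder or '(no path)'}"))
    if _APPDATA_RE.search(low):
        findings.append(Finding("appdata-exec", source,
                                f"executable under a profile's Application Data: {path}"))
    return findings


def triage(log_text):
    """Walk an HJT log and return the list of Findings."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                               # blank line ends the process list
                in_procs = False
            else:
                findings.extend(check_path(line, "process"))
            continue
        m = _F3_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if value:                                  # Load/Run are normally empty
                findings.append(Finding("winini-" + key, "F3", value))
                findings.extend(check_path(extract_path(value), "F3 " + key))
            continue
        m = _O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            findings.extend(check_path(extract_path(command), f"O4 {hive} [{name}]"))
    return findings


# Constructed sample: the entries are taken from the logs quoted in this thread;
# the process-list line for the fake csrss.exe is added for the example.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\zimvhrxis\csrss.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\zimvhrxis\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\zimvhrxis\csrss.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [eq kind] C:\DOCUME~1\Eilis\APPLIC~1\ELSEDA~1\Mapi close.exe
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\system32\zimvhrxis\csrss.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:13} {f.source:22} {f.detail}")
```

Run it as a script and it prints the findings for the sample; pass a whole saved log to triage() to get the same list for a real machine. Note that the registry values stay behind after the folder is deleted, which is why the thread fixes the F3 and O4 entries in HijackThis as a separate step.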
#32 yumphla (Topic Starter)
Hi,
I got the zimvhrxis folder deleted, so messages didn't appear at start-up, but I still couldn't find the Software Trans Thunk Army folder!
Thanks for all your help and here's the new HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 23:26:01, on 02/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Jessops\Picture Suite\InsDetect.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Jessops Insert Detect] C:\Program Files\Jessops\Picture Suite\\InsDetect.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126714332796
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37240.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#33 Justin
Hello!

Things are looking better!

Please download Lop.zip (it is attached to the bottom of my reply).

Unzip it to your desktop, then go into the lop folder and please run lop.bat and post the log it produces.

I would also recommend that you change all of your passwords, since you had a password stealer on your computer.

I'm asking for the lop log again just to see if that folder that you cannot find will show up.

Attached File: lop.zip (313 bytes)

#34 yumphla (Topic Starter)
Thanks for all your help with this. Here is the log from lop.bat:


Volume in drive C has no label.
Volume Serial Number is 48F9-77FD

Directory of C:\Documents and Settings\Administrator\Application Data

07/04/2004 09:56 <DIR> .
07/04/2004 09:56 <DIR> ..
07/04/2004 09:56 <DIR> Microsoft
0 File(s) 0 bytes
3 Dir(s) 91,244,912,640 bytes free
Volume in drive C has no label.
Volume Serial Number is 48F9-77FD

Directory of C:\Documents and Settings\All Users\Application Data

28/09/2005 23:45 <DIR> .
28/09/2005 23:45 <DIR> ..
04/06/2004 15:21 <DIR> Adobe
05/01/2005 23:50 <DIR> Apple Computer
27/09/2005 15:02 <DIR> avg7
06/09/2005 14:57 <DIR> Grisoft
06/09/2005 13:30 <DIR> McAfee.com
20/09/2005 22:44 <DIR> MSScanAppDataDir
04/06/2005 22:01 <DIR> PopCap
19/05/2004 15:57 <DIR> QuickTime
07/04/2004 09:53 <DIR> SBSI
24/10/2004 20:38 <DIR> Spybot - Search & Destroy
28/09/2004 18:20 <DIR> Symantec
04/06/2005 22:33 <DIR> Trymedia
14/09/2005 17:14 <DIR> Windows Genuine Advantage
0 File(s) 0 bytes
15 Dir(s) 91,244,908,544 bytes free
Volume in drive C has no label.
Volume Serial Number is 48F9-77FD

Directory of C:\Documents and Settings\Eilis\Application Data

01/07/2005 12:18 <DIR> Adobe
08/07/2005 11:58 <DIR> AdobeUM
31/07/2004 15:21 <DIR> Apple Computer
09/01/2005 22:16 <DIR> ArcSoft
10/09/2005 17:22 <DIR> AVG7
06/04/2005 23:42 <DIR> capella-software
27/03/2005 21:08 <DIR> CyberLink
19/09/2005 16:36 <DIR> Else Date
10/04/2005 19:52 <DIR> Help
07/04/2004 09:21 <DIR> Identities
07/04/2004 10:01 <DIR> Jasc Software Inc
29/09/2004 21:45 <DIR> Lavasoft
13/01/2005 00:13 <DIR> Leadertech
10/06/2004 20:19 <DIR> Macromedia
17/06/2004 17:08 <DIR> Real
11/06/2004 17:57 <DIR> Sonic
07/04/2004 09:52 <DIR> Sun
07/04/2004 09:58 <DIR> Symantec
01/09/2004 16:13 <DIR> Template
0 File(s) 0 bytes
19 Dir(s) 91,244,908,544 bytes free
Volume in drive C has no label.
Volume Serial Number is 48F9-77FD

Directory of C:\Documents and Settings\MAURA\Application Data

25/09/2004 14:05 <DIR> Adobe
24/08/2005 17:41 <DIR> AdobeUM
19/08/2004 20:06 <DIR> alta
31/07/2004 14:42 <DIR> Apple Computer
06/09/2005 14:59 <DIR> AVG7
08/04/2004 21:16 <DIR> CyberLink
19/04/2004 23:16 0 dm.ini
06/09/2005 12:59 <DIR> Else Date
30/06/2004 22:42 72,288 GDIPFONTCACHEV1.DAT
08/04/2004 21:29 <DIR> Help
07/04/2004 09:21 <DIR> Identities
07/04/2004 10:01 <DIR> Jasc Software Inc
05/07/2005 20:10 <DIR> Lavasoft
08/04/2004 20:46 <DIR> Leadertech
05/09/2004 19:22 <DIR> Macromedia
04/11/2004 12:15 <DIR> MSN6
12/07/2004 17:38 <DIR> Real
08/04/2004 20:46 <DIR> Sonic
07/04/2004 09:52 <DIR> Sun
07/04/2004 09:58 <DIR> Symantec
08/04/2004 20:49 <DIR> Template
2 File(s) 72,288 bytes
19 Dir(s) 91,244,908,544 bytes free
Volume in drive C has no label.
Volume Serial Number is 48F9-77FD

Directory of C:\Documents and Settings\Default User\Application Data

07/04/2004 09:58 <DIR> .
07/04/2004 09:58 <DIR> ..
03/09/2002 08:50 62 DESKTOP.INI
1 File(s) 62 bytes
2 Dir(s) 91,244,908,544 bytes free
Volume in drive C has no label.
Volume Serial Number is 48F9-77FD

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is 48F9-77FD

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'McAfee.com Scan for Viruses - My Computer (CARLIN-MAURA).job'
[TRACE] Printing all job properties

ApplicationName: 'c:\program files\mcafee.com\vso\mcmnhdlr.exe'
Parameters: '/runtask:0'
WorkingDirectory: 'c:\program files\mcafee.com\vso'
Comment: 'McAfee.com Scan for Viruses - My Computer'
Creator: 'MAURA'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 10/07/2005 20:00:00
StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .....F.
StartDate: 09/28/2004
EndDate: 00/00/0000
StartTime: 20:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

#35 Justin
Hello!

Things look great! How is the system running?

#36 yumphla (Topic Starter)
Hi

The system is running great on this side of the partition - thanks for all your help! However, on the other side of the partition, it's still looking for the zimvhrxis folder at startup but I can't find the folder anywhere, it has definitely been deleted. Should I get rid of the partition?

#37 Justin
Boot into your other partition, and post a new HiJackThis log for me to look at.

#38 yumphla (Topic Starter)
Hi,
Here is the HiJack This log from the other side of the partition, thank you!!


Logfile of HijackThis v1.99.1
Scan saved at 18:07:08, on 05/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Radio 1 Mini DJ\skinkers.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.inpkfxvos...XLrA7x7Rc7.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\zimvhrxis\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\zimvhrxis\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [WinDriv32] C:\WINDOWS\system32\WinDriv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Documents and Settings\Eilis\My Documents\internet crap\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [eq kind] C:\DOCUME~1\Eilis\APPLIC~1\ELSEDA~1\Mapi close.exe
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\system32\zimvhrxis\csrss.exe
O4 - HKCU\..\Run: [BBCRadio1Cluster] C:\Program Files\Radio 1 Mini DJ\skinkers.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...earch.html?p=ZS
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126714332796
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37240.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#39 Justin
Hello!

We can just fix those entries in HiJackThis, as the folder is actually gone.

Please reopen HiJackThis and scan your computer. Please place a check mark next to the following entries. Be sure to select only the entries that are listed below, as deleting the wrong file could cause harm to your system.

F3 - REG:win.ini: load=C:\WINDOWS\system32\zimvhrxis\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\zimvhrxis\csrss.exe


Next, please close all programs except for HiJackThis, and select Fix Checked.
Reboot your computer.

Then, from the same partition:

Please download Lop.zip (it is attached to the bottom of my reply).

Unzip it to your desktop, then go into the lop folder and please run lop.bat and post the log it produces.

Attached File: lop.zip (313 bytes)

#40 Justin
Hi again =)

From your first partition that we worked on, there are two more folders that need to be deleted.

C:\Documents and Settings\Eilis\Application Data\Else Date
C:\Documents and Settings\MAURA\Application Data\Else Date

Post back with the lop log from the 2nd partition and we will move on from there =)

#41 yumphla (Topic Starter)
Hi!

I got those two folders deleted and here is the lop log from the 2nd partition. Thanks for all your help with this!!

Volume in drive C has no label.
Volume Serial Number is 48F9-77FD

Directory of C:\Documents and Settings\Administrator\Application Data

07/04/2004 09:56 <DIR> .
07/04/2004 09:56 <DIR> ..
07/04/2004 09:56 <DIR> Microsoft
0 File(s) 0 bytes
3 Dir(s) 91,201,134,592 bytes free
Volume in drive C has no label.
Volume Serial Number is 48F9-77FD

Directory of C:\Documents and Settings\All Users\Application Data

28/09/2005 23:45 <DIR> .
28/09/2005 23:45 <DIR> ..
04/06/2004 15:21 <DIR> Adobe
05/01/2005 23:50 <DIR> Apple Computer
27/09/2005 15:02 <DIR> avg7
06/09/2005 14:57 <DIR> Grisoft
06/09/2005 13:30 <DIR> McAfee.com
20/09/2005 22:44 <DIR> MSScanAppDataDir
04/06/2005 22:01 <DIR> PopCap
19/05/2004 15:57 <DIR> QuickTime
07/04/2004 09:53 <DIR> SBSI
24/10/2004 20:38 <DIR> Spybot - Search & Destroy
28/09/2004 18:20 <DIR> Symantec
04/06/2005 22:33 <DIR> Trymedia
14/09/2005 17:14 <DIR> Windows Genuine Advantage
0 File(s) 0 bytes
15 Dir(s) 91,201,130,496 bytes free
Volume in drive C has no label.
Volume Serial Number is 48F9-77FD

Directory of C:\Documents and Settings\Eilis\Application Data

01/07/2005 12:18 <DIR> Adobe
08/07/2005 11:58 <DIR> AdobeUM
31/07/2004 15:21 <DIR> Apple Computer
09/01/2005 22:16 <DIR> ArcSoft
10/09/2005 17:22 <DIR> AVG7
06/04/2005 23:42 <DIR> capella-software
27/03/2005 21:08 <DIR> CyberLink
10/04/2005 19:52 <DIR> Help
07/04/2004 09:21 <DIR> Identities
07/04/2004 10:01 <DIR> Jasc Software Inc
29/09/2004 21:45 <DIR> Lavasoft
13/01/2005 00:13 <DIR> Leadertech
10/06/2004 20:19 <DIR> Macromedia
17/06/2004 17:08 <DIR> Real
11/06/2004 17:57 <DIR> Sonic
07/04/2004 09:52 <DIR> Sun
07/04/2004 09:58 <DIR> Symantec
01/09/2004 16:13 <DIR> Template
0 File(s) 0 bytes
18 Dir(s) 91,201,130,496 bytes free
Volume in drive C has no label.
Volume Serial Number is 48F9-77FD

Directory of C:\Documents and Settings\MAURA\Application Data

25/09/2004 14:05 <DIR> Adobe
24/08/2005 17:41 <DIR> AdobeUM
19/08/2004 20:06 <DIR> alta
31/07/2004 14:42 <DIR> Apple Computer
06/09/2005 14:59 <DIR> AVG7
08/04/2004 21:16 <DIR> CyberLink
19/04/2004 23:16 0 dm.ini
30/06/2004 22:42 72,288 GDIPFONTCACHEV1.DAT
08/04/2004 21:29 <DIR> Help
07/04/2004 09:21 <DIR> Identities
07/04/2004 10:01 <DIR> Jasc Software Inc
05/07/2005 20:10 <DIR> Lavasoft
08/04/2004 20:46 <DIR> Leadertech
05/09/2004 19:22 <DIR> Macromedia
04/11/2004 12:15 <DIR> MSN6
12/07/2004 17:38 <DIR> Real
08/04/2004 20:46 <DIR> Sonic
07/04/2004 09:52 <DIR> Sun
07/04/2004 09:58 <DIR> Symantec
08/04/2004 20:49 <DIR> Template
2 File(s) 72,288 bytes
18 Dir(s) 91,201,130,496 bytes free
Volume in drive C has no label.
Volume Serial Number is 48F9-77FD

Directory of C:\Documents and Settings\Default User\Application Data

07/04/2004 09:58 <DIR> .
07/04/2004 09:58 <DIR> ..
03/09/2002 08:50 62 DESKTOP.INI
1 File(s) 62 bytes
2 Dir(s) 91,201,130,496 bytes free
Volume in drive C has no label.
Volume Serial Number is 48F9-77FD

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is 48F9-77FD

Directory of C:\Documents and Settings\NetworkService\Application Data

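Added example (not the thread's lop.bat, and not part of the original posts): a Python parser for the dir-style listing lop.bat prints for each profile's Application Data folder, doing what Justin does by eye in posts #40 and #41: report folder names that are not in a known set, and diff an earlier snapshot against a later one to confirm that the two "Else Date" directories are gone. The before/after samples are cut down from the two lop logs above; the known-vendor set is an assumption for the example, not an authoritative list.

```python
"""Parse lop.bat-style 'dir' listings of each profile's Application Data and
diff two snapshots to confirm a removal. Added example; not lop.bat itself."""
import re

# ' Directory of C:\Documents and Settings\Eilis\Application Data'
_DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# '19/09/2005 16:36 <DIR> Else Date'   or   '19/04/2004 23:16 0 dm.ini'
_ENTRY = re.compile(r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")

# Example allow-list built from vendor folders visible in this thread; an
# assumption, not an authoritative list. Anything else is reported for a human.
KNOWN_VENDOR_DIRS = {
    "Adobe", "AdobeUM", "Apple Computer", "ArcSoft", "AVG7", "avg7", "Grisoft",
    "CyberLink", "Help", "Identities", "Jasc Software Inc", "Lavasoft",
    "Leadertech", "Macromedia", "Microsoft", "Real", "Sonic", "Sun", "Symantec",
    "Template", "McAfee.com", "QuickTime", "Spybot - Search & Destroy",
}


def parse_listing(text):
    """Return {directory_path: set(subfolder names)} for each 'Directory of' block."""
    listing = {}
    current = None
    for line in text.splitlines():
        m = _DIR_HEADER.match(line)
        if m:
            current = m.group(1)
            listing.setdefault(current, set())
            continue
        m = _ENTRY.match(line)
        if m and current is not None and m.group(1) == "<DIR>":
            name = m.group(2)
            if name not in (".", ".."):            # skip the self/parent entries
                listing[current].add(name)
    return listing


def unknown_dirs(listing, known=KNOWN_VENDOR_DIRS):
    """Subfolders per profile that are not in the known set (candidates to inspect)."""
    return {path: names - known for path, names in listing.items() if names - known}


def diff_listings(before, after):
    """(removed, added): per-path folder sets that disappeared / appeared between snapshots."""
    removed, added = {}, {}
    for path in set(before) | set(after):
        b, a = before.get(path, set()), after.get(path, set())
        if b - a:
            removed[path] = b - a
        if a - b:
            added[path] = a - b
    return removed, added


# Constructed samples, cut down from the two lop.bat logs in this thread.
EILIS = r"C:\Documents and Settings\Eilis\Application Data"
MAURA = r"C:\Documents and Settings\MAURA\Application Data"

BEFORE = r"""
 Volume in drive C has no label.
 Directory of C:\Documents and Settings\Eilis\Application Data

01/07/2005 12:18 <DIR> Adobe
19/09/2005 16:36 <DIR> Else Date
10/04/2005 19:52 <DIR> Help
0 File(s) 0 bytes
 Directory of C:\Documents and Settings\MAURA\Application Data

25/09/2004 14:05 <DIR> Adobe
19/04/2004 23:16 0 dm.ini
06/09/2005 12:59 <DIR> Else Date
2 File(s) 72,288 bytes
"""
# The later snapshot: same listing with both 'Else Date' folders deleted.
AFTER = (BEFORE.replace("19/09/2005 16:36 <DIR> Else Date\n", "")
               .replace("06/09/2005 12:59 <DIR> Else Date\n", ""))

if __name__ == "__main__":
    before, after = parse_listing(BEFORE), parse_listing(AFTER)
    print("to inspect:", unknown_dirs(before))
    removed, added = diff_listings(before, after)
    print("removed:", removed, "added:", added)
```

Paste a full lop log into parse_listing() and the same two calls give the per-profile unknowns and the before/after difference; an empty "added" result alongside the expected "removed" set is the check that nothing new appeared while the cleanup was going on.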
#42 Justin
Hello =)

Please post a new HiJackThis log from your second partition, and we will clean up anything that is left over, and then we should be done =)

#43 yumphla (Topic Starter)
Hi,
Thank you so much for all your help with this! Here's that HiJack This log:



Logfile of HijackThis v1.99.1
Scan saved at 00:31:35, on 06/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Radio 1 Mini DJ\skinkers.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Jessops\Picture Suite\InsDetect.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.inpkfxvos...XLrA7x7Rc7.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [WinDriv32] C:\WINDOWS\system32\WinDriv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Documents and Settings\Eilis\My Documents\internet crap\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [eq kind] C:\DOCUME~1\Eilis\APPLIC~1\ELSEDA~1\Mapi close.exe
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\system32\zimvhrxis\csrss.exe
O4 - HKCU\..\Run: [BBCRadio1Cluster] C:\Program Files\Radio 1 Mini DJ\skinkers.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...earch.html?p=ZS
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126714332796
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37240.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  • 0

#44
Justin

    I do a little bit of everything

  • Member
  • 2,353 posts
Hello, I apologize for the delay, but I will not be able to look at this log until this afternoon when I get home from class.

Thanks for your patience :tazz:
  • 0

#45
Justin

    I do a little bit of everything

  • Member
  • 2,353 posts
Please reopen HiJackThis and scan your computer. Please place a check mark next to the following entries. Be sure to select only the entries that are listed below, as deleting the wrong file could cause harm to your system.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.inpkfxvos...XLrA7x7Rc7.html
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKCU\..\Run: [WinDriv32] C:\WINDOWS\system32\WinDriv32.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Documents and Settings\Eilis\My Documents\internet crap\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [eq kind] C:\DOCUME~1\Eilis\APPLIC~1\ELSEDA~1\Mapi close.exe
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\system32\zimvhrxis\csrss.exe


Reboot your computer and boot into safe mode.

To boot into safe mode, turn your computer on and press F8 continuously until a menu appears. At this menu, please select Safe Mode.

Next, open Windows Explorer. The easiest way to do this is:
Click Start
Select Run
Type in Explorer
While in Windows Explorer, please delete the following files, if they are found. Please note that you may not find the files; please let me know if you do not find them.

C:\WINDOWS\system32\WinDriv32.exe

Please exit Windows Explorer and reboot your computer normally.
In your next reply, please post a new HiJackThis log, as well as any other information that has been requested.
  • 0
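The entries Justin singles out above follow a pattern that can be checked mechanically: a file carrying the name of a core Windows process (csrss.exe) registered under an HKCU Run key and loaded from a folder where that process never lives. The following Python script is an added example, not code from this thread, from HijackThis or from Geeks to Go. It parses the O4 lines of a HijackThis log like the one posted in #43 and reports such entries. The sample lines are copied from that log; the table of core binaries and their expected directory (an assumed XP layout with C:\WINDOWS as the system root) and the rule that smss, csrss, winlogon, services and lsass are never started from a Run key are the example's own assumptions.

```python
r"""Audit the O4 (Run-key autostart) lines of a HijackThis log for executables
that borrow the name of a core Windows binary but are not where it belongs.

Added example: not code from the thread, from HijackThis or from Geeks to Go.
The sample lines below are copied from the log posted in the thread; the table
of core binaries and their expected directories assumes an XP-era system root
of C:\WINDOWS, and the "never started from a Run key" set is a rule of thumb.
"""
import re
from typing import List, NamedTuple, Tuple

# One O4 line as HijackThis prints it:  O4 - HKCU\..\Run: [name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# The image path: first token ending in an executable extension, optionally
# quoted, followed by a closing quote, whitespace (arguments) or end of line.
IMAGE_RE = re.compile(r'^"?(?P<image>.+?\.(?:exe|com|scr))(?:"|\s|$)', re.IGNORECASE)

# Constructed sample: O4 lines copied verbatim from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [WinDriv32] C:\WINDOWS\system32\WinDriv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [eq kind] C:\DOCUME~1\Eilis\APPLIC~1\ELSEDA~1\Mapi close.exe
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\system32\zimvhrxis\csrss.exe
O4 - Startup: PowerReg Scheduler V3.exe
"""


class Autorun(NamedTuple):
    hive: str    # HKLM or HKCU
    name: str    # value name shown in [brackets]
    image: str   # executable path with quotes and arguments stripped


def parse_o4(log_text: str) -> List[Autorun]:
    """Return the Run-key autostart entries found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not a Run-key O4 line (Startup folder, O2, O16, ...)
        cmd = m.group("cmd").strip()
        img = IMAGE_RE.match(cmd)
        entries.append(Autorun(m.group("hive"), m.group("name"),
                               img.group("image") if img else cmd))
    return entries


# Where each core Windows binary lives (assumed XP layout, lower-cased).
CORE_HOME = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# These are launched by the boot/logon chain, never from a Run key, so a Run
# entry carrying one of these names is suspicious wherever it points.
NEVER_AUTORUN = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def audit(entries: List[Autorun]) -> List[Tuple[str, str]]:
    """Return (value name, reason) for each autorun misusing a core binary name."""
    findings = []
    for e in entries:
        directory, _, filename = e.image.lower().rpartition("\\")
        if filename in NEVER_AUTORUN:
            findings.append((e.name, f"{filename} is never started from a Run key "
                                     f"(found in {e.hive} pointing at {e.image})"))
        elif filename in CORE_HOME and directory != CORE_HOME[filename]:
            findings.append((e.name, f"{filename} loaded from {directory or '(no path)'}, "
                                     f"expected {CORE_HOME[filename]}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(parse_o4(SAMPLE_LOG)):
        print(f"[{name}] {reason}")
```

Run against the sample, it reports only the [csrss] entry. WinDriv32.exe is not caught by a name check like this, which is why the thread relies on a helper recognising the file rather than on a rule; a check of this kind is a first pass over a log, not a substitute for that review.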





