pop ups installing search bars DONT KNOW WHAT HAPPENED!



#1
inkyspanky

    Member

  • Member
  • 36 posts
hi there,
you guys have helped me in the past and you were amazing. My computer worked perfectly for about 6 months and now I DON'T KNOW WHAT HAPPENED!!!!!!!! It was probably games and things that I play. My computer is really slow all of a sudden. When I restart I get weird pop-up errors without doing anything. When I open the internet I get tons of pop-ups, and there is a weird toolbar up top that I can't get rid of. Here is my HijackThis log. Please help!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 9:58:56 PM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\btxfsst.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\yyhgcpt.exe
C:\Program Files\CMSystem\CMSystem.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\etb\pokapoka76.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.type2find.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.type2find.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.type2find.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.type2find.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msclean] C:\WINDOWS\msclean.exe
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\Run: [yyhgcpt] C:\WINDOWS\yyhgcpt.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\sdkggg.exe reg_run
O4 - HKLM\..\Run: [System service76] C:\WINDOWS\etb\pokapoka76.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - Global Startup: AOL Instant Messenger.lnk = C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave...mjolauncher.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v6.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\btxfsst.exe




Oh yeah, I forgot to mention the tiny hourglass next to my cursor is constantly flashing. Thank you so much, hope to hear from you soon.

Christine
  • 0
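As an added example (not part of the original post and not HijackThis's own code), here is a small Python triage script that parses lines in the HijackThis 1.99 format and flags the patterns visible in the log above: IE search settings pointing at a third-party host, entries whose file no longer exists, Run/Service entries whose executable sits in the Windows directory outside System32, and services with no recorded publisher. The sample lines are constructed from the posted log; the allowlist of search hosts and the heuristics themselves are assumptions for the example, not a verdict on any particular file.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 1.99 format, modelled on the log above
# (a subset of the posted lines, embedded so the script runs offline).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.type2find.com/sp2.php
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [yyhgcpt] C:\WINDOWS\yyhgcpt.exe
O4 - HKLM\..\Run: [System service76] C:\WINDOWS\etb\pokapoka76.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\btxfsst.exe
"""

# Every HijackThis entry starts with a section code (R0..R3, F0..F3, N1..N4, O1..O24)
ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
# First Windows path on the line: quoted (may contain spaces) or unquoted
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')
URL_RE = re.compile(r"=\s*(https?://([^/\s]+)\S*)")

# Hosts that legitimately appear in IE search settings on a clean XP install.
# Constructed allowlist for this example; extend it for your own environment.
KNOWN_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.msn.com"}


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def _first_path(text):
    m = PATH_RE.search(text)
    if not m:
        return None
    return m.group(1) or m.group(2)


def _in_windows_dir_but_not_system32(path):
    """True for executables under C:\\WINDOWS that are not in System32 and are
    not explorer.exe; legitimate autostarts rarely live there."""
    p = path.lower().replace("/", "\\")
    if not p.startswith("c:\\windows\\") or p.startswith("c:\\windows\\system32\\"):
        return False
    return p.rsplit("\\", 1)[-1] != "explorer.exe"


def assess(section, body):
    """Return the list of reasons an entry deserves a second look (empty if none)."""
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("references a file that no longer exists")
    if section in ("R0", "R1"):
        m = URL_RE.search(body)
        if m and m.group(2).lower() not in KNOWN_SEARCH_HOSTS:
            reasons.append(f"search setting redirected to {m.group(2)}")
    if section == "R3" and "is missing" in body:
        reasons.append("default URLSearchHook has been removed")
    if section in ("O4", "O23"):
        path = _first_path(body)
        if path and _in_windows_dir_but_not_system32(path):
            reasons.append(f"executable in the Windows directory outside System32: {path}")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no recorded publisher")
    return reasons


def triage(log_text):
    """Parse a HijackThis log and return the entries that match any heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines and the running-process list are skipped
        section, body = m.groups()
        reasons = assess(section, body)
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", f.line)
        for r in f.reasons:
            print("    -", r)
```

The heuristics are deliberately conservative: a hit means "ask an expert about this line", which is exactly how the thread treats the log. Entries with vendor-signed paths under Program Files (the AVG lines) pass untouched, while the two services and Run entries launched from the Windows root are surfaced together with the search-page redirect.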



#2
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello inkyspanky

You have the narrator trojan among a few other things. This will take a few steps to clean up but shouldn't be too bad.

Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

Edited by loophole, 20 October 2005 - 10:00 PM.

  • 0

#3
inkyspanky

    Member

  • Topic Starter
  • Member
  • 36 posts
Hi there, thanks for the quick reply!! My computer is so bad I cannot even turn it on for a minute without it either locking up or shutting itself down and telling me there was a fatal error, BUT I got on long enough to do all that stuff (it took all day) and I had to email the log text to myself and am now on a friend's computer cutting and pasting. ANYWAYS here it is...

the WinPFind file thing:

WARNING: not all files found by this scanner are bad. Consult with a
knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can
ignore it. Windows somethimes displays this message due to the high
volume of disk I/O. As long as the hard disk light is flashing, the
program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2
Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
FSG! 10/8/2005 1:25:00 AM RHS 5250940 C:\AVG6DB_F.DAT
UPX! 2/11/2005 10:58:18 PM 54208 C:\Install.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 9/23/2005 5:12:32 PM 545280
C:\WINDOWS\flashax.exe

Checking %System% folder...
UPX! 10/20/2005 6:26:40 PM 374272
C:\WINDOWS\SYSTEM32\93_app13.exe
UPX! 10/20/2005 6:25:32 PM 29696
C:\WINDOWS\SYSTEM32\APD123.exe
PEC2 9/3/2002 1:30:40 PM 41397
C:\WINDOWS\SYSTEM32\dfrg.msc
69.59.186.63 10/21/2005 3:32:40 PM 10240
C:\WINDOWS\SYSTEM32\ebdnn.dll
209.66.67.134 10/21/2005 3:32:40 PM 10240
C:\WINDOWS\SYSTEM32\ebdnn.dll
web-nex 10/21/2005 3:32:40 PM 10240
C:\WINDOWS\SYSTEM32\ebdnn.dll
winsync 10/21/2005 3:32:40 PM 10240
C:\WINDOWS\SYSTEM32\ebdnn.dll
FSG! 8/19/2001 8:30:46 AM 11589
C:\WINDOWS\SYSTEM32\eliteaxk32.exe
FSG! 8/19/2001 8:30:46 AM 11589
C:\WINDOWS\SYSTEM32\elitefeu32.exe
FSG! 8/19/2001 8:30:46 AM 11589
C:\WINDOWS\SYSTEM32\elitefjk32.exe
FSG! 8/19/2001 8:30:46 AM 11589
C:\WINDOWS\SYSTEM32\elitefmf32.exe
FSG! 8/19/2001 8:30:46 AM 11589
C:\WINDOWS\SYSTEM32\elitefna32.exe
FSG! 8/19/2001 8:30:46 AM 11589
C:\WINDOWS\SYSTEM32\elitegau32.exe
FSG! 8/19/2001 8:30:46 AM 11589
C:\WINDOWS\SYSTEM32\elitegjo32.exe
FSG! 8/19/2001 8:30:46 AM 11589
C:\WINDOWS\SYSTEM32\elitegsd32.exe
FSG! 8/19/2001 8:30:46 AM 11589
C:\WINDOWS\SYSTEM32\elitejpy32.exe
FSG! 8/19/2001 8:30:46 AM 11589
C:\WINDOWS\SYSTEM32\elitejtv32.exe
FSG! 8/19/2001 8:30:46 AM 11881
C:\WINDOWS\SYSTEM32\elitekad32.exe
FSG! 8/19/2001 8:30:46 AM 11589
C:\WINDOWS\SYSTEM32\elitekpc32.exe
FSG! 8/19/2001 8:30:46 AM 11589
C:\WINDOWS\SYSTEM32\elitemdy32.exe
FSG! 8/19/2001 8:30:46 AM 11881
C:\WINDOWS\SYSTEM32\elitencc32.exe
FSG! 8/19/2001 8:30:46 AM 11881
C:\WINDOWS\SYSTEM32\elitepyn32.exe
FSG! 8/19/2001 8:30:46 AM 11589
C:\WINDOWS\SYSTEM32\elitexwy32.exe
FSG! 8/19/2001 8:30:46 AM 11593
C:\WINDOWS\SYSTEM32\elitexxb32.exe
FSG! 8/19/2001 8:30:46 AM 11589
C:\WINDOWS\SYSTEM32\elitezke32.exe
FSG! 8/19/2001 8:30:46 AM 11589
C:\WINDOWS\SYSTEM32\elitezvc32.exe
PEC2 10/26/2003 8:56:50 PM 153600
C:\WINDOWS\SYSTEM32\email.ocx
69.59.186.63 10/21/2005 3:32:38 PM 46080
C:\WINDOWS\SYSTEM32\fgdjjjk.dll
209.66.67.134 10/21/2005 3:32:38 PM 46080
C:\WINDOWS\SYSTEM32\fgdjjjk.dll
web-nex 10/21/2005 3:32:38 PM 46080
C:\WINDOWS\SYSTEM32\fgdjjjk.dll
winsync 10/21/2005 3:32:38 PM 46080
C:\WINDOWS\SYSTEM32\fgdjjjk.dll
69.59.186.63 10/20/2005 6:52:38 PM 200704
C:\WINDOWS\SYSTEM32\installer216.exe
209.66.67.134 10/20/2005 6:52:38 PM 200704
C:\WINDOWS\SYSTEM32\installer216.exe
66.63.167.97 10/20/2005 6:52:38 PM 200704
C:\WINDOWS\SYSTEM32\installer216.exe
66.63.167.77 10/20/2005 6:52:38 PM 200704
C:\WINDOWS\SYSTEM32\installer216.exe
web-nex 10/20/2005 6:52:38 PM 200704
C:\WINDOWS\SYSTEM32\installer216.exe
winsync 10/20/2005 6:52:38 PM 200704
C:\WINDOWS\SYSTEM32\installer216.exe
rec2_run 10/20/2005 6:52:38 PM 200704
C:\WINDOWS\SYSTEM32\installer216.exe
PECompact2 9/9/2005 12:08:28 AM 1997664
C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/9/2005 12:08:28 AM 1997664
C:\WINDOWS\SYSTEM32\MRT.exe
UPX! 8/22/2001 9:00:00 PM 86030
C:\WINDOWS\SYSTEM32\msdjgk.dll
UPX! 8/22/2001 9:00:00 PM 218624
C:\WINDOWS\SYSTEM32\mseggo.gif
UPX! 8/22/2001 9:00:00 PM 215040
C:\WINDOWS\SYSTEM32\msfaol.dll
UPX! 8/22/2001 9:00:00 PM 170496
C:\WINDOWS\SYSTEM32\msiaih.dll
UPX! 8/22/2001 9:00:00 PM 113664
C:\WINDOWS\SYSTEM32\msnimk.gif
UPX! 10/20/2005 6:30:08 PM 25105
C:\WINDOWS\SYSTEM32\MTE2ODM6ODoxNg.exe
UPX! 10/20/2005 9:53:16 PM 67584
C:\WINDOWS\SYSTEM32\nsa3.dll
aspack 8/4/2004 4:56:36 AM 708096
C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 4:56:44 AM 657920
C:\WINDOWS\SYSTEM32\rasdlg.dll
FSG! 8/19/2001 8:30:46 AM 11593
C:\WINDOWS\SYSTEM32\temperror32.dat
PEC2 10/29/2003 12:34:54 AM 130560
C:\WINDOWS\SYSTEM32\tray.ocx
winsync 9/3/2002 2:10:48 PM 1309184
C:\WINDOWS\SYSTEM32\wbdbase.deu
69.59.186.63 10/20/2005 6:52:42 PM 30720
C:\WINDOWS\SYSTEM32\wuauclt.dll
209.66.67.134 10/20/2005 6:52:42 PM 30720
C:\WINDOWS\SYSTEM32\wuauclt.dll
66.63.167.97 10/20/2005 6:52:42 PM 30720
C:\WINDOWS\SYSTEM32\wuauclt.dll
66.63.167.77 10/20/2005 6:52:42 PM 30720
C:\WINDOWS\SYSTEM32\wuauclt.dll
web-nex 10/20/2005 6:52:42 PM 30720
C:\WINDOWS\SYSTEM32\wuauclt.dll
winsync 10/20/2005 6:52:42 PM 30720
C:\WINDOWS\SYSTEM32\wuauclt.dll
rec2_run 10/20/2005 6:52:42 PM 30720
C:\WINDOWS\SYSTEM32\wuauclt.dll

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 2:41:38 AM 1309184
C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Checking the Windows folder and sub-folders for system and hidden files
within the last 60 days...
10/21/2005 3:35:46 PM S 2048
C:\WINDOWS\bootstat.dat
9/13/2005 5:54:36 PM RHS 209920
C:\WINDOWS\msclean.exe
10/21/2005 3:34:28 PM H 24 C:\WINDOWS\p0JqG
10/21/2005 3:35:36 PM H 8192
C:\WINDOWS\system32\config\default.LOG
10/21/2005 3:36:24 PM H 1024
C:\WINDOWS\system32\config\SAM.LOG
10/21/2005 3:35:48 PM H 16384
C:\WINDOWS\system32\config\SECURITY.LOG
10/21/2005 3:36:38 PM H 77824
C:\WINDOWS\system32\config\software.LOG
10/21/2005 3:35:56 PM H 749568
C:\WINDOWS\system32\config\system.LOG
9/15/2005 4:00:54 AM H 1024
C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
10/21/2005 3:35:04 PM H 6
C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
5/25/2004 12:06:58 PM 417792
C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 68608
C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 549888
C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 110592
C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 135168
C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 80384
C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 155136
C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 1/23/2005 11:33:44 AM 94208
C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 358400
C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 129536
C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 380416
C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 68608
C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 9/3/2002 1:40:02 PM 187904
C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 618496
C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 9/3/2002 1:47:04 PM 35840
C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 25600
C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 257024
C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 32768
C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/17/2002 5:04:56 PM 45154
C:\WINDOWS\SYSTEM32\plugincpl131_04.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 114688
C:\WINDOWS\SYSTEM32\powercfg.cpl
12/29/2002 3:14:38 AM 81920
C:\WINDOWS\SYSTEM32\Startup.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 298496
C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 9/3/2002 2:06:38 PM 28160
C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 94208
C:\WINDOWS\SYSTEM32\timedate.cpl
10/20/2005 7:01:28 PM 31744
C:\WINDOWS\SYSTEM32\vgactl.cpl
Microsoft Corporation 8/4/2004 4:56:58 AM 148480
C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 5:16:30 AM 174360
C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 9/3/2002 1:40:02 PM 187904
C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 9/3/2002 1:47:04 PM 35840
C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 9/3/2002 2:06:38 PM 28160
C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 5:16:30 AM 174360
C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 4/7/2003 4:14:30 AM 94208
C:\WINDOWS\SYSTEM32\ReinstallBackups\0008\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/27/2005 9:05:52 PM 638 C:\Documents
and Settings\All Users\Start
Menu\Programs\Startup\AOL Instant Messenger.lnk
7/28/2004 12:11:36 AM HS 84 C:\Documents
and Settings\All Users\Start
Menu\Programs\Startup\desktop.ini
10/21/2005 3:32:36 PM 91648 C:\Documents
and Settings\All Users\Start
Menu\Programs\Startup\rtdk.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...
7/27/2004 5:04:06 PM HS 62 C:\Documents
and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
7/28/2004 12:11:36 AM HS 84 C:\Documents
and Settings\Administrator\Start
Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
7/27/2004 5:04:06 PM HS 62 C:\Documents
and Settings\Administrator\Application
Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\User Agent\Post Platform]
SV1 =
iebar =
acc=ventura5 =
acc=none =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell
Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell
Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
C:\PROGRA~1\Grisoft\AVG6\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mqgnnntm
{59507ee8-7ec6-4809-aadc-db2058443e20} = C:\WINDOWS\system32\ebdnn.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG
Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
C:\PROGRA~1\Grisoft\AVG6\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline
Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC}
wb = C:\WINDOWS\system32\nsa3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer
Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}
MenuText = Java :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM95\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer
Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address :
%SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links :
%SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AVG_CC C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
DeadAIM rundll32.exe "C:\PROGRA~1\AIM95\DeadAIM.ocm",ExportedCheckODLs
SpyBlocker C:\Program Files\SpyBlocker Software\spyblocker.exe
IgfxTray C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
msclean C:\WINDOWS\msclean.exe
APD123 C:\WINDOWS\system32\APD123.exe
yyhgcpt C:\WINDOWS\yyhgcpt.exe
winsync C:\WINDOWS\system32\sdkggg.exe reg_run
SurfSideKick 3 C:\Program Files\SurfSideKick 3\Ssk.exe
System service76 C:\WINDOWS\etb\pokapoka76.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} =
C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} =
%SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} =
%SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} =
%SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} =
C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/21/2005 3:46:21 PM







and here is the Track qoo log:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_CC"="C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP"
"DeadAIM"="rundll32.exe
\"C:\\PROGRA~1\\AIM95\\DeadAIM.ocm\",ExportedCheckODLs"
"SpyBlocker"="C:\\Program Files\\SpyBlocker Software\\spyblocker.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"msclean"="C:\\WINDOWS\\msclean.exe"
"APD123"="C:\\WINDOWS\\system32\\APD123.exe"
"yyhgcpt"="C:\\WINDOWS\\yyhgcpt.exe"
"winsync"="C:\\WINDOWS\\system32\\sdkggg.exe reg_run"
"SurfSideKick 3"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"System service76"="C:\\WINDOWS\\etb\\pokapoka76.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7}
C:\PROGRA~1\Grisoft\AVG6\avgse.dll

Subkey --- mqgnnntm
{59507ee8-7ec6-4809-aadc-db2058443e20}
C:\WINDOWS\system32\ebdnn.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

AOL Instant Messenger.lnk
desktop.ini
rtdk.exe
==============================
C:\Documents and Settings\Owner\Start Menu\Programs\Startup

AOL Instant Messenger.lnk
desktop.ini
rtdk.exe
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


ac3filter.cpl
access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
igfxcpl.cpl Intel Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
plugincpl131_04.cpl Sun Microsystems
powercfg.cpl Microsoft Corporation
Startup.cpl
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
vgactl.cpl
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation



Let me know what to do next!!! Thanks so much!!

-Christine (inkyspanky)
  • 0

#4
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello Inkyspanky :tazz:

Please save these directions in Notepad and save them to your desktop for use in Safe Mode.

Download Pocket KillBox from here. There is a Direct Download and a description of what the Program does inside this link.

Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mqgnnntm]

[-HKEY_CLASSES_ROOT\CLSID\{59507ee8-7ec6-4809-aadc-db2058443e20}]


Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"

C:\WINDOWS\SYSTEM32\msdjgk.dll
C:\WINDOWS\SYSTEM32\mseggo.gif
C:\WINDOWS\SYSTEM32\msfaol.dll
C:\WINDOWS\SYSTEM32\msiaih.dll
C:\WINDOWS\SYSTEM32\msnimk.gif
C:\WINDOWS\SYSTEM32\wuauclt.dll
C:\WINDOWS\SYSTEM32\vgactl.cpl
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rtdk.exe
C:\WINDOWS\yyhgcpt.exe
C:\WINDOWS\system32\sdkggg.exe
C:\WINDOWS\btxfsst.exe
C:\WINDOWS\msclean.exe


As you Paste each entry into Killbox, place a tick by any of these Selections available

"Delete on Reboot"
"Unregister .dll before Deleting"


Click the Red Circle with the White X in the Middle to Delete!

Restart in Safe Mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Surfsidekick
CMSystem



Now open the directions you saved on your desktop.

Run those filepaths through Killbox once more to be sure nothing survived. (If all the files aren't there this time, just continue with the files that are in there.)

This time place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"


Now Locate and DoubleClick KillQoo.reg-> Allow it to merge into the Registry!

Reboot

Please download LQfix.exe from one of the following locations:
  • http://www.downloads.subratam.org/LQfix.exe
  • http://miekiemoes.geekstogo.com/tools/LQfix.exe

  • Save it to your desktop.
  • Double-Click LQfix.exe and click Next > Next > Install.
  • Leave the default settings, if you change them, the fix will Fail!
  • You need an active Internet Connection, so make sure you're not blocking any connection now.
  • Now make sure the "Launch LQfix" box is checked.
  • Click the Finish button, after clicking the Finish button the fix will start.
  • Follow the on-screen prompts.
  • Your system will reboot afterwards.
  • Please be patient after the reboot, there is a script running in the background that needs to complete.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.type2find.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.type2find.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.type2find.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.type2find.com/sp2.php
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [yyhgcpt] C:\WINDOWS\yyhgcpt.exe
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKLM\..\Run: [msclean] C:\WINDOWS\msclean.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\sdkggg.exe reg_run
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)


Now close all windows other than HiJackThis, then click Fix Checked.

Please post a new HijackThis log.

Thanks :)

#5
inkyspanky
Member, Topic Starter, 36 posts
OK, sorry that took so long. Thanks again for the fast help. I did all that stuff; it went fairly smoothly. At the end, when I did the final HijackThis scan, the first five items you listed to check off and "fix" were not there. Hope that's okay. Alright, things are working quicker already and my computer isn't shutting itself down, but while posting this reply I have gotten four popups. I don't know if that matters or whatever... anyways, here is my HijackThis log thing:



Logfile of HijackThis v1.99.1
Scan saved at 2:54:47 PM, on 10/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\AIM95\aim.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsa3.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: AOL Instant Messenger.lnk = C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave...mjolauncher.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\btxfsst.exe (file missing)

OK, is that all? Is there anything else that I need to do? I know for sure I'm downloading all new virus scanners and things. I have an old version of AVG and an old version of Ad-Aware, also a really old Spybot. Are there any scanner things that you recommend I download to do regular scans on my own?

thanks again for all your help, let me know if there is anything else to do.

-christine jordan

#6
loophole
Malware Expert, Retired Staff, 9,798 posts
Hello :tazz:

Nope, we're not done yet, but we don't have too much farther to go.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsa3.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked.

Go to Start->Run and type "Services.msc" (without quotes), then hit OK.
Scroll down and find the below service:


Windows Overlay Components


When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab change the Startup Type to Disabled. Now hit Apply and then OK.

Please reboot into Safe Mode (continually tap the F8 key while your system is starting, then select Safe Mode from the menu).

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

SurfSideKick 3



Please delete these folders using Windows Explorer (if present):

C:\Program Files\SurfSideKick 3




Run HiJackThis. Click on "None of the above, just start the program". Now click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the item below into that field:


Windows Overlay Components

Click OK.

It should pull up information about the service; when it asks if you want to reboot now, click YES.

Post a new hijack log and tell me how your system is running now.

Thanks :)

#7
inkyspanky
Member, Topic Starter, 36 posts
OK, I did all that and there are still popups :( Not many, so I guess it's not a big deal. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:55:35 PM, on 10/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\tbzthle.exe
C:\Program Files\CMSystem\CMSystem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\Run: [tbzthle] C:\WINDOWS\tbzthle.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave...mjolauncher.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v6.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe


Anything else?

-christine

#8
loophole
Malware Expert, Retired Staff, 9,798 posts
Well, you picked up some more. Just hang in there and we can get this system clean.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\Run: [tbzthle] C:\WINDOWS\tbzthle.exe
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into Safe Mode.

Restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

CMSystem



Please note any other programs that you don't recognize in that list in your next response.

Please delete these folders using Windows Explorer (if present):

C:\Program Files\CMSystem

Please delete these files using Windows Explorer (if present):

C:\WINDOWS\tbzthle.exe
C:\WINDOWS\system32\APD123.exe

After that, reboot.

Please run this online virus scan:
Panda ActiveScan. You need to use Internet Explorer for this scan.
  • Once you get to the Panda site, scroll down a bit and click on Scan your PC
  • A new window will appear; click on Check Now!
  • A new window will appear; fill in the boxes (Country, State, email addy)
  • Click on Scan Now! >
    If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
  • From "Select a device to scan...", choose "My Computer"
  • Allow the scan to run. It'll take a while.
  • When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
  • I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here. Also post a new HijackThis log.

Thanks :tazz:
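The triage rule loophole applies across posts #4, #6 and #8 (entries pointing at missing files, random-named executables dropped straight into C:\WINDOWS, an HTML MIME filter, a service with no owner, and autoruns nobody recognises) can be automated for HijackThis 1.99 logs. The Python script below is an added example, not code from this thread or from HijackThis; the allow-lists are assumptions a helper would maintain per machine, and the sample log is constructed from lines quoted in the thread.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

ENTRY = re.compile(r"^([RO]\d+) - (.*)$")          # "O4 - HKLM\..\Run: ..."
RUN_NAME = re.compile(r"\\Run: \[([^\]]+)\]")       # the [name] of an O4 Run entry
# Random lowercase name dropped straight into C:\WINDOWS (yyhgcpt.exe, tbzthle.exe)
RANDOM_WINDOWS_EXE = re.compile(r"C:\\WINDOWS\\[a-z]{6,8}\.exe")

# Assumption: allow-lists a helper would keep for this particular machine.
KNOWN_GOOD_RUN = {"AVG_CC", "DeadAIM", "SpyBlocker", "IgfxTray",
                  "HotKeysCmds", "QuickTime Task", "MSMSGS"}
TRUSTED_SEARCH_HOSTS = {"www.google.com", "search.msn.com", "www.yahoo.com"}


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for the lines a helper would tick and Fix."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header and 'Running processes' lines are not entries
        sect, body = m.groups()
        reasons = []
        if sect in ("R0", "R1") and "http" in body:
            host = urlparse(body.split("= ", 1)[-1]).hostname or ""
            if host not in TRUSTED_SEARCH_HOSTS:
                reasons.append(f"IE search/start page redirected to {host}")
        if sect == "R3":
            reasons.append("URLSearchHook replaced or missing")
        if "(no file)" in body:
            reasons.append("orphaned entry, target file is gone")
        if sect == "O4":
            name = RUN_NAME.search(body)
            if name and name.group(1) not in KNOWN_GOOD_RUN:
                reasons.append(f"unrecognised autorun '{name.group(1)}'")
            if RANDOM_WINDOWS_EXE.search(body):
                reasons.append("random-named executable in C:\\WINDOWS")
        if sect == "O18" and body.startswith("Filter: text/html"):
            reasons.append("MIME filter hooking every HTML page (ad injector)")
        if sect == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            reasons.append("service with unknown owner or missing binary")
        if reasons:
            hits.append((line, "; ".join(reasons)))
    return hits


# Constructed sample: a handful of lines taken from the logs quoted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\yyhgcpt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.type2find.com/sp2.php
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [yyhgcpt] C:\WINDOWS\yyhgcpt.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\sdkggg.exe reg_run
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\btxfsst.exe (file missing)
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"FIX  {entry}\n     -> {why}")
```

The Messenger O9 line with "(file missing)" is deliberately left alone, matching the thread, where only the orphaned "(no file)" entries and the ownerless O23 service were fixed.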

#9
inkyspanky
Member, Topic Starter, 36 posts
Hello. OK, I fixed the things on HijackThis. I went to Safe Mode... that program to remove was not there, and I did not notice any unfamiliar things. I rebooted and had a problem with the Panda scan. I got to the screen with the country etc. and then I clicked scan. I must already have the ActiveX thing, because it started scanning; it did not give me the option that you mentioned about choosing which device to scan... and then it just went to a blank screen. Two progress bars completed and then the screen just went white like it was thinking, but nothing happened. I closed it and did it again and it did the same two scans (quicker this time) and then just went to a white screen. I don't know what that means. BUT throughout all this I haven't gotten one popup and it's working very quickly. Here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:41:05 PM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM95\aim.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave...mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe



OK, sorry that didn't work. Let me know what else to do.

-christine

#10
loophole
Malware Expert, Retired Staff, 9,798 posts
Let's try this one.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

#11
inkyspanky
Member, Topic Starter, 36 posts
I cannot use that program. My computer for some reason does not let me click on buttons on websites. I do not know why; it is so frustrating. Usually I can right-click and select "open in new window" or something, but this button won't let me do that. I had the same problem with the Panda one too, but I was able to copy and paste the link from my roommate's computer to mine, but this one will not work. I'm sorry, this is probably frustrating for you too. I don't know what to do.

-christine

#12
loophole
Malware Expert, Retired Staff, 9,798 posts
Do you get the prompt to install the ActiveX at the top of the screen?

#13
inkyspanky
Member, Topic Starter, 36 posts
No, my computer does not even click the button. It just stays at the same screen. But anyways, I think that I already have that, because when I did the Panda one it scanned without saying anything about ActiveX. I have not been using my computer at all; I have left it off, just turning it on when I need to try to do something that you told me. Is this a good thing? Should I have it on? Or is off good?

#14
loophole
Malware Expert, Retired Staff, 9,798 posts
You do have the ActiveX for the Panda scan; I missed that. Download these two programs:

Spywareblaster

1. Install it
2. Check for and download updates
3. Then enable all protection

Spybot Search & Destroy

1. Install it
2. Check for updates and download them
3. Immunize the system

Now go do some surfing and tell me how the computer runs. :tazz:

Edited by loophole, 01 November 2005 - 05:39 PM.


#15
inkyspanky
Member, Topic Starter, 36 posts
Hi there. Did that. Everything seems to be working alright now. Not as fast as usual, and still a few popups, but certainly an improvement. Thanks for all your help. Here is a final log thing; I don't know if you need it, but here it is:

Logfile of HijackThis v1.99.1
Scan saved at 3:49:41 AM, on 11/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave...mjolauncher.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.co...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe


Do you have a recommendation for a virus scanner? Is AVG good? I have the old one and it's screwed up, so I am going to uninstall it and get a new one. What do you suggest?

thanks again
-christine jordan