[angelslacker]

i tried ad-aware, spybot s&d, etc.. but it still returns to about:blank

Logfile of HijackThis v1.98.2
Scan saved at 11:13:36 AM, on 1/13/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\sysjm.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Winamp3\Winamp\winampa.exe
C:\WINDOWS\system32\winqn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lqidf.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lqidf.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lqidf.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lqidf.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lqidf.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lqidf.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lqidf.dll/sp.html#12345
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Angel\Application Data\Mozilla\Profiles\default\nxqoszay.slt\prefs.js)
O2 - BHO: (no name) - {64CA0FC6-5085-C447-8988-25C5AC6CDBBE} - C:\WINDOWS\system32\netuu32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Gram Exit] C:\PROGRA~1\OOZEPU~1\Film dash.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp3\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\PINNACLE\PPE\ppe.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [imekrmig] C:\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [8.tmp] C:\DOCUME~1\Angel\LOCALS~1\Temp\8.tmp.exe 0 10001
O4 - HKLM\..\Run: [winqn.exe] C:\WINDOWS\system32\winqn.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - Global Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.awmdabest.com
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097068904046
O16 - DPF: {79E81BD1-2549-4625-8B70-3D55B1DAF971} (File Class) - http://www.pdbox.co....up/FileUtil.cab
O16 - DPF: {7FC751A9-492D-41B1-9F8D-D2C8809D8907} (EmoWebInstallerCtl Class) - http://pimg.hanmail....TVInstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DA3F9206-FDFF-4079-B5AA-E5361051EB3C} (PDBOXUploadCtrl Control) - http://www.pdbox.co....PdBoxUpload.cab
O16 - DPF: {ED1EEBEE-F0AA-474B-9829-61C482E72644} (PDBox25 Control) - http://www.pdbox.co....own/PDBox25.cab

[Advertisements]

Download and run About:Buster http://www.majorgeek...wnload4289.html
It ususally takes two runs to get cleaned.

Download CWShredder from http://www.intermute...r_download.html
Use the Fix button.

Then get HijackThis version 1.99 and post a log made with that.

Regards,

Pieter

[Metallica]

Download and run About:Buster http://www.majorgeek...wnload4289.html
It ususally takes two runs to get cleaned.

Download CWShredder from http://www.intermute...r_download.html
Use the Fix button.

Then get HijackThis version 1.99 and post a log made with that.

Regards,

Pieter

[angelslacker]

i downloaded the free CWShredder...

Logfile of HijackThis v1.99.0
Scan saved at 4:27:31 PM, on 1/17/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\sysjm.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Winamp3\Winamp\winampa.exe
C:\WINDOWS\system32\winqn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Angel\Application Data\Mozilla\Profiles\default\nxqoszay.slt\prefs.js)
O2 - BHO: (no name) - {15EAF32F-E910-66D5-9145-A0FEDA5A8A51} - C:\WINDOWS\netrl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Gram Exit] C:\PROGRA~1\OOZEPU~1\Film dash.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp3\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\PINNACLE\PPE\ppe.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [winqn.exe] C:\WINDOWS\system32\winqn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - Global Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range:  (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097068904046
O16 - DPF: {79E81BD1-2549-4625-8B70-3D55B1DAF971} (File Class) - http://www.pdbox.co....up/FileUtil.cab
O16 - DPF: {7FC751A9-492D-41B1-9F8D-D2C8809D8907} (EmoWebInstallerCtl Class) - http://pimg.hanmail....TVInstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DA3F9206-FDFF-4079-B5AA-E5361051EB3C} (PDBOXUploadCtrl Control) - http://www.pdbox.co....PdBoxUpload.cab
O16 - DPF: {ED1EEBEE-F0AA-474B-9829-61C482E72644} (PDBox25 Control) - http://www.pdbox.co....own/PDBox25.cab
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: PC-cillin PersonalFirewall - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\sysjm.exe

[Metallica]

Did you also use About: Buster ??

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {15EAF32F-E910-66D5-9145-A0FEDA5A8A51} - C:\WINDOWS\netrl.dll

O4 - HKLM\..\Run: [Gram Exit] C:\PROGRA~1\OOZEPU~1\Film dash.exe

O4 - HKLM\..\Run: [winqn.exe] C:\WINDOWS\system32\winqn.exe

O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime

O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab

O23 - Service: Network Security Service - Unknown - C:\WINDOWS\sysjm.exe

Download: DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Reboot into safe mode and delete:
C:\PROGRAM FILES\OOZEPU~1 <= entire folder. the name is abbreviated , but the folder should hold the file Film dash.exe
c:\ied_s7.cab
c:\x.cab
C:\WINDOWS\system32\winqn.exe

Regards,.

Pieter

[angelslacker]

yes i also dl-ed/used about:buster from the site you gave me...

[Metallica]

OK. I would have expected that to work for this particular variant.

Can you post a new log after follwoing the instructions above?

Regards,

Pieter

[angelslacker]

Reboot into safe mode and delete:
C:\PROGRAM FILES\OOZEPU~1 <= entire folder. the name is abbreviated , but the folder should hold the file Film dash.exe
c:\ied_s7.cab
c:\x.cab
C:\WINDOWS\system32\winqn.exe

i only found this & deleted it:
C:\WINDOWS\system32\winqn.exe
~ i cannot find the rest that you posted.

O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime

i didn't delete this one because i'm using this one when i watch/write dvd, do i have to delete this?!

Logfile of HijackThis v1.99.0
Scan saved at 1:22:01 PM, on 1/19/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Winamp3\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Pinnacle\SHARED~1\Filter\server.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Angel\Application Data\Mozilla\Profiles\default\nxqoszay.slt\prefs.js)
O2 - BHO: (no name) - {557DB264-B787-9FAF-B38E-5229D7E658DF} - C:\WINDOWS\system32\winwc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp3\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\PINNACLE\PPE\ppe.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - Global Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097068904046
O16 - DPF: {79E81BD1-2549-4625-8B70-3D55B1DAF971} (File Class) - http://www.pdbox.co....up/FileUtil.cab
O16 - DPF: {7FC751A9-492D-41B1-9F8D-D2C8809D8907} (EmoWebInstallerCtl Class) - http://pimg.hanmail....TVInstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DA3F9206-FDFF-4079-B5AA-E5361051EB3C} (PDBOXUploadCtrl Control) - http://www.pdbox.co....PdBoxUpload.cab
O16 - DPF: {ED1EEBEE-F0AA-474B-9829-61C482E72644} (PDBox25 Control) - http://www.pdbox.co....own/PDBox25.cab
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: PC-cillin PersonalFirewall - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

[Metallica]

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {557DB264-B787-9FAF-B38E-5229D7E658DF} - C:\WINDOWS\system32\winwc.dll

Reboot and post a new log.

If you use the PowerBar every time you turn your computer on, you can leave it enabled.

Regards,

Pieter

[angelslacker]

Logfile of HijackThis v1.99.0
Scan saved at 10:04:48 AM, on 1/24/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Winamp3\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\CTFMON.EXE
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\unzipped\hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Angel\Application Data\Mozilla\Profiles\default\nxqoszay.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp3\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\PINNACLE\PPE\ppe.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - Global Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097068904046
O16 - DPF: {79E81BD1-2549-4625-8B70-3D55B1DAF971} (File Class) - http://www.pdbox.co....up/FileUtil.cab
O16 - DPF: {7FC751A9-492D-41B1-9F8D-D2C8809D8907} (EmoWebInstallerCtl Class) - http://pimg.hanmail....TVInstaller.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {DA3F9206-FDFF-4079-B5AA-E5361051EB3C} (PDBOXUploadCtrl Control) - http://www.pdbox.co....PdBoxUpload.cab
O16 - DPF: {ED1EEBEE-F0AA-474B-9829-61C482E72644} (PDBox25 Control) - http://www.pdbox.co....own/PDBox25.cab
O23 - Service: PC-cillin PersonalFirewall - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

[Metallica]

That looks good now. Is your computer behaving too?

Regards,

Pieter

[twin_graffitee]

Logfile of HijackThis v1.99.0
Scan saved at 6:59:49 PM, on 1/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\netclnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\System32\winasp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system\lsvchost.exe
C:\WINDOWS\System32\aa.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\mpwe.exe
C:\WINDOWS\System32\navprotect.exe
C:\Program Files\DeskAd Service\DeskAdServ.exe
C:\Program Files\AdStatus Service\AdStatServ.exe
C:\Program Files\DeskAd Service\DeskAdKeep.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\WINDOWS\System32\npfw32.exe
C:\Program Files\AdStatus Service\AdStatKeep.exe
C:\WINDOWS\system\rvchost.exe
C:\Program Files\Admanager Controller\AdManKeep.exe
C:\Program Files\Winamp3\Winamp\winamp.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Yahoo!\Messenger\yupdater.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O4 - HKLM\..\Run: [*dnsav] C:\WINDOWS\Tasks\dnsav.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] svzhost.exe
O4 - HKLM\..\Run: [l1] C:\WINDOWS\System32\aa.exe
O4 - HKLM\..\Run: [MSN Messenge] winlogin.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Windows Media Player] mpwe.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [imekrmig] C:\IME\IMKR\imekrmig.exe
O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvgfv32.exe
O4 - HKLM\..\Run: [NvCplScan] winasp.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [Norton Personal Firewall] npfw32.exe
O4 - HKLM\..\Run: [winmgr.exe] scvhost.exe
O4 - HKLM\..\Run: [.symantec] C:\WINDOWS\system\rvchost.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [Zonealarm] iexplore.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] svzhost.exe
O4 - HKLM\..\RunServices: [MSN Messenge] winlogin.exe
O4 - HKLM\..\RunServices: [Windows Media Player] mpwe.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O4 - HKLM\..\RunServices: [Norton Personal Firewall] npfw32.exe
O4 - HKLM\..\RunServices: [winmgr.exe] scvhost.exe
O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Zonealarm] iexplore.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] svzhost.exe
O4 - HKCU\..\Run: [MSN Messenge] winlogin.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [Windows Media Player] mpwe.exe
O4 - HKCU\..\Run: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [Norton Personal Firewall] npfw32.exe
O4 - HKCU\..\RunServices: [MSN Messenge] winlogin.exe
O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\XI\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\XI\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.2...uka.chm::/x.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {58CDB34C-B4D7-418B-A0FB-C4C8A01C2F0E} - http://pi2.51.net/download/diybar.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097066570187
O16 - DPF: {90231C0E-765E-4429-8F70-F4E9A0F8D44A} (WebCtrl Class) - http://www.peeringpo...7/FandangoV.cab
O16 - DPF: {D1792F99-AA90-4D46-8B73-2CE45DADDD3C} (WAFDownloader Class) - https://www.web-a-fi...edownloader.cab
O16 - DPF: {FFCEABDA-C04E-7F4A-E9B6-DFA72B2F49FB} - http://213.200.210.1...1/PH905_138.exe
O18 - Protocol: start - (no CLSID) - (no file)
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Client - Unknown - C:\WINDOWS\system32\netclnt.exe
O23 - Service: WinFax PRO - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

[Metallica]

twin_graffitee,

Please start your own thread, but do a virusscan first, for example here:
http://housecall.antivirus.com/

Regards,

Pieter

[angelslacker]

That looks good now. Is your computer behaving too?

Regards,

Pieter

yes its okay now, thank you very much...!!!

[Metallica]

yes its okay now, thank you very much...!!!

Good.


Glad we could help.

Safe surfing,

Pieter