- awaiting further instructions.
(Denmark lost, DARN! - think I'm gonna have to be the Official Spanker of the Danish Women's Nat. Handball team)
Ty Sam
Removing ad.oinadserver
Started by
lawndart
, Dec 08 2005 08:24 AM
#16
Posted 18 December 2005 - 04:38 AM
lawndart
- Topic Starter
-
- Member
-
- 14 posts
Member
- awaiting further instructions.
(Denmark lost, DARN! - think I'm gonna have to be the Official Spanker of the Danish Women's Nat. Handball team)
Ty Sam
#17
Posted 18 December 2005 - 06:59 AM
Buckeye_Sam
-
- Member
-
- 10,019 posts
Malware Expert
We're hoping for a little more info than that obviously. Try it again, but this time when you go to save the file, change where it says "Save as type:" to All files.
And the word Quote should not be included in the text that you copy.
Or if it's easier you can just download and extract the file attached here. [attachment=5269:attachment]
And the word Quote should not be included in the text that you copy.
Or if it's easier you can just download and extract the file attached here. [attachment=5269:attachment]
Edited by Buckeye_Sam, 18 December 2005 - 07:03 AM.
#18
Posted 18 December 2005 - 03:04 PM
lawndart
- Topic Starter
-
- Member
-
- 14 posts
Member
Okay, it worked - here's what was in the Notepad file, items in parantheses are my own translations:
Disken i drev C har ikke noget navn. (The disc in C drive has no name.)
Diskens serienummer er D0EE-6968 (The disc's serial number is D0EE-6968)
Indhold af C:\WINDOWS.1\system32 (Contents of C:\...etc)
09-10-2001 13:00 56.320 dvdplay.exe
18-10-2005 14:22 401.408 d?dplay.exe
2 fil(er) 457.728 byte ( 2 file(s) )
Indhold af C:\Documents and Settings\Barry.HANNE-ADGGTZJ3N\Skrivebord
(Contents of C:\Documents and Settings\Barry.HANNE-ADGGTZJ3N\Desktop)
(the language is Danish)
Disken i drev C har ikke noget navn. (The disc in C drive has no name.)
Diskens serienummer er D0EE-6968 (The disc's serial number is D0EE-6968)
Indhold af C:\WINDOWS.1\system32 (Contents of C:\...etc)
09-10-2001 13:00 56.320 dvdplay.exe
18-10-2005 14:22 401.408 d?dplay.exe
2 fil(er) 457.728 byte ( 2 file(s) )
Indhold af C:\Documents and Settings\Barry.HANNE-ADGGTZJ3N\Skrivebord
(Contents of C:\Documents and Settings\Barry.HANNE-ADGGTZJ3N\Desktop)
(the language is Danish)
#19
Posted 18 December 2005 - 03:15 PM
Buckeye_Sam
-
- Member
-
- 10,019 posts
Malware Expert
That's what we needed to see! 
The bad file is still there.
Please make sure that you can View Hidden Files
Now you need to locate this file and delete it. The ? could represent any character, but we do know that the file is around 401kb in size and it's dated 10/18/2005.
C:\WINDOWS.1\system32\d?dplay.exe
Be careful not to delete the legitimate file dvdplay.exe which is only 56kb and dated 10/9/2001.
Please post a new hijackthis log so I can give one more good review. Let me know if you are having any more problems.
The bad file is still there.
Please make sure that you can View Hidden Files
- Click Start -> My Computer
- Select Tools -> Folder options
- Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
- Also make sure that 'Display the contents of system folders' is checked.
- Make sure "Hide extensions for known file types" is unchecked
- Make sure "Hide protected operating system files (recommended)" is unchecked
- For more info on how to show hidden files click here.
Now you need to locate this file and delete it. The ? could represent any character, but we do know that the file is around 401kb in size and it's dated 10/18/2005.
C:\WINDOWS.1\system32\d?dplay.exe
Be careful not to delete the legitimate file dvdplay.exe which is only 56kb and dated 10/9/2001.
Please post a new hijackthis log so I can give one more good review. Let me know if you are having any more problems.
#20
Posted 19 December 2005 - 02:21 PM
lawndart
- Topic Starter
-
- Member
-
- 14 posts
Member
I did the Hijack search, but I haven't carried out your last direction and removed the pest, because after looking over the log I wasn't sure if it was even there - or is it?
Which one do we zap?
And do I need to do the Spybot Teatimer thing agin - I restored it back to what it was, before I made this last log.
And do I have to do the Safe Mode routine again at the conclusion?
Here's the Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 21:10:00, on 19-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS.1\System32\cisvc.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS.1\System32\nvsvc32.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\Explorer.EXE
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\HP\hpcoretech\hpcmpmgr.exe
C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS.1\system32\ctfmon.exe
C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS.1\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: (no name) - {092646CF-8755-ADAE-7DF7-D3F8FC99CDBA} - C:\WINDOWS.1\system32\nvrbxdj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmer\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Programmer\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Programmer\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programmer\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmer\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.1\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpyEmergency] "C:\Programmer\Spy Emergency 2005\SpyEmergency.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programmer\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programmer\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programmer\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Programmer\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmer\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://sites.chatspa...va/cs4ms090.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmer\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.1\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS.1\System32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe (file missing)
Thank you
Which one do we zap?
And do I need to do the Spybot Teatimer thing agin - I restored it back to what it was, before I made this last log.
And do I have to do the Safe Mode routine again at the conclusion?
Here's the Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 21:10:00, on 19-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS.1\System32\cisvc.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS.1\System32\nvsvc32.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\Explorer.EXE
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\HP\hpcoretech\hpcmpmgr.exe
C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS.1\system32\ctfmon.exe
C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS.1\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: (no name) - {092646CF-8755-ADAE-7DF7-D3F8FC99CDBA} - C:\WINDOWS.1\system32\nvrbxdj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmer\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Programmer\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Programmer\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programmer\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmer\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.1\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpyEmergency] "C:\Programmer\Spy Emergency 2005\SpyEmergency.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmer\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programmer\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programmer\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programmer\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Programmer\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmer\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://sites.chatspa...va/cs4ms090.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmer\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.1\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS.1\System32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe (file missing)
Thank you
#21
Posted 19 December 2005 - 04:05 PM
Buckeye_Sam
-
- Member
-
- 10,019 posts
Malware Expert
The file is still there. It doesn't show up in your hijackthis log any longer, but the batch file that we ran shows that it is there.
Go to My Computer -> Local Disc(C:) -> Windows.1 -> system32
Once you are in this folder look for the file named d?dplay.exe Keep in mind that the ? could represent a different character, so this may not be the exact name. But it is 401kb and dated 10/18/05. Once you find this file, right click on it and select Delete.
Now you do need to disable Spybot's Teatimer again in order complete this next part successfully.
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.
O2 - BHO: (no name) - {092646CF-8755-ADAE-7DF7-D3F8FC99CDBA} - C:\WINDOWS.1\system32\nvrbxdj.dll (file missing)
Reboot and post a new hijackthis log.
Go to My Computer -> Local Disc(C:) -> Windows.1 -> system32
Once you are in this folder look for the file named d?dplay.exe Keep in mind that the ? could represent a different character, so this may not be the exact name. But it is 401kb and dated 10/18/05. Once you find this file, right click on it and select Delete.
Now you do need to disable Spybot's Teatimer again in order complete this next part successfully.
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.
O2 - BHO: (no name) - {092646CF-8755-ADAE-7DF7-D3F8FC99CDBA} - C:\WINDOWS.1\system32\nvrbxdj.dll (file missing)
Reboot and post a new hijackthis log.
#22
Posted 20 December 2005 - 12:03 PM
lawndart
- Topic Starter
-
- Member
-
- 14 posts
Member
Mission accomplished? Here's the newest Hijack log -
- can we have our Kool-aid now?
These two items from your last post were all on the same line in my Hijack scan, listed as one item:
O2 - BHO: (no name) - {092646CF-8755-ADAE-7DF7-D3F8FC99CDBA} -
C:\WINDOWS.1\system32\nvrbxdj.dll (file missing)
And need I bother with Safe Mode or any of that? I'll wait til your final post for any extra stuff I gotta do I guess.
I hope Santa brings you something extra special this year Sam - maybe something from Britney's underwear drawer.
Logfile of HijackThis v1.99.1
Scan saved at 18:55:23, on 20-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\WINDOWS.1\system32\userinit.exe
C:\WINDOWS.1\Explorer.EXE
C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS.1\System32\cisvc.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\HP\hpcoretech\hpcmpmgr.exe
C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS.1\system32\ctfmon.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS.1\System32\nvsvc32.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Programmer\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmer\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Programmer\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Programmer\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programmer\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmer\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.1\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpyEmergency] "C:\Programmer\Spy Emergency 2005\SpyEmergency.exe"
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programmer\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programmer\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programmer\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Programmer\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmer\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://sites.chatspa...va/cs4ms090.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmer\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.1\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS.1\System32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe (file missing)
- can we have our Kool-aid now?
These two items from your last post were all on the same line in my Hijack scan, listed as one item:
O2 - BHO: (no name) - {092646CF-8755-ADAE-7DF7-D3F8FC99CDBA} -
C:\WINDOWS.1\system32\nvrbxdj.dll (file missing)
And need I bother with Safe Mode or any of that? I'll wait til your final post for any extra stuff I gotta do I guess.
I hope Santa brings you something extra special this year Sam - maybe something from Britney's underwear drawer.
Logfile of HijackThis v1.99.1
Scan saved at 18:55:23, on 20-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\WINDOWS.1\system32\userinit.exe
C:\WINDOWS.1\Explorer.EXE
C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS.1\System32\cisvc.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\QuickTime\qttask.exe
C:\Programmer\HP\hpcoretech\hpcmpmgr.exe
C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS.1\system32\ctfmon.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS.1\System32\nvsvc32.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Programmer\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmer\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Programmer\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programmer\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Programmer\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programmer\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmer\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programmer\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.1\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpyEmergency] "C:\Programmer\Spy Emergency 2005\SpyEmergency.exe"
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programmer\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programmer\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programmer\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Programmer\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programmer\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://sites.chatspa...va/cs4ms090.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmer\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.1\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS.1\System32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Programmer\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe (file missing)
#23
Posted 20 December 2005 - 05:02 PM
Buckeye_Sam
-
- Member
-
- 10,019 posts
Malware Expert
I'm not going to hold my breath for anything from Britney this year, but thanks for the good wishes. I like your style lawndart. 
Your log is clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Your log is clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
- Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.
You can find instructions on how to enable and reenable system restore here:
Managing Windows Millenium System Restore
or
Windows XP System Restore Guide
Renable system restore with instructions from tutorial above
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
- Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources
- Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls
- Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
- Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
- Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware
- Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
#24
Posted 21 December 2005 - 11:10 AM
lawndart
- Topic Starter
-
- Member
-
- 14 posts
Member
Mange mange tak ska' du ha' mighty Samson!
One final q: I do enjoy surfing around erotic sites - just now and then - like many guys...and before you get some image of a gold-chain/silk-shirt/toupee-wearing barfly, I'm that type at all, noooo! LOL
Some of those sites got quicksand & landmines all over them, I know - is it just plain best to totally give these sites wide wide berth? My lifestyle certainly doesn't depend on them!
What's the status/risk of those sites?
I'll be carrying out all your precautionary steps, I already have AdAware and Bot -
- my wife informs me that our Visa account is at zero, but you can certainly count on some recompense very soon after the new year.
So Joyeux Noël, Fröhliche Weihnachten, Glædelig' Jul og God' Nytår!
Thanks again Sam - enjoy your holidays!
Darty
One final q: I do enjoy surfing around erotic sites - just now and then - like many guys...and before you get some image of a gold-chain/silk-shirt/toupee-wearing barfly, I'm that type at all, noooo! LOL
Some of those sites got quicksand & landmines all over them, I know - is it just plain best to totally give these sites wide wide berth? My lifestyle certainly doesn't depend on them!
What's the status/risk of those sites?
I'll be carrying out all your precautionary steps, I already have AdAware and Bot -
- my wife informs me that our Visa account is at zero, but you can certainly count on some recompense very soon after the new year.
So Joyeux Noël, Fröhliche Weihnachten, Glædelig' Jul og God' Nytår!
Thanks again Sam - enjoy your holidays!
Darty
#25
Posted 21 December 2005 - 05:24 PM
Buckeye_Sam
-
- Member
-
- 10,019 posts
Malware Expert
In my opinion, you run no more risk of picking up malware from an adult website than you do from any other site. When you visit a legitimate and professionally designed and operated website, no matter what the content, it's very unlikely that they are going to try to throw malware at you. It's the sites that barrage you with strange popups/pop unders that can't be blocked or ask you to install a special plugin or toolbar to view their site properly that you have to worry about. Those are the sites, no matter what the content is, that I would steer clear of.
In addition to the steps I outlined in my last post, I highly recommend an alternate browser to IE called Firefox. It's a free download and by far superior to Internet Explorer. You can get it here.
http://www.mozilla.com/firefox/
Use Firefox, Spyware Blaster, and all the other recommendations I made, along with some common sense and it's very unlikely that you'll have any more problems.
Sam
In addition to the steps I outlined in my last post, I highly recommend an alternate browser to IE called Firefox. It's a free download and by far superior to Internet Explorer. You can get it here.
http://www.mozilla.com/firefox/
Use Firefox, Spyware Blaster, and all the other recommendations I made, along with some common sense and it's very unlikely that you'll have any more problems.
Sam
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
