TheTechGuide Forum
General Category => Tech Clinic => Topic started by: deduemjo on November 22, 2004, 02:47:27 PM
-
My problem sounds exactly the same as that of Felix - below
Basically my IE Startpage was constantly changed to about:blank and had a Search engine site called Search Now. (isn't about:blank just supposed to be blank?). Also, other random sites were constantly being forwarded to this while I was browsing the internet.
I googled it and found out that I, like many, was infested with the CWS Spyware. I downloaded CWShredder and ran it. The program found CWS.HiddenDll and removed it along with 6 apparent registry entries. After doing this my IE was back to normal. After a while it came back though. I ran CWShredder again and it again found the above.
This keeps coming back and all I can do is rerun CWShredder every time, but it's really annoying.
I've followed the forum with Guestolo - but Hijackthis does not appear to have the same rogue file. My log is as follows
Logfile of HijackThis v1.98.2
Scan saved at 19:42:18, on 22/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SCANDS32.EXE
C:\PROGRAM FILES\ERROR NUKER 2004\BIN\ERRORNUKER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\WINDOWS\TEMP\TD_0013.DIR\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ngseomiqzb.us/QXE0FBhc7BD97G3U/N9aN2TXLrB0RvnjgKvsbNmxEMXjyIUVqGwkbUIbuNZuwy5N.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: (no name) - {47868855-3B52-4DB6-9DD7-CC0D0CB59B21} - C:\WINDOWS\SNNPAPI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [amen plan mp3 16] C:\WINDOWS\All Users\Application Data\GPL MEMO AMEN PLAN\closerule.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SCANDS32.EXE] C:\WINDOWS\SCANDS32.EXE
O4 - HKLM\..\Run: [Error Nuker 2004] C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe autostart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
O4 - HKCU\..\Run: [send show] C:\WINDOWS\APPLIC~1\FASTBA~1\title bleh shim.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011004/qtinstall.info.apple.com/qt503/uk/win/QuickTimeInstaller.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O18 - Filter: text/html - {5EC39ADF-04CA-4601-88B8-2C51E9DABFEF} - C:\WINDOWS\SNNPAPI.DLL
O18 - Filter: text/plain - {5EC39ADF-04CA-4601-88B8-2C51E9DABFEF} - C:\WINDOWS\SNNPAPI.DLL
Please can somebody help?
-
Hi deduemjo
Could you please download a couple of tools for me
Download STARTDRECK (http://members.blackbox.net/hp_links/21/nikolaus.rameis/_data/startdreck.zip)
Unzip it to its own folder
run StartDreck.exe:
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.
Use the "save" tab, to save, name and post the log!
Can you also Download DLLCompare (http://download.broadbandmedic.com/DllCompare.exe)
Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System directory
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.
Click the Make a Log of what was found button
Post this log too along with a fresh Hijackthis log, thanks
Could you also let me know if you paid for SpyKiller or Spyware Assassin
If you didn't you should get rid of them, I'll give you links to 2 free ones that are reputable
Read this about the 2 you have
Rogue Spyware software (http://www.spywarewarrior.com/rogue_anti-spyware.htm)
The above will help indicate what infection of About:blank you have
We will be able to try a different route with About:Buster if Startdreck or DllCompare come up negative
-
Thanks for this - will try after work - I did not buy the Spyware you mention (I will have downloaded them before I settled on Spybot).
Won't let me remove spykiller with Add/Remove Programs - says could not load initialisation file (haven't tried to remove other one yet)
-
Here is the log from STARTDRECK
StartDreck (build 2.1.7 public stable) - 2004-11-23 @ 12:25:25 (GMT +00:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as default at OEMCOMPUTER
»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*SpyKiller=C:\Program Files\SpyKiller\spykiller.exe /startup
*BestPopUpKiller=C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
*Spyware Assassin v.4.0="C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
*send show=C:\WINDOWS\APPLIC~1\FASTBA~1\title bleh shim.exe
*PopUpStopperFreeEdition="C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*SpyKiller=C:\Program Files\SpyKiller\spykiller.exe /startup
*BestPopUpKiller=C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
*Spyware Assassin v.4.0="C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
*send show=C:\WINDOWS\APPLIC~1\FASTBA~1\title bleh shim.exe
*PopUpStopperFreeEdition="C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*EnsoniqMixer=C:\WINDOWS\starter.exe
*CountrySelection=pctptt.exe
*PTSNOOP=ptsnoop.exe
*SystemTray=SysTray.Exe
*Internet Registration=c:\program files\internet explorer\connection wizard\netcheck.exe
*Gearbox="C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
*LoadQM=loadqm.exe
*PE2CKFNT SE=C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
*InstantAccess=C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
*RegisterDropHandler=C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
*Password Check=c:\windows\GrabCookie.exe
*Disc Detector=C:\Program Files\Creative\ShareDLL\CtNotify.exe
*AtiCwd32=Aticwd32.exe
*AtiQiPcl=AtiQiPcl.exe
*amen plan mp3 16=C:\WINDOWS\All Users\Application Data\GPL MEMO AMEN PLAN\closerule.exe
*C:\WINDOWS\IPCFG.EXE=C:\WINDOWS\IPCFG.EXE
*C:\WINDOWS\SCANDS32.EXE=C:\WINDOWS\SCANDS32.EXE
*Error Nuker 2004=C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe autostart
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*SAgent2ExePath=C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
*RegisterDropHandler=C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{24D52758-A1FE-4A21-A2F0-A86CE31C0B40}
`InprocServer32=C:\WINDOWS\SNNPAPI.DLL
»Files
»System/Drivers
»Running Processes
+FF0FA045=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFE5D9=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE05D5=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE0F89=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEB2D5=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEBE19=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
+FFFE70F9=C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
+FFFD2FB5=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFECF41=C:\WINDOWS\EXPLORER.EXE
+FFFE424D=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFCFE01=C:\WINDOWS\TASKMON.EXE
+FFFB2519=C:\WINDOWS\STARTER.EXE
+FFFB14E1=C:\WINDOWS\ptsnoop.exe
+FFFB773D=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFBB169=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFBFA39=C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
+FFFBF541=C:\WINDOWS\LOADQM.EXE
+FFFB5CC9=C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
+FFFA02AD=C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
+FFFA5319=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFAEF2D=C:\WINDOWS\IPCFG.EXE
+FFFAD81D=C:\WINDOWS\SCANDS32.EXE
+FFF93801=C:\PROGRAM FILES\ERROR NUKER 2004\BIN\ERRORNUKER.EXE
+FFF961C5=C:\WINDOWS\RunDLL.exe
+FFF94849=C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
+FFF9A615=C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
+FFF9E201=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
+FFF9D3C5=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
+FFF81791=C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
+FFF85A95=C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
+FFF8A969=C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
+FFF8EC4D=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFF8C23D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF7E5A1=C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
+FFF8E5F5=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF6A59D=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF655E9=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF685E5=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF52499=C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
+FFF43DE1=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF482B1=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF48A7D=C:\WINDOWS\RUNDLL32.EXE
+FFFCB579=C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\2PF8TSRM\STARTDRECK[1]\STARTDRECK.EXE
»Application specific
Hope this helps
-
The DLL Compare threw up nothing in the bottom pane.
The new Hijackthis log is as follows
Logfile of HijackThis v1.98.2
Scan saved at 12:47:24, on 23/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SCANDS32.EXE
C:\PROGRAM FILES\ERROR NUKER 2004\BIN\ERRORNUKER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qgvaqzprawkvgmtyc.com/QXE0FBhc7BD97G3U/N9aN2TXLrB0RvnjgKvsbNmxEMUTdeK8rat2f0IbuNZuwy5N.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: (no name) - {24D52758-A1FE-4A21-A2F0-A86CE31C0B40} - C:\WINDOWS\SNNPAPI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [amen plan mp3 16] C:\WINDOWS\All Users\Application Data\GPL MEMO AMEN PLAN\closerule.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SCANDS32.EXE] C:\WINDOWS\SCANDS32.EXE
O4 - HKLM\..\Run: [Error Nuker 2004] C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe autostart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
O4 - HKCU\..\Run: [send show] C:\WINDOWS\APPLIC~1\FASTBA~1\title bleh shim.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011004/qtinstall.info.apple.com/qt503/uk/win/QuickTimeInstaller.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O18 - Filter: text/html - {EBE573C9-8819-4FCA-890F-9D2DF3A9897D} - C:\WINDOWS\SNNPAPI.DLL
O18 - Filter: text/plain - {EBE573C9-8819-4FCA-890F-9D2DF3A9897D} - C:\WINDOWS\SNNPAPI.DLL
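As an added illustration (my own script, not part of the thread and not a HijackThis feature), here is a small Python triage of excerpts from the two HijackThis logs above. It flags the entry patterns that mark this as a CWS about:blank hijack (res:// search pages, the unnamed BHO sitting directly in C:\WINDOWS, the text/html and text/plain MIME filters, the file:// DPF entries), lists the one module wired into several sections at once, and cross-checks the two scans: the CLSIDs changed between the 22/11 and 23/11 logs while the same SNNPAPI.DLL stayed registered, which is why a cleanup should key on the module path rather than on the CLSIDs. The rule names and heuristics are assumptions of mine.

```python
import ntpath
import re
from collections import defaultdict

# Excerpts of the two HijackThis logs posted in this thread (the 22/11/2004 scan
# and the 23/11/2004 rescan), trimmed to the entries that matter for the hijack.
LOG_DAY1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {47868855-3B52-4DB6-9DD7-CC0D0CB59B21} - C:\WINDOWS\SNNPAPI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O18 - Filter: text/html - {5EC39ADF-04CA-4601-88B8-2C51E9DABFEF} - C:\WINDOWS\SNNPAPI.DLL
O18 - Filter: text/plain - {5EC39ADF-04CA-4601-88B8-2C51E9DABFEF} - C:\WINDOWS\SNNPAPI.DLL
"""

LOG_DAY2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
O2 - BHO: (no name) - {24D52758-A1FE-4A21-A2F0-A86CE31C0B40} - C:\WINDOWS\SNNPAPI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O18 - Filter: text/html - {EBE573C9-8819-4FCA-890F-9D2DF3A9897D} - C:\WINDOWS\SNNPAPI.DLL
O18 - Filter: text/plain - {EBE573C9-8819-4FCA-890F-9D2DF3A9897D} - C:\WINDOWS\SNNPAPI.DLL
"""

LINE_RE = re.compile(r"^(R\d|O\d+|F\d|N\d) - (.*)$")          # "O2 - BHO: ..."
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
PATH_RE = re.compile(r"[A-Z]:\\.+?\.(?:dll|ocx|exe)", re.I)    # drive-letter paths to modules


def parse(log):
    """Yield (section, body) for each HijackThis entry line in the log."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def modules(body):
    """Module paths named in one entry, normalised to upper case (Windows is case-insensitive)."""
    return {p.upper() for p in PATH_RE.findall(body)}


def triage(log):
    """Flag the entry patterns that make this log a CWS about:blank hijack."""
    findings = []
    for sect, body in parse(log):
        if sect in ("R0", "R1") and "res://" in body:
            # IE search page served out of a resource inside a local DLL
            findings.append(("search-page-res-dll", body))
        elif sect == "O2" and "(no name)" in body and any(
                ntpath.dirname(p) == "C:\\WINDOWS" for p in modules(body)):
            # anonymous Browser Helper Object living directly in the Windows directory
            findings.append(("unnamed-bho-in-windows-dir", body))
        elif sect == "O16" and "file://" in body.lower():
            # Downloaded Program File entry pointing at a local executable
            findings.append(("dpf-local-file", body))
        elif sect == "O18" and re.match(r"Filter: text/(html|plain)", body):
            # MIME filter on text/html or text/plain: every page IE renders passes through it
            findings.append(("mime-filter-hijack", body))
    return findings


def shared_modules(log):
    """Modules that are wired into more than one HijackThis section at once."""
    seen = defaultdict(set)
    for sect, body in parse(log):
        for p in modules(body):
            seen[p].add(sect)
    return {p: s for p, s in seen.items() if len(s) > 1}


def clsid_rotation(log_a, log_b):
    """Modules present in both logs but registered under a different set of CLSIDs."""
    def clsids_by_module(log):
        out = defaultdict(set)
        for _sect, body in parse(log):
            ids = {c.upper() for c in CLSID_RE.findall(body)}
            for p in modules(body):
                out[p] |= ids
        return out
    a, b = clsids_by_module(log_a), clsids_by_module(log_b)
    return {p: (a[p], b[p]) for p in a.keys() & b.keys() if a[p] != b[p]}


if __name__ == "__main__":
    for rule, entry in triage(LOG_DAY1):
        print(f"[{rule}] {entry}")
    for path, sections in shared_modules(LOG_DAY1).items():
        print(f"{path} is wired into sections {sorted(sections)}")
    for path, (before, after) in clsid_rotation(LOG_DAY1, LOG_DAY2).items():
        print(f"{path}: CLSIDs changed from {sorted(before)} to {sorted(after)}")
```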
-
Let's see how much cleanup we can get done in your log the first time around
I also see that you're not running any Anti-Virus software
If you need a Free solution, let me know, it's not safe being on the Net without it..
Don't install one yet, we'll try and get you clean first
I would uninstall Spyware Assassin and Restart your computer
Next:
Create a New folder on your desktop, call it Aboutbuster
Download to desktop About:Buster (http://www.malwarebytes.biz/AboutBuster.zip)
by RubbeR Ducky
Unzip it to that new folder. Start it and hit ok. Then hit update. A new screen should popup. On that screen hit Check for Updates. If it says it found an update hit Download Updates. If it doesn't it will automatically tell you and exit
Don't run this yet, but ensure you update for now
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://download.com.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button)
Ensure you have this version or later
If you don't have this version, uninstall yours and install this one
After installation, CHECK FOR UPDATES
Allow to download updates
Don't run it yet, but check for Updates now
You may want to print the rest of this out:
This will allow you to follow along without connection to the Internet till we are done
Go to Add/Remove in your control panel then look for and uninstall if found, Window Search, Window Searching, Lop.com, LOP Search, Browser Enhancer, Ultimate Browser Enhancer . If you are given a code to insert, do so.
If those that are listed above are not installed then d/l the LOP uninstaller.
Download the LOP uninstaller from HERE (http://members.rogers.com/rjmac/new_uninstall.exe). Close IE and run the uninstaller; click OK>it will then ask you to type in a number that it supplies, do so and click 'uninstall'>yes>OK>OK.
RESTART your computer into Safe Mode by tapping the F8 key on Windows Startup
If you're unsure how to start in safe mode, read this link
How to start in Safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=2#_Section2)
Try uninstalling Spyware Assassin and/or Spykiller if you can
Open About:Buster
Now for the scanning part. Hit start and then Ok. The program should start scanning.
Let it complete the scanning, rescan again when prompted
Save the log on to the desktop
Stay in Safe Mode---Open Ad-Aware
Do a Full System Scan
After Scanning is complete, Remove all Criticals: right click in the Criticals and Select All
Open CWShredder and let it FIX all problems
RESTART your computer back into Normal Mode
Run About:Buster again, save this log too....
You should also do a Free Online Virus scan at either
Trend Micros---Set to Autoclean
http://housecall.trendmicro.com/
and/or Panda's
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Let either clean what it can and try and delete what it can't
Please ensure you tell me where any malware was found if you have trouble removing it
I just noticed that you're running Hijackthis from your Temp. directory
Important
Create a Permanent folder for Hijackthis, backups will be stored there.
EG>>>
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT
Now you will have C:\HJT
Please redownload Hijackthis from
HERE (https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe) or HERE (http://aumha.org/downloads/hijackthis.exe)
Post back a fresh hijackthis log after you have done the above, could you also post the About:Buster logs, thanks
-
Thanks for continued support.
Not much worked I'm afraid - here's details
1. I have Norton Anti Virus software - as far as I know I have to run it manually (when I updated and ran at the weekend (in relation to current problem) it found a trojan virus - it is now clean)
2. There is no entry for Spyware Assassin in Add/Remove Program list (Spykiller is but it won't let me remove it as described earlier). I searched files for Spyware Assassin - found [email protected][2] and Cyber Tech Help Support - deleted both of these manually (?) and restarted computer
3. Downloading Aboutblaster didn't seem to work - got ' Run-time error 339' then 'Component MsComCtl.ocx or one of its dependencies not correctly registered: a file is missing or invalid'
4. AD-Aware also won't work (tried this the other night and got same message)
'Ad-aware caused an error in <unknown>' something in German and then 'Exception EReadError in Modul AD-AWARE.EXE bei 00021FOB'
5. None of the things you mention in Add/Remove Programs are listed. Did you mean delete LOP installer? What is/where do I find this? Again did manual search and found various files - most obvious looking one being HSFLOP.PDR but didn't delete any.
6. Tried to do the virus scans- trend micro website seemed to hang before I got there (could be me - but other websites work OK). Panda one started but got an error when downloading 'Your security settings prohibit Active X controls on this page. As a result the page will not display correctly' and download failed.
I should perhaps also mention when I attempt to start up internet I get a 'configurations conflict error' which I need to fix before I go any further.
Interestingly I've just gone back into home page and About:blank is not there!!!!
Plenty problems anyway it seems.
Look forward to your response.
-
Please download this file and save it to desktop
http://www.javacoolsoftware.net/downloads/missingfilesetup.exe
Double click to run it
This should help cure the problem with 'Component MsComCtl.ocx or one of its dependencies not correctly registered: a file is missing or invalid'
Just on my way out, don't get rid of Ad-Aware, I have a couple of files that you're probably missing
Look for riched20.dll & riched32.dll, both in c:\windows\system folder
Let me know the size of them if you find them
Right click on them properties
If you don't find them we will have to install them for you
Try the online virus scan at Rav's, we will have to adjust your Security settings if you can't install the ActiveX
I'll get into more detail later
-
Thanks for update.
latest is
1) downloaded file you suggested - so have now successfully updated aboutblaster.
2) Ad-Aware still won't work - same error
3) in c:windows/system found 2 files RICHED>DLL (235KB) and RICHED20.DLL (412KB) - but no RICHED32
4) Couldn't do on-line virus scan at Rav's due to an Active X error again (said security settings needed to be on medium - which it seems to be)
Am getting a Windows Security Service message regularly saying Windows firewall is detecting strange (malicious) activity on network
Look forward to reply
-
Well, we're making some progress if you got About:Buster running
Please download that LOP uninstaller and run it from the instructions I gave you earlier, if you haven't done it already
Restart your computer afterwards
Let's see if we can get Ad-Aware running and get you to run that online Virus scan
Our time zones may be different: Sorry we can't get together on this at the same time
We should get you totally clean if you can handle the delay in responses
Right now it's 6:33 pm PST here for me....
I'm not sure what the posted response time shows
Leave RICHED>DLL alone
Navigate to RICHED20.DLL
Right click on it and RENAME it to RICHED20.OLD
This is just to keep it as a backup
Next download the 2 files that may be causing your problem with Ad-Aware
Save both of these to your C:\Windows\System Folder
Riched20.dll (http://######/benditup/riched20.dll)
Riched32.dll (http://######/benditup/Riched32.dll)
See if you can run Ad-Aware after you save the 2 above files
You may have to Restart your computer again before it will work
If you can, ensure you update it
Restart your computer into SAFE MODE
Run About:Buster in Safe mode
Scan twice, make sure you save the logs
Run Ad-Aware in safe mode
Clean all critical objects as I explained before
Restart back in Normal Mode, run About:Buster again
Access your Internet options for IE via Control panel
Under the Security tab>>Custom Level
See if these are set
Download Signed Active X controls --- Prompt
Download Unsigned Active X controls --- Disable
Initialize and script active X Not marked safe---Disable
Run Active X controls-- Enable
Script Active X controls marked safe for scripting---Enable
Scroll down and see if Active Scripting is enabled
RESTART your browser
See if you can run the Online Virus scans at RAV'S and Panda's
If still no luck, try adding either of those sites to your
Trusted Sites
Do what you can, Post back with a Fresh hijackthis log and About:Buster logs
If you can get the scan at RAV's to run please post the results too, thanks
If you can, can you also open up Hijackthis>>>Config>>Misc Tools>>Open Hosts File Manager>>Click the "Open In Notepad" button
Copy and paste the whole contents of the Hosts notepad file back here too
-
Forgot to log in, reply above was from me
Removed Riched20.dll
and Riched32.dll
-
Im in the UK - 8:00 BST.
Bit more progress but not much
1. Downloaded LOP installer - seemed to work OK - and restarted computer (slightly faster? Or is it me? Didn't get the configuration conflicts error when going into IE)
2. Couldn't rename riched20 - said 'access is denied - the source file may be in use'. So didn't download the new riched files you suggest - should I have done?
3. Browser settings regarding Active X are all as you suggested
4. Tried copying and pasting Rav's into trusted sites - wouldn't let me - said 'needed prefix to ensure secure connection https://prefix'
Still getting the Windows Security Firewall warning.
Look forward to next installment!
-
I need to see an updated Hijackthis log
And I would like to see the About:buster logs
Try Restarting into safe mode and rename RICHED20.DLL>>>RICHED20.OLD
Ensure that you download Both those files and try Ad-Aware again
At minimum make sure you download Riched32.dll
Remember to save it to the proper folder
When you try and add those sites to the Trusted Zones
Try entering these exact addresses
http://www.ravantivirus.com
or
try these addresses
http://housecall.trendmicro.com/
and/or Panda's
http://www.pandasoftware.com/
In the Trusted zones settings you may have to take the check out of
"Require server verification(https)........"
If the above doesn't work
I'll check back later.....Make sure you post a fresh hijackthis log and About:Buster logs
Make sure you run scans in safe mode with about:buster and ad-aware
if you can get it to run
Remember to try renaming that file in safe mode
-
Would you believe my ISP erroneously cut me off and I've only just got back on-line.
Hope you're still around.
I'll set about your latest set of instructions now
-
Here's the current Hijack This log - not from safe mode
Logfile of HijackThis v1.98.2
Scan saved at 12:25:35, on 30/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SCANDS32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ojesjimfnxnbap.net/QXE0FBhc7BD97G3U/N9aN2TXLrB0RvnjgKvsbNmxEMWavN7iocefRUIbuNZuwy5N.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SCANDS32.EXE] C:\WINDOWS\SCANDS32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011004/qtinstall.info.apple.com/qt503/uk/win/QuickTimeInstaller.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
-
1. Ran AboutBuster - as far as I could tell seemed to work (didn't seem to log anything!) BUT - said it had saved log in c:\windows\temporary internet files\content.IE5\S5E7G1IV\ABOUT BUSTER[1]\ABOUTBUSTER\ABLogFile.txt - and I couldn't find it - can only get as far as Temporary Internet Files and then can't see it
2. Renamed the Riched 20 file in safe mode as suggested - this seemed to work
3. Rebooted back into normal mode
4. Couldn't download the 2 riched files you posted - says '404 Page Not Found - The Page you are looking for does not exist on Free Webs'
5. Therefore didn't try rerunning Adaware
6. Tried to add Rav's to trusted zones - got same error until I unchecked the server verification as you suggested. The add then seems to work. Do I now leave the server verification box unchecked - or recheck it again?(Haven't rechecked it yet)
7. Went into Rav's and waited a while whilst it seemed to be updating files for latest version - then it just seemed to redirect me to a page that recommends various software.
8. Will try this - or one of suggested others later - as have to get back to work
Regards
-
Hi again, we're making progress but I still see some nasties in your log
I'm on my way to work also so I'll get you further instructions later
In the meantime, could you try one of those other online AV sites
Something may be redirecting you, we will have to check your hosts file later
Could you also
Download the Trial version of TrojanHunter from this link
http://www.trojanhunter.com/trojanhunter/
This is good for 30 days
After installation you will have to manually update the Latest Ruleset
Go to this link
http://www.trojanhunter.com/trojanhunter/updating/
Download the Latest Ruleset to desktop
Unzip it to your Trojan Hunter folder
Allow to overwrite if prompted
The default location should be C:\Program Files\TrojanHunter
Run a full system scan
Trojan Hunter comes with TrojanGuard, don't enable it for now
After you have run TrojanHunter, let it fix whatever it finds, restart your computer and post back a fresh hijackthis log
I'll upload you those 2 riched files later, it would be nice to get Ad-Aware running on your system too
Remember when you download Zip files to choose save to disk rather than Open
If you're having troubles saving zip files to disk and they just want to open instead, let me know, we'll have to fix that too.
-
Thanks for reply
1. Put panda into trusted websites - server box still unchecked - this Ok?
2. Downloaded Active Scan and chose Scan all my computer
3. It Found 12 infected files and disinfected them
4. saved report - but cannot open it - says cannot find NOTEPAD.exe (needed to download these files) - could this possibly be the problem with the About Buster logs also?
5. from some notes I made the virus scan appeared to find the following
2 Tr/Dr, 3 TRojans,5 Exploits, and 2 Trj/Sm
Their locations were system.dll, a few temp.exe's, a few app data\sun\java\deployment, a data.dat, a programflies\pl.exe and a recycled\1.exe
Hope this helps
By the way - can't send e-mails at the moment - presumably 'cos I've renamed the RICHED.dll file?
Will now try the trojan download instructions you made
-
1. Downloaded trial version of trojan hunter to desktop
2. downloaded latest ruleset to desktop
3. Didn't really know how to unzip this into the first one - so just picked up the icon of the ruleset from the desktop and placed it in the first one - seemed to go away and load an update
4. Tried to run scan - got a Rich Edit line insertion error message (due to the renamed rich file?) - however pressed Ok and it seemed to do scan.
5. Found 3 trojans in Dialler.D.exe and Dialer.Infotel.101 and cleaned them
6. rebooted and here's hijack this log (couldn't open this cos could not load Rich Edit control DLL message - so renamed the riched20OLD file back to RICHED20.DLL (didn't need safe mode) - and it seemed to work
Here's log
Logfile of HijackThis v1.98.2
Scan saved at 20:08:29, on 30/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SCANDS32.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ojesjimfnxnbap.net/QXE0FBhc7BD97G3U/N9aN2TXLrB0RvnjgKvsbNmxEMWavN7iocefRUIbuNZuwy5N.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SCANDS32.EXE] C:\WINDOWS\SCANDS32.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O15 - Trusted Zone: http://www.ravantivirus.com
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011004/qtinstall.info.apple.com/qt503/uk/win/QuickTimeInstaller.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
-
Are you saying that you didn't unzip the file to the Trojan Hunter folder?
Do you have an Unzipping utility such as Winzip on your computer
Let me know and we can get you a free one
I prefer IZArc, this is a utility that you can keep for free and is needed in many cases
We'll come back to this
But please let me know if you have something like Winzip installed
I'm uploading Riched32.dll
Save this to your C:\Windows\System folder
Riched32.dll <--removed link
If you have trouble with the above link, try right click on it, Select Copy Shortcut and paste it into the IE address bar and hit Go
We'll see if we can get Ad-Aware to run after that, but let's do this first
A couple files I know are bad, but let's make sure, and there's one I'm not too sure about
So:
Set Windows to Show Hidden Files and Folders
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
* Click Start, Programs and Accessories and open Windows Explorer.
* Select a hard drive from the left hand side of the Windows Explorer window.
* Select View the Entire contents of this drive.
Navigate to the files below
right click on them---left click properties---version
What info can you find on them, including date created and size
Do you know what they're related to
Let's do a Free Online file virus scan on them
Go to this Online Malware Scan
Give this site time to load
http://virusscan.jotti.dhs.org/
Use the browse button and navigate to these files
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SCANDS32.EXE
c:\windows\GrabCookie.exe
Right click on each file individually and choose Select
Then use the Submit button
Let it scan each file separately
Could you post back the results of the scan back here please
For now I will assume they are all bad, unless you know what they're related to
or found bad at the online malware scan
Do another scan with Hijackthis and put a check next to these entries
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ojesjimfnxnbap.net/QXE0FBhc7BD9...IbuNZuwy5N.html
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
Optionally, remove the next ones too, they are not threats, but not needed on startup
Considered resource hogs, programs can be started manually and work fine without them
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES to the prompt and exit Hijackthis
Restart your computer
Try running Ad-Aware again, if you can ensure you check for updates and do a Full system scan
Remove All Critical objects
Restart your computer again to finish the cleaning process
Don't delete any backups made by hijackthis until we have you running clean
We won't manually delete any files or folders until we're sure about what you find on them
On that note, I see you have BestPopUpKiller installed, probably when you installed Spykiller
You also have Panicware's Popup stopper, you only need one popup stopper
I suggest you see if there is an entry in Add/Remove programs to remove Bestpopup killer and uninstall it, I assume you didn't pay for it?
We're going to get your computer running clean again and put some tools on your computer to help keep it that way
Let's make sure that we get the files needed on your computer first and we get you clean
Post back with a fresh Hijackthis log after you have tried the above
Could you also let me know if you have an unzipping utility
Another request, this hijacker has a tendency of removing some files from the computer
You say you have Spybot installed
Can you open Spybot>>Help>>about
Let me know Spybot version and Latest update detection date
Also check for this file for me please
Navigate to your Spybot folder
By default it should be in this location
C:\Program Files\Spybot - Search & Destroy
Open it and let me know if you can find this file, it should be there
SDHelper.dll
If it's not there we can replace it easily, or simply uninstall Spybot and redownload it
Search for updates and Check for problems
Fix Everything in RED
Restart your computer to finish the cleaning
Seems like a bit of work, but you should notice an improvement in overall performance when we're done
Along with the request above and new Hijackthis log
Could you also open Hijackthis>>Config>>Misc Tools>>Open Hosts file manager
Click the "Open In notepad"
Copy and paste the Whole contents of the hosts notepad file back here too
If you have trouble opening it, it may mean the hijacker deleted the hosts file too...
Let me know, we again can easily replace it
One more last request
Navigate to C:\Windows folder
Highlight it, on the right hand side look for Control.exe
Again, it should be there, if not we can easily replace it
We'll have to get you an unzipping utility first if you don't have Winzip
You won't have to pay for this
I guess that's enough for this round, I hope I'm not making this too tough on you
Just a quick edit
I noticed you said this and I missed it
says cannot find NOTEPAD.exe
It's very possible one of the infections has removed notepad.exe from the default location
Can you please download this file and save it to your C:\Windows folder
Notepad.exe <--removed link
Allow it to overwrite if prompted
This should allow notepad to work properly
Again, if the link doesn't work properly, copy and paste the shortcut to the IE address bar and hit GO
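The post above sorts HijackThis entries into "known bad", "check first" and "not needed", largely by eye. The script below is an added example, not part of this thread or of HijackThis itself, that mechanises three of the tells used here: O16 Downloaded Program Files registered from a local file:// path, O16 CLSIDs that are clearly not generated GUIDs (the repeated-digit ones above), and O4 Run entries whose bracketed name is just the executable's own path. R0/R1 entries are listed for review whenever their host is not on a caller-supplied trusted list. The sample log excerpt, hostnames and paths are constructed placeholders in the HijackThis v1.98 format, and the thresholds are the example's own heuristics, not HijackThis rules.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List
from urllib.parse import urlparse

# Constructed sample excerpt in the HijackThis v1.98 line format used in this
# thread.  Hostnames, CLSIDs and paths are placeholders for the demonstration,
# not indicators from any real incident.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qzxvbnmkl.example/aaa/bbb.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.isp.example/home
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [C:\WINDOWS\ODDNAME.EXE] C:\WINDOWS\ODDNAME.EXE
O4 - HKCU\..\Run: [Helper] "C:\Program Files\Helper\helper.exe" /startup
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://cdn.vendor.example/Installer.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (Scanner Object) - http://scanner.example/scan/online.cab
"""

R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.+)$")
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
O16_LINE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$"
)


@dataclass
class Finding:
    severity: str            # "high" = act on it, "review" = needs a human decision
    line: str
    reasons: List[str] = field(default_factory=list)


def hex_diversity(clsid: str) -> int:
    """Number of distinct hex digits in a CLSID; generated GUIDs use many of the 16."""
    return len(set(clsid.replace("-", "").lower()))


def triage(lines: Iterable[str], trusted_hosts: frozenset = frozenset()) -> List[Finding]:
    """Apply the heuristics described in the lead-in to HijackThis log lines."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = O16_LINE.match(line)
        if m:
            reasons = []
            if urlparse(m["url"]).scheme.lower() == "file":
                reasons.append("Downloaded Program File registered from a local file:// path")
            if hex_diversity(m["clsid"]) <= 4:   # heuristic threshold chosen for this example
                reasons.append("CLSID is not a plausible generated GUID")
            if reasons:
                findings.append(Finding("high", line, reasons))
            continue
        m = O4_LINE.match(line)
        if m:
            if m["name"].strip().lower() == m["cmd"].strip().lower():
                findings.append(Finding("high", line,
                                        ["Run entry named after its own path; installers give descriptive names"]))
            continue
        m = R_LINE.match(line)
        if m:
            host = urlparse(m["value"].strip()).hostname
            if host and host.lower() not in trusted_hosts:
                setting = m["key"].split(",")[-1]
                findings.append(Finding("review", line, [f"IE {setting} points at unrecognised host {host}"]))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity so a run can be checked at a glance."""
    out = {"high": 0, "review": 0}
    for f in findings:
        out[f.severity] += 1
    return out


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines(), trusted_hosts=frozenset({"www.isp.example"}))
    for f in results:
        print(f"[{f.severity}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
    print(summarize(results))
```

The helper's other flags in this thread (rogue anti-spyware products started from HKCU\..\Run) depend on knowing the product names, so they belong in a name list maintained by the analyst rather than in a structural rule; the three structural checks above are the ones that hold across logs.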
-
1. Not aware I've got Winzip - where would it be if i had?
2. When trying to download the riched 32.dll file get the message - 'Your current security settings do not allow file to be downloaded'. I tried the right click option also and put it in address bar - when I clicked return (is this what you mean by go?) got same error.
3. Selected hard drive C after following your instructions with the hidden files - went onto Jotti, here is first report on the ipcfg.exe
File: ipcfg.exe
Status: INFECTED/MALWARE
Packers detected: FSG
AntiVir TR/Click.Small.br.2 (0.41 seconds taken)
Avast No viruses found (1.74 seconds taken)
BitDefender Trojan.Clicker.Small.BR (0.91 seconds taken)
ClamAV Trojan.Clicker.Small-23 (1.36 seconds taken)
Dr.Web Trojan.Promospy (0.56 seconds taken)
F-Prot Antivirus No viruses found (0.09 seconds taken)
Kaspersky Anti-Virus Trojan-Clicker.Win32.Small.br (1.01 seconds taken)
mks_vir No viruses found (0.18 seconds taken)
NOD32 No viruses found (0.38 seconds taken)
Norman Virus Control No viruses found (1.18 seconds taken)
Statistics
Last piece of malware found was Win32:SpyBot-GEN in eee.exe, detected by:
Scanner Malware name Time taken
AntiVir X 0.14 seconds
Avast Win32:SpyBot-GEN 1.51 seconds
BitDefender BehavesLike:Win32.ExplorerHijack 0.33 seconds
ClamAV Trojan.Spybot.gen-2 0.33 seconds
Dr.Web Trojan.MulDrop.590 0.49 seconds
F-Prot Antivirus X 0.06 seconds
Kaspersky Anti-Virus TrojanDropper.Win32.Small.by 0.58 seconds
mks_vir X 0.26 seconds
NOD32 Win32/TrojanDropper.Small.BY 0.37 seconds
Norman Virus Control Sandbox: W32/Malware 1.53 seconds
Service statistics:
13135 files (9300 of those unique) have been uploaded & scanned since 05/11/2004, the day of the last database purge.
2707 of those 9300 files contained a virus or any other form of malware.
This page has been visited 30067 times in this time period.
This service managed to spot 162 pieces of malware no vendor used knew about at the time of uploading.
The service also warned against 1238 suspicious files without any help from scanner results.
However, 129 files reported to be OK were found out to be malware later (this is checked daily).
As far as can be told, all this together makes this service 98.61% accurate. However, since it is very well possible malware has been uploaded no scanner knows about at this time, this number is to be taken with a proper amount of skepticism.
Most popular malware:
Rank Malware name Uploaded Last known filename
1 behaveslike:trojan.downloader 212 times satmat.cab
2 backdoor.sdbot.gen 194 times sys.exe
3 tr/drop.delf.fd.1 104 times Keygen.exe
4 backdoor.agobot.3.gen 94 times servicelog.exe
5 tr/spam.avafx 76 times vbsys2.dll
6 win32:trojan-gen. {other} 47 times 3_636.rar
7 backdoor.win32.agobot.gen 45 times fiz.exe
8 tr/dldr.inservice.i 43 times Norton_Internet_Security_2005_Trial_to_Full_by_CDS_Group.zip
9 backdoor.rbot.gen 37 times newboter.exe
10 win32.p2p.spybot.gen 35 times dl.exe.zip
11 tr/dldr.small.uv.3 34 times s1p1y.exe
12 win32:trojan-gen. 34 times Mp3s.exe
13 behaveslike:win32.av-killer 30 times winshost.exe
14 backdoor.agent.ec 27 times bmemjgbt.exe
15 backdoor.wootbot.gen 25 times Kopie van 1.exe.exe
4. here's second file - scands32.exe
File: scands32.exe
Status: INFECTED/MALWARE
Packers detected: FSG
AntiVir TR/Click.Small.br.1 (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender Trojan.Clicker.Small.BR (0.34 seconds taken)
ClamAV No viruses found (0.33 seconds taken)
Dr.Web Trojan.Click.160 (0.50 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus Trojan-Clicker.Win32.Small.br (0.59 seconds taken)
mks_vir No viruses found (0.20 seconds taken)
NOD32 No viruses found (0.39 seconds taken)
Norman Virus Control No viruses found (0.54 seconds taken)
5. And here's 3rd - GrabCookie.exe
File: GrabCookie.exe
Status: OK
Packers detected: None
AntiVir No viruses found (0.16 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.37 seconds taken)
ClamAV No viruses found (0.37 seconds taken)
Dr.Web No viruses found (0.53 seconds taken)
F-Prot Antivirus No viruses found (0.07 seconds taken)
Kaspersky Anti-Virus No viruses found (0.59 seconds taken)
mks_vir No viruses found (0.22 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (2.16 seconds taken)
-
1. Followed the manual HijackThis instructions - seemed to work and rebooted
2. Still can't run Ad-Aware - presumably because of the riched files?
3. In Add/Remove Programs there is a 'Pop Up Stopper free edition' - is this what I need to get rid of?
4. Is it OK to leave the hidden-files changes we made?
5. Here's the latest HijackThis log
Logfile of HijackThis v1.98.2
Scan saved at 08:43:08, on 01/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SCANDS32.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SCANDS32.EXE] C:\WINDOWS\SCANDS32.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O15 - Trusted Zone: http://www.ravantivirus.com
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011004/qtinstall.info.apple.com/qt503/uk/win/QuickTimeInstaller.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
-
1. Spybot S&D 1.3 last detection update 2004-08-20 is what I have
2. SDHelper.dll is there
3. When you said fix everything in red - do you mean run Spybot?
4. In the HijackThis configuration etc. - when I try to Open hosts file manager it says 'cannot find the hosts file. Do you want to create a new default hosts file yes or no' - I chose no for now.
5. The control.exe file appears to be there
6. When I try to download the notepad link I get the same error regarding security settings I got earlier when trying to download the riched32 file.
Thanks for staying with this.
-
Hi again, just on my way out
No problem me staying with this
:D
In the meantime,
Restart into safe mode
Open Hijackthis>>Config>>Misc Tools<<Open Process Manager
Kill these processes if still running
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SCANDS32.EXE
Stay in safe mode
Find and delete these files or folders
C:\WINDOWS\IPCFG.EXE <--file
C:\WINDOWS\SCANDS32.EXE <--file
C:\Program Files\SpyKiller
C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0
In safe mode
Do another scan with Hijackthis and fix this entry
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SCANDS32.EXE] C:\WINDOWS\SCANDS32.EXE
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
Fix Checked with all other windows closed
Restart back into Normal mode
If you wouldn't mind can you try to download this different browser
Mozilla Firefox---It's a great little browser, consider it a backup browser
and it's way more secure than IE
http://www.mozilla.org/ free download
After installation use it to download those 2 files
Riched32.dll and notepad.exe
I'll check back later to see how you made out
Do the above and post a fresh hijackthis log
-
Feels like we're making progress now!
1. The processes you referred to were not running in Process Manager in HijackThis
2. Found and deleted (to the recycle bin?) the .exe files you mention BUT there were also (next to the .exe) ipcfg.V10 and ipcfg.V11 and one called ipcfg files (properties of this one say virus infected file) - same for the scands32 files. Do I need to delete these also?
3. Also deleted the SpyKiller file but there wasn't one for Spyware Assassin?
4. The HijackThis scan and fix in safe mode seemed to work.
5. Downloaded Mozilla and downloaded notepad and riched32.dll into the places you suggested.
Here is the HijackThis log
Logfile of HijackThis v1.98.2
Scan saved at 18:07:19, on 01/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O15 - Trusted Zone: http://www.ravantivirus.com
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011004/qtinstall.info.apple.com/qt503/uk/win/QuickTimeInstaller.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
Presumably Adaware may run now - but I'll await further instruction.
Regards
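The procedure in the reply above (kill the running processes, delete the files, fix the O4 entries, post a fresh log) is a by-hand triage and diff of two HijackThis logs. The script below is an added example written for this page; it is not a tool from the forum, from HijackThis, or from any other program mentioned here. It parses the "Running processes" list and the O4 autostart lines, flags entries on two heuristics the thread actually used (a value name that is just the executable's own path, as in [C:\WINDOWS\IPCFG.EXE], and a file name a scanner already called malware, as the multi-engine scan did for scands32.exe), lists which flagged images are still running so you know what to kill first, and diffs the before and after logs so you can confirm that "Fix checked" removed exactly the three entries you meant it to. The two embedded logs are constructed excerpts modelled on the 08:43 and 18:07 logs of 01/12/2004 above; KNOWN_BAD, the heuristics and every function name are this example's own assumptions.

```python
"""Triage helper for HijackThis 1.98-style logs. Added example for this thread, not a forum
or HijackThis tool: parses 'Running processes' and O4 autostart lines, flags entries with
two heuristics the thread relied on, and diffs before/after logs to confirm the fix."""
import re
from typing import Dict, List, Set, Tuple

# O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4_REG_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<hive>Startup|Global Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
SECTION_RE = re.compile(r"^[A-Z]\d* - ")  # first R0/O2/O4... line ends the process list
KNOWN_BAD: Set[str] = {"scands32.exe"}  # assumption: file names a scanner already called malware

def basename(path: str) -> str:
    """Lower-cased file-name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def exe_of(cmd: str) -> str:
    """Best-effort executable path from an O4 command (quotes and arguments stripped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|com|bat|pif|scr))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")

def parse_hjt(log: str) -> Tuple[List[str], Dict[str, str]]:
    """Return (running processes, {"<hive>|<value name>": command}) from a HijackThis log."""
    processes: List[str] = []
    o4: Dict[str, str] = {}
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and line and not SECTION_RE.match(line):
            processes.append(line)
            continue
        in_procs = False
        m = O4_REG_RE.match(line) or O4_LNK_RE.match(line)
        if m:
            o4[f"{m['hive']}|{m['name']}"] = m["cmd"]
    return processes, o4

def flag_suspicious(o4: Dict[str, str], known_bad: Set[str]) -> Dict[str, List[str]]:
    r"""Map O4 key -> reasons: (1) the value name is just the executable's own path, as in
    [C:\WINDOWS\IPCFG.EXE] above (installers use a product name such as [TaskMonitor]);
    (2) a scanner already called the file malware. Neither catches rogue 'anti-spyware'
    with a respectable name such as SpyKiller; that still takes a human."""
    flagged: Dict[str, List[str]] = {}
    for key, cmd in o4.items():
        name, exe = key.split("|", 1)[1], exe_of(cmd)
        reasons = []
        if name.lower() == exe.lower():
            reasons.append("value name is the executable's full path, not a product name")
        if basename(exe) in known_bad:
            reasons.append(f"{basename(exe)} was identified as malware by a scanner")
        if reasons:
            flagged[key] = reasons
    return flagged

def running_from_flagged(processes: List[str], o4: Dict[str, str],
                         flagged: Dict[str, List[str]]) -> List[str]:
    """Running processes whose image matches a flagged entry: kill these before deleting files."""
    bad = {basename(exe_of(o4[key])) for key in flagged}
    return [p for p in processes if basename(p) in bad]

def diff_o4(before: Dict[str, str], after: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """(removed, added, changed) O4 keys between two logs of the same machine."""
    changed = {k for k in before.keys() & after.keys() if before[k] != after[k]}
    return set(before) - set(after), set(after) - set(before), changed

# Constructed excerpts modelled on the 08:43 and 18:07 logs of 01/12/2004 posted above.
BEFORE_LOG = r"""Running processes:
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SCANDS32.EXE
C:\HJT\HIJACKTHIS.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SCANDS32.EXE] C:\WINDOWS\SCANDS32.EXE
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
"""
AFTER_LOG = r"""Running processes:
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\HJT\HIJACKTHIS.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
"""
if __name__ == "__main__":
    procs, before = parse_hjt(BEFORE_LOG)
    _, after = parse_hjt(AFTER_LOG)
    flagged = flag_suspicious(before, KNOWN_BAD)
    print("flagged:", flagged, "\nkill first:", running_from_flagged(procs, before, flagged))
    print("removed/added/changed:", diff_o4(before, after))
```

On the sample data the two path-named entries are flagged (SCANDS32 for both reasons), both are listed as still running, and the diff reports exactly IPCFG, SCANDS32 and SpyKiller removed with THGuard added. The SpyKiller entry shows the limit of syntax-only rules: it looks like an ordinary product and was only caught because the helper recognised the name, so treat the flags as a shortlist for review, not a verdict.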
-
You're doing well. We should get some protection on your machine now; later we will clear all your System Restore points, to ensure you don't restore any nasties, and start with a fresh restore point
We'll do this later, let's get some protection first
One more tool for cleanup
This will clean your temp folders and cookies amongst other things
Yours for free and hold onto
It's a good idea to clean these out every couple of weeks
Windows CleanUp! - http://downloads.stevengould.org/cleanup/CleanUp312.exe
After you install it--Open the program---Click on the Cleanup button
It will scan for files
When it's done it will notify you that a few files have to be deleted on System Restart
Restart your computer
When back in Windows
Open Ad-Aware if you got it installed and running
Check for updates---Download the updates
I suggest that you do a full system scan the first time if you get it running
Here are some good setup options
===============================================
Set these additional options if not checked already
Open Ad-aware---Click the GEAR at the top
# Click on the General button on the left hand side.
1. Make sure the following items under the Safety category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
1. Automatically save logfile
2. Automatically quarantine objects prior to removal
3. Safe Mode (always request confirmation)
# Next click on the Advanced button on the left hand side.
1. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
1. Include additional object information
2. Include negligible objects information
3. Include environment information
4. Include Alternate data stream details in log file
# Next click on the Tweak button on the left hand side.
1. Then click on the + (plus) sign next to the Log Files section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
1. Include basic Ad-Aware settings in logfile
2. Include additional Ad-Aware settings in logfile
2. Then click on the + (plus) sign next to the Scanning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
1. Unload recognized processes & modules during scan
2. Scan registry for all users instead of current user only
3. Then click on the + (plus) sign next to the Cleaning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
1. Always try to unload modules before deletion
2. During removal, unload Explorer and IE if necessary
3. Let Windows remove files in use at next reboot
Once these settings have been completed, you should click on the Proceed button
Make sure you change the scan mode to Perform full system scan. Then uncheck the Search for negligible risk entries.
Step 5: Start the Actual Scan--you should close out all browser windows before you start scanning
Now click on the Next button to have Ad-Aware SE start scanning your system. Ad-Aware SE will start scanning your system for Spyware and Hijackers
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each objects checkbox
click on the "Next" button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. If you would like to do so, press the "OK" button
RESTART your computer to finish the cleaning process
========================================
Once back in Windows
I don't see any Anti-Virus software running on your computer
If I'm not mistaken you said you had to run it manually
This is not a good idea, you should have one constantly monitoring your email
ensure you scan anything that you download also
If your subscription has run out it will not do you much good if you can't update it
I have a link to a free AV that does a very good job
But you should uninstall Nortons before you install this one
Not necessary if you don't have Norton's running, but you don't really need 2 AV's on your computer
Another program that is yours for free
Doesn't run in the background----Just run it once and check for updates every couple of weeks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
If you found some files to be bad with the online virus scans, go ahead and delete them
You can allow the Hosts file to be created
Post back a fresh hijackthis log
Could you also try running about:buster one more time and post the log
If you can't find the log, just copy and paste the scan from About:busters main screen back here
I think we almost have you running clean again
Let me know if Norton's is right up to date
I suggest installing the free one I have a link to if you need it and want to uninstall Norton's
Let me know
I'll go back over our replies after you post back a new log and see if we can finalize
this thing
:D
Let me know how everything's running
-
Hi,
1. AdAware seemed to work (found 16 objects)
2. Have downloaded SpywareBlaster (most of the things I have downloaded - apart from the riched and notepad files - are on the desktop - is this where they should be?)
3. I think I updated the Norton Antivirus software when I first encountered these problems. As far as I know it has to be run manually and doesn't run in the background (I've never had a prompt from it if it does). I'd be happy to go with what you suggest for AV software.
4. When you say delete the bad files I found with the AV checks do you mean the extra ipcfg and scands32 files I referred to? Or others?
5. When I try to run AboutBuster from the shortcut I had on the desktop it says it has changed or moved so the shortcut doesn't work. Then it says the nearest match is c:\windows\Tempor...\8VE3UYCK - do I want to point to this?
Here's the HijackThis log
Logfile of HijackThis v1.98.2
Scan saved at 08:39:48, on 02/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O15 - Trusted Zone: http://www.ravantivirus.com
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011004/qtinstall.info.apple.com/qt503/uk/win/QuickTimeInstaller.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
Regards
-
Let's do a Recap
Some of those desktop Icons are shortcuts or the programs themselves
Here's what I do
Right click an empty spot on the desktop
Select NEW>>>FOLDER
Name the new folder something like Spyware
Drag some of those shortcut Icons into that new folder
Here's what you should remember
About:buster---you can just delete it---How did you get it to run if you didn't UNZIP(Extract) it?
Hold onto the backups that Hijackthis made until you're happy with the way everything is running
STARTDRECK---You can delete the program
DLLCOMPARE--You can delete
LOP uninstaller--You can delete
missingfilesetup.exe--You can delete if you still have it on your desktop
Windows Cleanup---Hold onto it and use it to clean your temp folders and such every couple of weeks
Ad-Aware---Hold onto and check for updates every couple of weeks and run a Smart System Scan
SpywareBlaster--Hold onto it and check for updates every couple of weeks and Enable All protection
TrojanHunter---The trial version is good for 30 days from the day you installed it
When the trial version is over simply shut down TrojanGuard by the system Clock and use Add/Remove programs and Uninstall it
Let me know if I forgot about anything
What concerns me is that you say you have Norton's but I don't see it running, it may not be installed properly or it's not set to run on system startup
Let's do this
To ensure that no Nasties are restored in the event you use System Restore, we should Disable System Restore---RESTART your computer---Enable System Restore
The link will explain how to do this
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
After you restarted and enable system restore
When was the last time you Did a Disk Defragmentation
Here's what I suggest
Right click an empty spot on the desktop----Under the screen savers tab
Set the Screen Saver to NONE in the drop down menu
Under the Power Settings options---Put to Always ON under Power schemes
Restart your computer into Safe mode
Go to START>>>programs>>>accessories>>System Tools
Do a Scandisk for Errors--Set to Automatically fix
Next back in this location
START>>>programs>>>accessories>>System Tools
Select Disk Defragmenter
Let it Defrag your hard drive
If you haven't done this in awhile it may take a little time to complete
Restart back into Normal Mode
I would suggest that you install the Free version of this Anti-Virus, makes me nervous that I don't see one running on your machine
AVG Free by Grisoft - http://free.grisoft.com/freeweb.php/doc/1/
After installation ensure it Checks for Updates and do A Full System Scan
This is free for personal use and free to update for the lifetime of the product
You should check for updates with it a couple times a week
Do a scan once a month
Post back one more fresh hijackthis log and let me know how everything is running
If you have any questions don't hesitate to ask
I would hold onto Mozilla Firefox, it's a great browser
If you need a Hand installing the flash and shockwave plugins for it let me know
It doesn't use the same installers as IE
I hope I haven't forgot anything
I don't care if we make this the longest thread ever
:D
I'm still wondering if you have an UNZIPPING utility
If not we should get you a free one
Zipped files are compressed files; when downloaded you need an unzipping utility to extract their contents
Go into your add/remove programs and see if you have an entry for Winzip
or some other zip program
If you do see it, that should mean you have an unzipping utility installed
If not, you should download and Install
IZArc - http://www.izsoft.dir.bg/download.htm
Talk to you later
:P
-
The computer has nearly ground to a halt - every click is taking ages!!!!
Please help.
When on the internet (worked fine yesterday) got a message 'Gbdash has caused an error in KERNEL32.DLL. Gbdash will now close'
Seems to slow down within a minute or so of booting up.
Don't think i can try the latest stuff you suggested with it going this slow.
PLease advise
-
Seems it's only when the internet is being used that a go-slow happens. I get a couple of minutes at 'normal speed' and then everything begins to slow up
-
Made me think was it an ISP problem again - so rang them and they'd be doing work in this area today!!!!!! I think the problem is fixed (internet a bit slow but nothing like the grind to a halt I described earlier) so panic over!! I will now attempt to do the things you suggest.
I have deleted the other ipcfg (or whatever it was) and scands32 files that I mentioned. There are now no files of these names at all in the Windows folder
-
Did the things you suggested - seemed to work although a bit concerned I might have misplaced/deleted something on the go-slow.
ScanDisk didn't find any errors
Defragmenter took an hour or so.
Downloaded the AVG software - took an hour or so also.
How does this work - do I have to run it manually like the NAV every so often? Should I now remove NAV?
The AVG found 2 viruses, both Trojan Horses - 1 in explorer.exe, the other in nionisgzogg.exe.tcf - it got rid of the second one but not the first, Trojan Horse Dialler 11.AY, because it said it was an embedded object??
Here is the HijackThis log
Logfile of HijackThis v1.98.2
Scan saved at 22:38:24, on 03/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O15 - Trusted Zone: http://www.ravantivirus.com
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011004/qtinstall.info.apple.com/qt503/uk/win/QuickTimeInstaller.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
Regards.
P.S. Other than the above embedded file problem the computer seems to be running fine
-
Concerning the Trojan Horse Dialler 11.AY
Do you know what the file name was in the Explorer folder?
Can you also run this file through that online malware scan
c:\program files\internet explorer\connection wizard\netcheck.exe <--file
Here's the link to the scan
http://virusscan.jotti.dhs.org/
Post back one more hijackthis log afterwards and the info on that file
We may try to remove it with hijackthis but save the backup
-
1. Put the file you suggested through the malware check (this was the file for Supanet, which was the ISP which came with the computer, which I don't use I think). Here is the result
Service load:
0% 100%
File: netcheck.exe
Status:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected:
None
AntiVir
No viruses found (0.17 seconds taken)
Avast
No viruses found (1.51 seconds taken)
BitDefender
No viruses found (0.39 seconds taken)
ClamAV
No viruses found (0.38 seconds taken)
Dr.Web
No viruses found (0.54 seconds taken)
F-Prot Antivirus
No viruses found (0.07 seconds taken)
Kaspersky Anti-Virus
No viruses found (0.74 seconds taken)
mks_vir
No viruses found (0.23 seconds taken)
NOD32
No viruses found (0.43 seconds taken)
Norman Virus Control
No viruses found (4.03 seconds taken)
2. How do I know what the file name was? It just said explorer.exe I think. This file sits on the c: drive and the properties file says it's a cabinet file which opens with Internet Explorer?
Regards
-
Have Hijackthis fix this entry and then restart your computer
Let me know how everything's running after that
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
-
Hi,
1. Fixed the suggested entry with Hijack This
2. Whilst browsing this morning using Mozilla - got an AVG report up (must have initiated itself in background?) - looked similar to last time - fixed 6 problems but not the embedded object. File name appeared to be c:\explorer.cab:\explorer.exe
-
Hello again, well we got a name this time
Double click on the AVG icon by the clock and Check for updates
This is just to make sure it's right up to date
Disable System Restore
Restart your computer into safe mode
Do another scan with AVG in Safe mode
Navigate to and delete this file
c:\explorer.cab explorer.exe
The legitimate copy of explorer.exe is in your Windows folder
Just delete the above file for now, send it to the recycle bin
Restart back into Normal mode
Enable System Restore
Post back one more Hijackthis log
I think we got it all now
You said that AVG fixed 6 problems
Could you open AVG by clicking the icon next to the clock
Click on TEST CENTER
Open Virus Vault
Under the Program button in the menu bar could you export the file list and save it and post it back here
That is, if there are files in your virus vault
I'm just on my way to bed, I guess I'll see the results tomorrow
-
1. Did AVG scan in safe mode - found only the infected file referred to earlier explorer.cab - found it and deleted it.
2. When checking for the explorer file in the windows folder found it - but also found next to it a file called ExeDialler.exe (unknown application - TCF file). The picture for it looks like a virus with a danger sign over it!!!!!!! Should I delete this?
3. Here's hijackthis log
Logfile of HijackThis v1.98.2
Scan saved at 19:42:58, on 05/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O15 - Trusted Zone: http://www.ravantivirus.com
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011004/qtinstall.info.apple.com/qt503/uk/win/QuickTimeInstaller.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
4. There were no files in the virus vault
Regards
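The helper above compares the poster's HijackThis logs from one post to the next to confirm the fixed entry is gone and nothing new has appeared. As an added example (not code from this thread or from HijackThis), here is a small Python script that parses the entry lines of two logs and reports what was added, removed or changed between them; the log excerpts are constructed from the 03/12 and 05/12 logs posted above.

```python
import re

# Constructed excerpts of the two logs posted in this thread: 03/12/2004 before
# the fix, 05/12/2004 after. The only difference is the [Internet Registration]
# autostart entry the helper had HijackThis remove.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O15 - Trusted Zone: http://www.ravantivirus.com
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O15 - Trusted Zone: http://www.ravantivirus.com
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""

# Registry autostart (O4 Run/RunServices) lines carry a bracketed value name
# followed by the command; every other entry line is keyed on its full text.
_O4_RE = re.compile(r"^(O4 - .*?): \[(.+?)\] (.*)$")
_ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_entries(log_text):
    """Map each HijackThis entry (section, name) to its command so logs can be compared."""
    entries = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = _O4_RE.match(line)
        if m:
            entries[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = _ENTRY_RE.match(line)
        if m:
            entries[(m.group(1), m.group(2))] = ""
    return entries


def diff_logs(before_text, after_text):
    """Return (added, removed, changed): entries new in the later log, gone from it,
    or present in both but pointing at a different command."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    added = {k: v for k, v in after.items() if k not in before}
    removed = {k: v for k, v in before.items() if k not in after}
    changed = {k: (before[k], after[k]) for k in before if k in after and before[k] != after[k]}
    return added, removed, changed


if __name__ == "__main__":
    added, removed, changed = diff_logs(LOG_BEFORE, LOG_AFTER)
    for key, cmd in removed.items():
        print("removed:", key, cmd)
    for key, cmd in added.items():
        print("added:  ", key, cmd)
    for key, (old, new) in changed.items():
        print("changed:", key, old, "->", new)
```

An entry that reappears after being fixed (or a changed command behind a familiar name) is the signal the helper is watching for between posts.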
-
Remember, don't touch explorer.exe in the C:\Windows folder
It's legitimate
Not sure about this file
ExeDialler.exe
It looks fishy
Why don't you run it through that Online File Virus scan
http://virusscan.jotti.dhs.org/
Post back the results if you're not sure what to do with it, but if found bad remove it
I don't think I need to see another HijackThis log, your log looks good
Let me know how everything's running
-
1. Ran the file through Jotti - said it was infected/malware but non-destructive - I deleted it anyway.
Things seem to be running fine.
Thanks for all your help
-
Hi,
Ran the AVG software as a matter of course and it found a virus and 4 infected files
c:\ied.exe_s7m.cab (another cab file?) and 3 files in c:restore/ called A0001408.CPY and two others with different numbers. All trojan downloader infections. The cab file was a downloader.mediket.D? Put the cab file through Jotti's program and it said it was infected/malware - can I delete it? And the others?
Regards
-
Go ahead and delete the files detected by AVG
But first, you won't be able to remove any entries in this location
c:restore
That's your system Restore folder and AV software can't touch that folder, just detect it
Do this
Check for updates with AVG
Disable system Restore
Link will explain how
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
RESTART into SAFE MODE
Do a Full System Virus scan with AVG
Let it fix what it finds or try and delete what it can't
Restart back into Normal Mode
Enable System Restore
I'd better see one more HijackThis log; why do you keep getting infected?
Hmmm
-
Use Firefox and your problems will be over...