TheTechGuide Forum
General Category => Tech Clinic => Topic started by: catshere on January 23, 2005, 05:03:54 PM
-
I have tried to delete these but had no success. My spyware program finds them but every time I delete them they come back. I downloaded the HJT program you recommended in another forum and here is the log.
Please tell me what I can do...
Logfile of HijackThis v1.99.0
Scan saved at 3:06:55 PM, on 1/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KNBVRK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\CALC.EXE
C:\WMCONNECT\WWM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [knbvrk] c:\windows\system\knbvrk.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/SafeCommon/downloads/WalletCab.CAB
-
Try this, catshere
Access your Add/Remove Programs via Control Panel
Uninstall if found
WebSearch Toolbar
WebSearch Tools
Search Assistant
Win-Tools Easy Installer
# Do not reboot until they have all been removed even if prompted.
# When you are uninstalling the last program you can then reboot when prompted
When you're back in Windows
You said
My spyware program finds them but everytime i delete them they come back
Can you let me know what spyware program you're using
I do trust these 2 spyware removal programs
Both have a free version
If you're not using them could you please
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button)
Ensure you have this version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
Download and Install Spybot S&D 1.3 (http://www.download.com/3000-8022-10122137.html)
When Installing, please don't enable TEA TIMER, it's a great addon to Spybot but it can get in our way to do any manual fixes.. This can be enabled at a later time if you want it
After installation--Click the Update button on the left, in the window on the right click the
SEARCH FOR UPDATES button, Check and download all updates
Click the "Search and Destroy" Button
In the right window, click the
Check for Problems. Let it complete its scanning---Ensure to check and FIX everything in RED---they should be checked by default
RESTART your computer to finish the Cleaning process
When you're back in Windows, I just want to ensure you don't have a VX2 infection
Download and save to desktop
VX2 Finder (http://downloads.subratam.org/VX2Finder9x(126).exe)
Open it and click the
"Click to Find VX2.BetterInternet" button
Let it finish scanning>>Won't take long
When it's done make a log and post it back here
Could you also post back with a fresh Hijackthis log, thanks
-
Thank you so much for your assistance. Here is the log file from the HJT scan. I did notice files referring to the VX2 that you referred to in the scan of my pc. I currently use Spy Sweeper; it found the files but as soon as it deleted them they would come back.
I downloaded the VX2 finder and I am about to download the Spybot program. One question.. What is this VX2 that you referred to, and what are the risks to my system and privacy with my not knowing it is on my pc?
ArchiveData(adwarequarantine.bckp)
Referencefile : SE1R25 11.01.2005
======================================================
IMISERVER IEPLUGIN
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Process : C:\WINDOWS\SYSTB.DLL
obj[2]=Regkey : wbho.band.1
obj[3]=RegValue : wbho.band.1 ""
obj[4]=Regkey : wbho.band
obj[5]=RegValue : wbho.band ""
obj[6]=Regkey : typelib\{57add57b-173e-418a-8f70-17e5c9f2bcc9}
obj[7]=Regkey : interface\{3e589169-86ad-44fe-b426-f0bf105d5582}
obj[8]=RegValue : interface\{3e589169-86ad-44fe-b426-f0bf105d5582} ""
obj[9]=Regkey : clsid\{01f44a8a-8c97-4325-a378-76e68dc4ab2e}
obj[10]=RegValue : clsid\{01f44a8a-8c97-4325-a378-76e68dc4ab2e} ""
obj[11]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{01f44a8a-8c97-4325-a378-76e68dc4ab2e}
obj[54]=Regkey : software\intexp
obj[55]=RegValue : software\microsoft\internet explorer\toolbar "{2CDE1A7D-A478-4291-BF31-E1B4C16F92EB}"
obj[56]=File : C:\WINDOWS\wupdt.exe
obj[57]=File : C:\WINDOWS\systb.dll
obj[58]=File : C:\WINDOWS\redir.txt
obj[59]=File : C:\WINDOWS\lu.dat
VX2
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[1]=Process : C:\WINDOWS\LOCALNRD.DLL
obj[12]=Regkey : typelib\{3fa866ac-40d7-4fe6-babf-78ee854a4325}
obj[13]=Regkey : localnrddll.localnrddllobj.1
obj[14]=RegValue : localnrddll.localnrddllobj.1 ""
obj[15]=Regkey : localnrddll.localnrddllobj
obj[16]=RegValue : localnrddll.localnrddllobj ""
obj[17]=Regkey : interface\{a42c0ef4-1c76-43cc-989f-eadc7e4b755d}
obj[18]=RegValue : interface\{a42c0ef4-1c76-43cc-989f-eadc7e4b755d} ""
obj[19]=Regkey : clsid\{00320615-b6c2-40a6-8f99-f1c52d674fad}
obj[20]=RegValue : clsid\{00320615-b6c2-40a6-8f99-f1c52d674fad} ""
obj[21]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{00320615-b6c2-40a6-8f99-f1c52d674fad}
obj[22]=RegValue : .DEFAULT\software\localnrd "LNI0d1OfSInst"
obj[40]=File : c:\WINDOWS\SYSTEM32\randreco.exe
obj[42]=File : c:\WINDOWS\TEMP\banner.exe
obj[60]=Regkey : software\localnrd
obj[61]=RegValue : software\localnrd "LNI0d1OfSInst"
obj[62]=RegValue : software\localnrd "LNC0n1trMsgSDisp"
obj[63]=RegValue : software\localnrd "LNI0d1OfSDist"
obj[64]=RegValue : software\localnrd "LNT0o1pListSPos"
obj[65]=RegValue : software\localnrd "LNs0t1icky1S"
obj[66]=RegValue : software\localnrd "LNs0t1icky2S"
obj[67]=RegValue : software\localnrd "LNs0t1icky3S"
obj[68]=RegValue : software\localnrd "LNs0t1icky4S"
obj[69]=RegValue : software\localnrd "LNC1o0d1eOfSFinalAd"
obj[70]=RegValue : software\localnrd "LNT0i1m2eOfSFinalAd"
obj[71]=RegValue : software\localnrd "LND0s1tSSEnd"
obj[72]=RegValue : software\localnrd "LN0N1a2tionSCode"
obj[73]=RegValue : software\localnrd "LNP0D1om"
obj[74]=RegValue : software\localnrd "LNI0n1ProgSCab"
obj[75]=RegValue : software\localnrd "LNI0n1ProgSEx"
obj[76]=RegValue : software\localnrd "LNI0n1ProgSLstest"
obj[77]=RegValue : software\localnrd "LNL0a1stSSChckin"
obj[78]=RegValue : software\localnrd "LNB0D1om"
obj[79]=RegValue : software\localnrd "LNC0u1rrentSMode"
obj[80]=RegValue : software\localnrd "LNC0n1tFyl"
obj[81]=RegValue : software\localnrd "LNM0o1deSSync"
obj[82]=RegValue : software\localnrd "LNT0h1rshSBath"
obj[83]=RegValue : software\localnrd "LNT0h1rshSysSInf"
obj[84]=RegValue : software\localnrd "LNT0h1rshSCheckSIn"
obj[85]=RegValue : software\localnrd "LNT0h1rshSMots"
obj[86]=RegValue : software\localnrd "LNL0n1Title"
obj[87]=RegValue : software\localnrd "LNI0g1noreS"
obj[88]=RegValue : software\localnrd "LND0s1tSCHost"
obj[89]=RegValue : software\localnrd "LND0s1tSCPath"
obj[90]=RegValue : software\localnrd "LNS0t1atusOfSInst"
obj[91]=RegValue : software\localnrd "LNL0a1stMotsSDay"
obj[92]=Regkey : software\vendor\xml
obj[93]=RegValue : software\vendor\xml ""
obj[94]=Regkey : software\vendor
obj[95]=Regkey : .default\software\localnrd
obj[96]=RegValue : .default\software\localnrd "LNC0n1trMsgSDisp"
obj[97]=RegValue : .default\software\localnrd "LNI0d1OfSDist"
obj[98]=RegValue : .default\software\localnrd "LNT0o1pListSPos"
obj[99]=RegValue : .default\software\localnrd "LNs0t1icky1S"
obj[100]=RegValue : .default\software\localnrd "LNs0t1icky2S"
obj[101]=RegValue : .default\software\localnrd "LNs0t1icky3S"
obj[102]=RegValue : .default\software\localnrd "LNs0t1icky4S"
obj[103]=RegValue : .default\software\localnrd "LNC1o0d1eOfSFinalAd"
obj[104]=RegValue : .default\software\localnrd "LNT0i1m2eOfSFinalAd"
obj[105]=RegValue : .default\software\localnrd "LND0s1tSSEnd"
obj[106]=RegValue : .default\software\localnrd "LN0N1a2tionSCode"
obj[107]=RegValue : .default\software\localnrd "LNP0D1om"
obj[108]=RegValue : .default\software\localnrd "LNI0n1ProgSCab"
obj[109]=RegValue : .default\software\localnrd "LNI0n1ProgSEx"
obj[110]=RegValue : .default\software\localnrd "LNI0n1ProgSLstest"
obj[111]=RegValue : .default\software\localnrd "LNL0a1stSSChckin"
obj[112]=RegValue : .default\software\localnrd "LNB0D1om"
obj[113]=RegValue : .default\software\localnrd "LNC0u1rrentSMode"
obj[114]=RegValue : .default\software\localnrd "LNC0n1tFyl"
obj[115]=RegValue : .default\software\localnrd "LNM0o1deSSync"
obj[116]=RegValue : .default\software\localnrd "LNT0h1rshSBath"
obj[117]=RegValue : .default\software\localnrd "LNT0h1rshSysSInf"
obj[118]=RegValue : .default\software\localnrd "LNT0h1rshSCheckSIn"
obj[119]=RegValue : .default\software\localnrd "LNT0h1rshSMots"
obj[120]=RegValue : .default\software\localnrd "LNL0n1Title"
obj[121]=RegValue : .default\software\localnrd "LNI0g1noreS"
obj[122]=RegValue : .default\software\localnrd "LND0s1tSCHost"
obj[123]=RegValue : .default\software\localnrd "LND0s1tSCPath"
obj[124]=RegValue : .default\software\localnrd "LNS0t1atusOfSInst"
obj[125]=RegValue : .default\software\localnrd "LNL0a1stMotsSDay"
obj[126]=RegValue : software\microsoft\internet explorer\toolbar\webbrowser "{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
obj[127]=File : C:\WINDOWS\inf\LOCALNRD.INF
obj[128]=File : C:\WINDOWS\TEMP\dummy.htm
POSSIBLE BROWSER HIJACK ATTEMPT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[23]=RegData : Software\Microsoft\Internet Explorer\Main "Search Page"
obj[24]=RegData : Software\Microsoft\Internet Explorer\Main "Search Bar"
obj[25]=RegData : Software\Microsoft\Internet Explorer\Search "SearchAssistant"
obj[26]=RegData : Software\Microsoft\Internet Explorer\Search "CustomizeSearch"
obj[27]=RegData : .DEFAULT\Software\Microsoft\Internet Explorer\Main "Search Page"
obj[28]=RegData : .DEFAULT\Software\Microsoft\Internet Explorer\Main "Search Bar"
obj[29]=RegData : .DEFAULT\Software\Microsoft\Internet Explorer\SearchURL ""
TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[30]=IECache Entry : Cookie:[email protected]/
obj[31]=IECache Entry : Cookie:[email protected]/
obj[32]=IECache Entry : Cookie:[email protected]/
obj[33]=IECache Entry : Cookie:[email protected]/
obj[34]=IECache Entry : C:\WINDOWS\Cookies\cathy@apmebf[1].txt
obj[35]=IECache Entry : C:\WINDOWS\Cookies\cathy@overstock[2].txt
obj[36]=IECache Entry : C:\WINDOWS\Cookies\[email protected][2].txt
obj[37]=IECache Entry : C:\WINDOWS\Cookies\cathy@247realmedia[1].txt
obj[38]=IECache Entry : C:\WINDOWS\Cookies\cathy@seeq[1].txt
obj[39]=IECache Entry : C:\WINDOWS\Cookies\cathy@cgi-bin[2].txt
obj[43]=IECache Entry : c:\WINDOWS\Cookies\cathy@apmebf[1].txt
obj[44]=IECache Entry : c:\WINDOWS\Cookies\cathy@overstock[2].txt
obj[45]=IECache Entry : c:\WINDOWS\Cookies\[email protected][2].txt
obj[46]=IECache Entry : c:\WINDOWS\Cookies\cathy@247realmedia[1].txt
obj[47]=IECache Entry : c:\WINDOWS\Cookies\cathy@seeq[1].txt
obj[48]=IECache Entry : c:\WINDOWS\Cookies\cathy@cgi-bin[2].txt
obj[49]=IECache Entry : c:\WINDOWS\Cookies\cathy@advertising[1].txt
obj[50]=IECache Entry : c:\WINDOWS\Cookies\cathy@2o7[2].txt
obj[51]=IECache Entry : c:\WINDOWS\Cookies\[email protected][1].txt
obj[52]=IECache Entry : c:\WINDOWS\Cookies\cathy@doubleclick[1].txt
ELITUM.ELITEBARBHO
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[41]=File : c:\WINDOWS\TEMP\THI3270.TMP\preInsln.exe
obj[53]=File : c:\WINDOWS\PREINSLN.EXE
-
VX2 is an infection; we have to make sure you have no other files that need to be removed>>It's all related to a hijacker
Can you please post back with a fresh HijackThis log
also the log from VX2 Finder after you have run Spybot
The log you supplied is from Ad-Aware
-
Sorry, so many new programs to use.. I ran the VX2 program.. it found nothing... here is the HJT log
Logfile of HijackThis v1.99.0
Scan saved at 9:56:05 AM, on 1/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KNBVRK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\CALC.EXE
C:\WMCONNECT\WWM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [knbvrk] c:\windows\system\knbvrk.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/SafeCommon/downloads/WalletCab.CAB
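The two logs above (1/23 and 1/24) are the whole story of this thread in data form: the drsnsrch search hijack and the LOCALNRD/SYSTB helper objects are gone after Ad-Aware and Spybot, but knbvrk.exe is still in the Run key and a new BHO (ZSERV.DLL) has appeared, which is the signature of a running dropper re-installing its payload. The script below is an added example, not part of the original posts and not part of HijackThis; it parses the HJT entry format, flags the entry classes the helper acts on (R0/R1 search and start pages, O2 BHOs, O3 orphan toolbars, O4 autoruns), and diffs the two scans. The log excerpts are constructed from entries quoted in the thread, and the allow-lists (trusted search hosts, known BHO CLSIDs, known autorun names) are assumptions made for illustration, not a vendor whitelist.

```python
"""Triage and diff HijackThis (HJT) logs.

Added example for this thread; not part of HijackThis or of the original posts.
Log excerpts are constructed from entries quoted in the thread; the allow-lists
are assumptions for illustration.
"""
import re

# One HJT entry: a section code (R0, R1, O2, O4, ...) then " - " then the body.
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Assumed allow-lists: hosts the user's search/start pages may legitimately use,
# BHO CLSIDs the thread treats as legitimate (Adobe Reader, Spybot SDHelper),
# and autorun names the helper left alone. Everything else is raised for review.
TRUSTED_SEARCH_DOMAINS = {"www.yahoo.com", "red.clientapps.yahoo.com"}
KNOWN_BHO_CLSIDS = {"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",
                    "{53707962-6F74-2D53-2644-206D7942484F}"}
KNOWN_RUN_NAMES = {"SystemTray", "EnsoniqMixer", "SchedulingAgent"}

LOG_0123 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [knbvrk] c:\windows\system\knbvrk.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
"""

LOG_0124 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [knbvrk] c:\windows\system\knbvrk.exe
"""


def parse(log):
    """Return (kind, body) pairs for every entry line; header/process lines are ignored."""
    entries = []
    for raw in log.splitlines():
        match = HJT_LINE.match(raw.strip())
        if match:
            entries.append((match.group("kind"), match.group("body")))
    return entries


def _host(url):
    """Host part of a URL, tolerating values written without a scheme."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE).split("/")[0].lower()


def triage(log):
    """Return (reason, body) pairs for entries that deserve a second look."""
    findings = []
    for kind, body in parse(log):
        if kind in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            # Empty Local Page values and the window-title string are not URLs.
            if not value.strip() or "Window Title" in key:
                continue
            if _host(value.strip()) not in TRUSTED_SEARCH_DOMAINS:
                findings.append(("search/start page redirected off-domain", body))
        elif kind == "O2":
            clsid = CLSID.search(body)
            if clsid is None or clsid.group(0).upper() not in KNOWN_BHO_CLSIDS:
                findings.append(("browser helper object not on the known list", body))
        elif kind == "O3" and body.endswith("(no file)"):
            findings.append(("toolbar registration whose DLL is gone", body))
        elif kind == "O4":
            name = re.search(r"\[(.+?)\]", body)
            if name and name.group(1) not in KNOWN_RUN_NAMES:
                findings.append(("autorun entry not on the known list", body))
    return findings


def diff_logs(before, after):
    """Entries removed, added, and persisting between two scans of the same box."""
    old = {f"{kind} - {body}" for kind, body in parse(before)}
    new = {f"{kind} - {body}" for kind, body in parse(after)}
    return {"removed": sorted(old - new), "added": sorted(new - old),
            "persisted": sorted(old & new)}


if __name__ == "__main__":
    for reason, body in triage(LOG_0123):
        print(f"[1/23] {reason}: {body}")
    changes = diff_logs(LOG_0123, LOG_0124)
    for entry in changes["added"]:
        print("[appeared by 1/24]", entry)
    # A flagged entry that survives a cleanup is the re-infection loop the
    # thread describes; something still running is restoring it.
    flagged_after = {body for _, body in triage(LOG_0124)}
    for entry in changes["persisted"]:
        if any(entry.endswith(body) for body in flagged_after):
            print("[survived the cleanup]", entry)
```

The diff is the useful part for a case like this one: an entry that is flagged in both scans (here the knbvrk Run key) is not something the scanners missed, it is something that was deleted and put back, so the next step is to kill or bypass the process that restores it, which is what booting to Safe Mode achieves.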
-
sorry so many new programs to use
:D
No worries, most of them you can hang onto, don't get rid of them
If you're sure that the VX2 finder found nothing, not even a registry string, you can manually delete it
One more small program if you don't mind, again, yours to hang onto
Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup (http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe)
Install it for now but >>Don't run a scan yet
A great little utility to assist in cleaning those temp folders, hold onto this
Set Windows To Show Hidden Files and Folders
* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Click OK.
Please print the rest of this out or save to a notepad file on the desktop
I need you to
Restart your computer into SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039)
Find and delete these files or folders if they exist
C:\WINDOWS\ZSERV.DLL <--file
c:\windows\system\knbvrk.exe <--file
Do another scan with Hijackthis and put a check next to these entries:
Not all may be shown in safe mode but fix what I ask if you see them
I'm also including redclientapps.. Appears safe but is related to Red Sheriff spyware
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL
O4 - HKLM\..\Run: [knbvrk] c:\windows\system\knbvrk.exe
If you didn't intentionally install the next ones, fix them too
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Open Windows CleanUp! and click the Cleanup button
Let it finish scanning for files, when it's done restart back to Normal mode
I see that you're not running any Anti-Virus software
This is not too safe
If I'm mistaken and you have it disabled or you need a free solution
I very highly recommend that you immediately Download and Install the Free version of AVG 7 free
We must get your system more secure or you will be open for more infections
AVG is yours for free and will update for the life of the product
http://free.grisoft.com/freeweb.php/doc/2/
From that link scroll down to
avg70free_300a419.exe
Save the installer to desktop
Install it and allow it to Update and run a Full System scan
Let it fix whatever it finds
Restart your computer afterwards
Post back a fresh hijackthis log afterwards
-
:D Thank you Guestolo!
Safe mode worked as far as being able to delete those persistent files. But I have a few questions.
I have Norton 2002 Corporate Edition that I run at least once a week; as many times as I have used it, it never finds anything. So I go to the Trend "housecalls" website and do the free scan about once a week as a backup measure. About a week ago I found a worm virus and deleted it from my system. Norton did not detect this worm, but the Trend free program did. I only have 64 MB of RAM so my system runs very slow when I have too many processes running. That's why I do not normally keep the antivirus in my system tray. I have not downloaded the AVG program you suggested yet, but I plan to when I get home from work tonight. My question is this:
Is this AVG better than the Norton that I have? If so I would gladly remove Norton from my system, as it isn't really doing me any good if it cannot detect those ugly worms and trojans. It is a pain to have to go to the Trend site... It takes forever to go through the process on my pc.
I did all that you suggested otherwise in your post and here is the HJT log file I ran afterwards. I want to know if there is anything else here that is, or will, cause me problems. I play Party Poker a lot, and do not want to remove it from my system, so if I remove the files you suggested concerning it, will my program still run OK? Are these files required to run the program on my pc?
This file "O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe" in the scan log seems questionable to me and I want to know whether it is OK to have on my pc or not. It has a tendency to pop back into my start up folder whenever it wants to...
Also, there are files on my pc called "farmmext". I have heard references to this file in other posts; is this something bad that I should delete, as I don't remember ever downloading anything to do with this filename?
Logfile of HijackThis v1.99.0
Scan saved at 6:34:21 AM, on 1/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscan.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/SafeCommon/downloads/WalletCab.CAB
Thanks again for all your help, you are a lifesaver!
:D
-
Your version of Norton's is way out of date
I would shut it down in the Task Manager and then Uninstall it
Restart your computer to ensure it's removed
Install AVG's Anti-Virus software
Let it update and run a full system scan
EDIT>>If you have problems updating AVG, it's on their end
They say it will be fixed shortly, their servers are swamped
We can manually update if need be
But try the Automatic update a few times before giving up
:)
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
Check out this link
http://computercops.biz/startuplist-1116.html
or this one
http://www.pacs-portal.co.uk/startup_pages/starter_exe.htm
If this file is still around delete it
C:\WINDOWS\FARMMEXT.exe <--file
Leave the Party Poker Entries alone
Let me know if AVG finds anything bad
Post back a fresh hijackthis log and let me know if everything is running fine now
P.S.
I have a couple programs for you to Install afterwards to prevent these type of infections from happening again
Neither runs in the background using up valuable resources
What does concern me is your not running the AV on startup----you may be asking for trouble
:P
Be very careful
Also, how are you connected to the Internet
Cable or DSL?
Are you connected directly through the modem or through a Hardware Firewall (NAT Router)?
Your log indicates you may be connected directly to the Modem
Not safe being without a firewall; one can prevent hackers and other malicious activity from accessing your machine
I know, I know, you only have 64mb
RAM's quite cheap, you may want to upgrade---get at least another 128
If your Motherboard allows it.....
I'll leave that up to you
-
Hello, and my pc is still working after all these changes, so that is a good sign, right? ...lol
:D
I did all that you asked. I am leaving AVG running as you advised me to; it is in my system tray. Norton has been uninstalled, but I had to do it through Rnav2003.exe as it wouldn't uninstall any other normal way. I found the link through searching with Google.
I took a look at the pages on the Ensoniq mixer, but didn't know whether or not you saw this program as a good thing or not, so I didn't try to delete it. I am open to advice on this subject.
I am on 56k dial-up and my 64 MB of RAM slows me down quite a bit with it. I can't afford to upgrade right now, but I plan to as soon as I can.
I did delete the farmmext file, and ran all programs as you requested. Here is the HJT log
Logfile of HijackThis v1.99.0
Scan saved at 9:59:21 PM, on 1/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com
Also, I ran AVG and it found a virus, "Trojan horse Dropper.Agent.2.R"; it has been locked up in the AVG virus vault.
Thank you again for your help,
Catshere
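The log above is the kind of thing a helper reads by hand, section by section. As an added example (not code from the thread or from HijackThis itself), here is a small Python parser for the HijackThis v1.99 log format that splits the "Running processes" list from the R/O entries and then runs a first triage pass: unnamed BHOs (O2), startup items that carry no directory path (O4, such as the starter.exe line), Trusted Zone additions (O15) and processes running outside the usual system directories. Every flag means "look at this", not "this is malware"; the SDHELPER.DLL line it flags, for instance, belongs to Spybot. The sample log is constructed from the kinds of lines posted above; the directory list and the triage rules are assumptions for the example.

```python
"""Parser and triage pass for HijackThis v1.99-style logs.

Added example, not code from the thread or from HijackThis. The sample log
below is constructed from the kinds of lines the thread shows.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Generic entry: a section code (R0, R1, O2, O4, O15, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
# O4 body: "HKLM\..\Run: [Name] command line"
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Directories a Windows 98 machine normally runs programs from (assumption).
SYSTEM_DIRS = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\", "C:\\PROGRA~1\\")

# Constructed sample in the shape of the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows 98 SE (Win9x 4.10.2222A)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O15 - Trusted Zone: http://Download.Windowsupdate.com
"""


@dataclass
class HjtLog:
    processes: list[str] = field(default_factory=list)
    entries: dict[str, list[str]] = field(default_factory=dict)  # kind -> bodies


def parse_hjt_log(text: str) -> HjtLog:
    """Split a HijackThis log into the process list and the keyed entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # the first R/O entry ends the process list
            log.entries.setdefault(m["kind"], []).append(m["body"])
        elif in_processes:
            log.processes.append(line)
    return log


def triage(log: HjtLog) -> list[tuple[str, str]]:
    """Return (section, reason) pairs for entries a human should review."""
    findings: list[tuple[str, str]] = []
    for body in log.entries.get("O2", []):
        if body.startswith("BHO: (no name)"):
            findings.append(("O2", f"unnamed BHO, verify its DLL: {body}"))
    for body in log.entries.get("O4", []):
        m = O4_RE.match(body)
        if m:
            exe = m["cmd"].split()[0]
            if "\\" not in exe:  # bare filename: found via search path, origin unclear
                findings.append(("O4", f"startup item without a full path: [{m['name']}] {exe}"))
    for body in log.entries.get("O15", []):
        findings.append(("O15", f"Trusted Zone entry, confirm it is wanted: {body}"))
    for proc in log.processes:
        if not proc.upper().startswith(SYSTEM_DIRS):
            findings.append(("process", f"running from an unusual location: {proc}"))
    return findings


if __name__ == "__main__":
    for section, reason in triage(parse_hjt_log(SAMPLE_LOG)):
        print(f"{section:8} {reason}")
```

Run it against a real log by reading the saved log file into `parse_hjt_log`; the point is to shorten the manual read, not to decide what to fix, which is what the thread's helper does with the full context.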
-
Log looks good, not sure if I'm seeing all the whole bottom part however
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link==https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
Scroll down and click on IE-SPYAD.EXE Free!
If you find that a scan with Hijackthis takes a lot longer after installing IE-Spyad
Not to worry, both SpywareBlaster and IE-Spyad add a long list to your Restricted sites
Hijackthis checks these areas in the registry
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Both of the above programs don't run in the background
Consider them Silent Spyware Blockers
Hold onto Spybot and Ad-Aware and check for updates every couple of weeks and run a scan
For a little extra protection with Spybot
Open it
Click Immunization>>OK>>Immunize at the top
Hold onto Windows cleanup and clean those temp folders regularly
At least every couple of weeks
Keep AVG enabled
Stay safe
-
Hi
I have been monitoring this post because I had a similar problem to Catshere's on my Windows 98 SE machine. I've been battling this thing for a month and I managed to clean up pretty good with Spybot and Ad-aware. I am currently running AVG as the Virus Protection on that machine, but the trojan horse Dropper.Agent.2.R keeps popping up. I connect to the Internet through cable. Is there a way to eliminate it completely?
-
Hi Chukesgirl
Can you please start your own post in this forum
Simply CLICK HERE: http://www.thetechguide.com/forum/index.php?showforum=4
and then click the NEW TOPIC
Also include a Hijackthis log
Can you Download Hijackthis 1.99
A small utility to help identify if any Hijackers, Malware, Spyware, etc.....Reside on your computer
Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT
Now you will have C:\HJT
Download Hijackthis from https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe or http://aumha.org/downloads/hijackthis.exe
Save it to that new folder
Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important
-
I'll lock this topic as your problems are resolved
If you need it reopened, please PM the site Admin or a MOD
Supply a link to this thread
Anyone else with similar problems please start your own topic and include a Hijackthis log