TheTechGuide Forum
General Category => Tech Clinic => Topic started by: hbkisurf on April 03, 2005, 05:33:22 PM
-
I've been beating my head against the wall trying to remove daosearch from my computer this afternoon. I downloaded MS Antispyware, Adaware, and AVG. I got rid of a lot of stuff but not dao search. Here's my Hijack log.
Logfile of HijackThis v1.99.1
Scan saved at 5:30:12 PM, on 4/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\Dit.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\X1002142005.exe
C:\windows\system32\taskmg.exe
C:\WINDOWS\System32\Services\{19367764-4E1A-4C50-8617-7932B4F01202}\SVCHOST.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\windows\system32\gtrnupr.exe
C:\WINDOWS\System32\apphelp2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\occo.exe
C:\WINDOWS\System32\n?tepad.exe
C:\windows\lfpodef.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\windows\system32\packager.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Misc\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_a
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {2720B0EE-0E7E-53F6-23A0-5710A712CEC9} - C:\WINDOWS\System32\hkdjlh.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsz12.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [SysMon] C:\windows\system32\mswkrvw32.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Visual Element Fx] C:\WINDOWS\System32\X1002142005.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{19367764-4E1A-4C50-8617-7932B4F01202}\SVCHOST.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gtrnupr] c:\windows\system32\gtrnupr.exe
O4 - HKLM\..\Run: [aa737f432195] C:\WINDOWS\System32\apphelp2.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Epar] C:\WINDOWS\System32\occo.exe
O4 - HKCU\..\Run: [Oqreuxl] C:\WINDOWS\System32\n?tepad.exe
O4 - HKCU\..\Run: [oqxsmlt] c:\windows\mjfjqmq.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted IP range: 213.159.118.228
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.1.4.29/aces/aces-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.2.21/jigsaw/jigsaw-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.1.0.39/gin/gin-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.1.5.28/lottso/lottso-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.0.2.21/pinochle/pinochle-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.2.29/squelchies/squelchies-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.2.21/wordjong/wordjong-ob-assets.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O21 - SSODL: NTDBGTOOL - {C6653EF2-B653-4B23-AA84-706BDF2C6EFD} - C:\WINDOWS\System32\mfcsicda.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Any help would be appreciated. Thanks.
-
Please take the time to register on the forum and supply a fresh HijackThis log, thanks
-
Sorry about that. Registered now. Here's the latest log.
Logfile of HijackThis v1.99.1
Scan saved at 7:07:00 PM, on 4/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\Dit.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\X1002142005.exe
C:\windows\system32\taskmg.exe
C:\WINDOWS\System32\Services\{19367764-4E1A-4C50-8617-7932B4F01202}\SVCHOST.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\windows\system32\gtrnupr.exe
C:\WINDOWS\System32\apphelp2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\occo.exe
C:\WINDOWS\System32\n?tepad.exe
C:\windows\lfpodef.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\windows\system32\packager.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Misc\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_a
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {2720B0EE-0E7E-53F6-23A0-5710A712CEC9} - C:\WINDOWS\System32\hkdjlh.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsz12.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [SysMon] C:\windows\system32\mswkrvw32.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Visual Element Fx] C:\WINDOWS\System32\X1002142005.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{19367764-4E1A-4C50-8617-7932B4F01202}\SVCHOST.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gtrnupr] c:\windows\system32\gtrnupr.exe
O4 - HKLM\..\Run: [aa737f432195] C:\WINDOWS\System32\apphelp2.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Epar] C:\WINDOWS\System32\occo.exe
O4 - HKCU\..\Run: [Oqreuxl] C:\WINDOWS\System32\n?tepad.exe
O4 - HKCU\..\Run: [oqxsmlt] c:\windows\mjfjqmq.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted IP range: 213.159.118.228
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.1.4.29/aces/aces-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.2.21/jigsaw/jigsaw-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.1.0.39/gin/gin-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.1.5.28/lottso/lottso-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.0.2.21/pinochle/pinochle-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.2.29/squelchies/squelchies-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.2.21/wordjong/wordjong-ob-assets.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O21 - SSODL: NTDBGTOOL - {C6653EF2-B653-4B23-AA84-706BDF2C6EFD} - C:\WINDOWS\System32\mfcsicda.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Thanks in advance.
-
Can you do me a favor please
Open Hijackthis>>Open Misc Tools Section>>Open Uninstall Manager
Click the "Save List" button
Save to your desktop and copy and paste back the contents
-
Here's the uninstall list. Thanks.
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Photoshop 6.0
Adobe Photoshop 7.0
Adobe Premiere 6.0
Advanced RealMedia Export Plug-in for Premiere 6.0
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Free Edition
Cleaner 5 EZ
EPSON Printer Software
HijackThis 1.99.1
hp instant support
hp officejet 6100 series
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp officejet 6100 series
I.E. Host
Ink Monitor
LexarMedia ImageRescue Software
Microsoft .NET Framework 1.1
Microsoft AntiSpyware
Microsoft Office XP Professional
ML-1430 Series
Multi-Card Reader & Flash Disk
MyDVD
PowerStrip 3 (remove only)
Quicken 2005
ScanWizard 5
ShowBiz
Sonic DLA
Sonic RecordNow DX
Sonic Simple Backup
Sonic Update Manager
TurboTax Deluxe 2004
VIA Audio Driver Setup Program
Visual Element FX
WingMan Software
WinZip
-
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
Download CWShredder.exe from my link below in my signature and save it to your desktop
Don't run it yet
Download and save to your desktop
FixBinet.exe by Symantec (http://securityresponse.symantec.com/avcenter/FixBinet.exe)
Don't run it yet
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_a
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {2720B0EE-0E7E-53F6-23A0-5710A712CEC9} - C:\WINDOWS\System32\hkdjlh.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsz12.dll
O4 - HKLM\..\Run: [SysMon] C:\windows\system32\mswkrvw32.exe
O4 - HKLM\..\Run: [Visual Element Fx] C:\WINDOWS\System32\X1002142005.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{19367764-4E1A-4C50-8617-7932B4F01202}\SVCHOST.EXE
O4 - HKLM\..\Run: [gtrnupr] c:\windows\system32\gtrnupr.exe
O4 - HKLM\..\Run: [aa737f432195] C:\WINDOWS\System32\apphelp2.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [Epar] C:\WINDOWS\System32\occo.exe
O4 - HKCU\..\Run: [Oqreuxl] C:\WINDOWS\System32\n?tepad.exe
O4 - HKCU\..\Run: [oqxsmlt] c:\windows\mjfjqmq.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted IP range: 213.159.118.228
O21 - SSODL: NTDBGTOOL - {C6653EF2-B653-4B23-AA84-706BDF2C6EFD} - C:\WINDOWS\System32\mfcsicda.dll
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Access your Add/Remove programs and remove "Visual Element Fx"
If you don't remember installing it
RESTART your computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
by tapping the F8 key as the system is restarting, or use the link for a more detailed explanation
In safe mode
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Find and delete these files or folders if found
C:\WINDOWS\System32\SearchBar.htm <-file
C:\WINDOWS\dlmax.dll
C:\WINDOWS\System32\hkdjlh.dll
C:\WINDOWS\System32\nsz12.dll
C:\windows\system32\mswkrvw32.exe
C:\WINDOWS\System32\X1002142005.exe <-file if Visual Element Fx wasn't purposely installed, or you don't know what it is
c:\windows\system32\taskmg.exe <-file, notice the spelling, don't delete anything else because it looks similar
c:\windows\system32\gtrnupr.exe
C:\WINDOWS\System32\apphelp2.exe
C:\WINDOWS\farmmext.exe
C:\WINDOWS\System32\mfcsicda.dll
C:\WINDOWS\System32\occo.exe
c:\windows\mjfjqmq.exe
C:\Program Files\Bpt <-folder
C:\WINDOWS\System32\Services\{19367764-4E1A-4C50-8617-7932B4F01202} <-folder
Stay in safe mode and run FixBinet.exe
Let it scan your drive and fix what it finds
Afterwards
Run CWShredder and click the FIX button, the scan won't take long, let it fix what it finds
Restart back to Normal mode
Post back a fresh Hijackthis log
Could you also
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Export.bat
Save this file on the desktop
Double click on Export.bat, a text file will open, copy and paste back the contents
REM List every file in System32 whose name is n<any one character>tepad.exe, hidden files included
dir C:\WINDOWS\System32\n?tepad.exe /a > files.txt
notepad files.txt
Also let me know what else you see in this folder
C:\WINDOWS\System32\Services <--let me know what's inside
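The post above picks the bad entries out of the log by eye. As an added example (editor's code, not part of this thread or of HijackThis), the Python below applies the same rules mechanically to HijackThis lines: a start or search page pointing at a local file or an unfamiliar host, Run entries that load a file straight out of \windows or \system32, a file name one edit away from a system binary (taskmg.exe, n?tepad.exe), an svchost.exe outside System32 or inside a GUID-named folder, a raw IP in the Trusted zone, and an SSODL entry. The sample log is constructed from lines in this thread; KNOWN_GOOD and DEFAULT_HOSTS are assumptions standing in for the known-good database a real analyst would use.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: lines taken from the first log in this thread, plus two
# legitimate entries (AVG, Sonic DLA) the heuristics must leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_a
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
O2 - BHO: (no name) - {2720B0EE-0E7E-53F6-23A0-5710A712CEC9} - C:\WINDOWS\System32\hkdjlh.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{19367764-4E1A-4C50-8617-7932B4F01202}\SVCHOST.EXE
O4 - HKLM\..\Run: [gtrnupr] c:\windows\system32\gtrnupr.exe
O4 - HKCU\..\Run: [Oqreuxl] C:\WINDOWS\System32\n?tepad.exe
O15 - Trusted IP range: 213.159.118.228
O21 - SSODL: NTDBGTOOL - {C6653EF2-B653-4B23-AA84-706BDF2C6EFD} - C:\WINDOWS\System32\mfcsicda.dll
"""

# Binaries that malware impersonates with a one-character change.
SYSTEM_BINARIES = {"notepad.exe", "svchost.exe", "taskmgr.exe", "explorer.exe",
                   "lsass.exe", "winlogon.exe", "services.exe", "csrss.exe"}
# Assumptions standing in for a real known-good database: files this box may
# legitimately load straight from the Windows directory, and default IE hosts.
KNOWN_GOOD = {"dit.exe", "msdxm.ocx"}
DEFAULT_HOSTS = {"www.msn.com", "search.msn.com", "home.microsoft.com", "www.google.com"}
# A Run entry pointing straight at a file here is unusual: real software installs under Program Files.
WINDOWS_DIRS = {"\\windows", "\\windows\\system32"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"[a-z]:\\[^\s\"]+?\.(?:exe|dll|ocx|htm)", re.IGNORECASE)
GUID_DIR_RE = re.compile(r"\\\{[0-9a-f-]{36}\}\\", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Plain dynamic-programming edit distance; inputs are short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(base: str) -> Optional[str]:
    """System binary that `base` impersonates (edit distance exactly 1), else None."""
    base = base.lower()
    if base in SYSTEM_BINARIES:
        return None
    return next((real for real in SYSTEM_BINARIES if levenshtein(base, real) == 1), None)


def split_path(path: str) -> Tuple[str, str]:
    """Lower-case a Windows path; return (directory without drive letter, basename)."""
    directory, _, base = path.lower().rpartition("\\")
    return directory[2:], base


def triage_line(line: str) -> List[str]:
    """Reasons one HijackThis line deserves a second look (empty list if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons: List[str] = []
    if kind in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip().lower()
        if value.startswith("file://"):
            reasons.append("IE search page redirected to a local HTML file")
        elif value.startswith("http://") and value != "http://":
            host = value.split("/")[2]
            if host not in DEFAULT_HOSTS:
                reasons.append(f"IE start/search page points at unfamiliar host {host}")
    if kind == "O15" and "Trusted IP range" in body:
        reasons.append("raw IP address added to the IE Trusted zone")
    if kind == "O21":
        reasons.append("non-default ShellServiceObjectDelayLoad entry (loaded by Explorer at logon)")
    for path in PATH_RE.findall(body):
        directory, base = split_path(path)
        real = lookalike_of(base)
        if real:
            reasons.append(f"{base} is one edit away from {real}")
        if "?" in base or not base.isascii():
            reasons.append(f"{base!r} contains a non-ASCII or unprintable character")
        if GUID_DIR_RE.search(path):
            reasons.append(f"executable hosted in a GUID-named folder: {path}")
        if base in SYSTEM_BINARIES and directory not in WINDOWS_DIRS:
            reasons.append(f"{base} running from {directory} instead of the Windows directory")
        if directory in WINDOWS_DIRS and base not in KNOWN_GOOD | SYSTEM_BINARIES:
            reasons.append(f"unrecognised file loaded straight from {directory}")
    return reasons


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Lines of a whole log that raised something, paired with their reasons."""
    pairs = ((line.strip(), triage_line(line)) for line in log.splitlines())
    return [(line, reasons) for line, reasons in pairs if reasons]
```

Running triage(SAMPLE_LOG) flags nine of the eleven lines and leaves the AVG and DriveLetterAccess entries alone; the n?tepad.exe entry collects three reasons at once (one edit from notepad.exe, an unprintable character in the name, and an unknown file loaded from System32), which is why the helper singled it out for a separate hunt.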
-
I followed all of the instructions. The following 2 files were not present:
c:\windows\system32\x1002142005.exe - probably because I uninstalled Visual Element Fx, because I didn't know what it was
c:\windows\system32\occo.exe
FixBinet.exe deleted one file and CWShredder removed CWS.IEengine.
Here's the new log:
Logfile of HijackThis v1.99.1
Scan saved at 9:48:35 PM, on 4/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\Dit.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Misc\HijackThis.exe
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SysMon] C:\windows\system32\mswkrvw32.exe
O4 - HKLM\..\Run: [gtrnupr] c:\windows\system32\gtrnupr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [oqxsmlt] c:\windows\mjfjqmq.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.1.4.29/aces/aces-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.2.21/jigsaw/jigsaw-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.1.0.39/gin/gin-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.1.5.28/lottso/lottso-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.0.2.21/pinochle/pinochle-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.2.29/squelchies/squelchies-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.2.21/wordjong/wordjong-ob-assets.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Here's the text from running export.bat
Volume in drive C has no label.
Volume Serial Number is 2CA9-E7A1
Directory of C:\WINDOWS\System32
09/03/2002 11:49 AM 66,048 notepad.exe
03/28/2005 08:59 AM 417,792 n?tepad.exe
Directory of C:\WINDOWS\System32
2 File(s) 483,840 bytes
0 Dir(s) 108,783,419,392 bytes free
Here's what's in the c:\windows\system32\services folder
{586B925B-8D0E-475D-921F-8C9A69322C87} folder which contains:
svchost32.dll
svchost.dll
svchost.exe
Thanks for your help.
-
Go ahead and delete this folder
{586B925B-8D0E-475D-921F-8C9A69322C87}
In the c:\windows\system32\services folder
Also
as you can see by these entries from Export.bat
09/03/2002 11:49 AM 66,048 notepad.exe <--good guy
03/28/2005 08:59 AM 417,792 n?tepad.exe <--bad guy
Manually navigate to your
C:\WINDOWS\System32 folder
You will have to track down the bad guy; it may even be disguised as the legitimate notepad.exe
Right click on it and left click properties
To identify the correct bad guy
Look for a Creation date of 03/28/2005
and a size of about 417kb
Delete only the bad guy
Afterwards
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O4 - HKLM\..\Run: [SysMon] C:\windows\system32\mswkrvw32.exe
O4 - HKLM\..\Run: [gtrnupr] c:\windows\system32\gtrnupr.exe
O4 - HKCU\..\Run: [oqxsmlt] c:\windows\mjfjqmq.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer and post back a fresh Hijackthis log
Can you also let me know if FixBinet found anything when you ran it, thanks
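Tracking down the disguised n?tepad.exe by hand (creation date, size, a name that may even display as notepad.exe) is the kind of job a short script does better. This added example is editor's code, not from the thread or any tool named in it. It generalises the helper's dir n?tepad.exe wildcard: for every protected name it matches each one-character substitution or deletion, skips the genuine spelling, and reports size, creation time, hidden bit and the exact code point of any non-ASCII character in the name. PROTECTED is an assumption, and build_demo_dir() is a constructed fixture whose impostor is spelled with a Cyrillic "o" and sized at the 417,792 bytes the thread's listing shows. On a real box, point hunt() at C:\WINDOWS\System32.

```python
import fnmatch
import os
import stat
import tempfile
import unicodedata
from datetime import datetime
from pathlib import Path
from typing import Dict, List

# Names worth protecting: the genuine file is this exact ASCII spelling and nothing else (assumption).
PROTECTED = ["notepad.exe", "svchost.exe", "taskmgr.exe"]


def lookalike_patterns(real: str) -> List[str]:
    """Generalise the thread's `dir n?tepad.exe` trick: a '?' at every position of the
    stem (one substituted character) plus the stem with each character dropped."""
    stem, suffix = real.rsplit(".", 1)
    substituted = [stem[:i] + "?" + stem[i + 1:] + "." + suffix for i in range(len(stem))]
    dropped = [stem[:i] + stem[i + 1:] + "." + suffix for i in range(len(stem))]
    return substituted + dropped


def describe(path: Path, impersonates: str) -> Dict[str, object]:
    """The facts the thread compares by hand (size, creation time, hidden bit), plus the
    code point of every character that is not printable ASCII, so a Cyrillic or Latin-1
    'o' that Explorer renders as '?' or as an ordinary 'o' cannot hide."""
    st = path.stat()
    odd = [f"U+{ord(c):04X} ({unicodedata.name(c, 'unnamed')})"
           for c in path.name if not 0x20 <= ord(c) <= 0x7E]
    hidden = bool(getattr(st, "st_file_attributes", 0) & stat.FILE_ATTRIBUTE_HIDDEN)
    created = getattr(st, "st_birthtime", st.st_ctime)   # st_ctime is metadata-change time on POSIX
    return {"path": str(path), "impersonates": impersonates, "size": st.st_size,
            "created": datetime.fromtimestamp(created).isoformat(timespec="seconds"),
            "hidden": hidden, "non_ascii": odd}


def hunt(directory: Path) -> List[Dict[str, object]]:
    """Every file one character away from a protected name that is not the genuine file."""
    findings = []
    with os.scandir(directory) as entries:          # unlike plain `dir`, this includes hidden files
        for entry in sorted(entries, key=lambda e: e.name):
            if not entry.is_file():
                continue
            name = entry.name.lower()               # NTFS is case-insensitive
            for real in PROTECTED:
                if name == real:
                    continue                        # the genuine file also matches n?tepad.exe
                if any(fnmatch.fnmatchcase(name, p) for p in lookalike_patterns(real)):
                    findings.append(describe(Path(entry.path), real))
                    break
    return findings


def build_demo_dir() -> Path:
    """Constructed fixture: the genuine notepad.exe at the size in the thread's dir listing,
    an impostor spelled with CYRILLIC SMALL LETTER O at the size the thread reports, a
    taskmgr.exe with the r dropped, and an unrelated file that must not be reported."""
    d = Path(tempfile.mkdtemp(prefix="system32-demo-"))
    (d / "notepad.exe").write_bytes(b"MZ" + b"\0" * 66046)          # 66,048 bytes
    (d / "n\u043etepad.exe").write_bytes(b"MZ" + b"\0" * 417790)    # 417,792 bytes
    (d / "taskmg.exe").write_bytes(b"MZ")
    (d / "avgcc.exe").write_bytes(b"MZ")
    return d


if __name__ == "__main__":
    for finding in hunt(build_demo_dir()):
        print(finding)
```

The impostor is reported with non_ascii ["U+043E (CYRILLIC SMALL LETTER O)"], which is the detail a right-click on Properties never shows; the deletion patterns also catch taskmg.exe from the same log, which the single-wildcard dir command would miss.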
-
I had no luck finding the bad guy. There is no file on my computer created 3/28/2005 and nothing resembling a notepad file name in the system32 directory.
I ran Hijack again and fixed the items you mentioned. Here's the new log.
Logfile of HijackThis v1.99.1
Scan saved at 10:46:33 PM, on 4/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\Dit.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Misc\HijackThis.exe
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.1.4.29/aces/aces-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.2.21/jigsaw/jigsaw-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.1.0.39/gin/gin-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.1.5.28/lottso/lottso-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.0.2.21/pinochle/pinochle-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.2.29/squelchies/squelchies-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.2.21/wordjong/wordjong-ob-assets.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
The FixBinet deleted 1 file when it ran. Thanks.
Do you think I'm clean now...even though I can't find the bad notepad file? Do you think using Firefox instead of IE would have prevented this problem?
-
I always use Firefox, well almost always
I have to use IE when I check Windows Updates
You may want to go back to your System32 folder
Make sure you're set to show hidden files and folders
In the System32 folder
Click VIEW at the top and then click DETAILS
After details is selected
Arrange the files by name
Then look for the file n?tepad.exe
Correct size and date
As mentioned it may be called notepad.exe
Don't delete the legit one
If you still can't find it
Let's do some final cleanup
If everything is running better
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
Tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
With both, check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
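One way to automate the "look for the file n?tepad.exe" step from the reply above, as an added example that is not from this thread: a Python script (rather than the Explorer details view the reply describes) that lists files whose names differ from a known system binary by exactly one character or contain non-ASCII characters, and reports the size and date the reply asks to compare. KNOWN_BINARIES and the temporary sample folder are constructed for illustration; point scan_dir at the real System32 folder to use it.

```python
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Dict, List, Optional, Set

# Hypothetical reference list; extend with the binaries you want to protect.
KNOWN_BINARIES: Set[str] = {"notepad.exe", "svchost.exe", "explorer.exe", "lsass.exe"}

def lookalike_of(name: str, known: Set[str] = KNOWN_BINARIES) -> Optional[str]:
    """Return the legitimate name that `name` imitates, or None.
    A lookalike has the same length as a known name and differs in exactly one
    character: a typo-squat or a non-ASCII homoglyph (what HijackThis shows as
    the '?' in n?tepad.exe). Case is ignored because NTFS is case-insensitive."""
    lower = name.lower()
    if lower in known:
        return None
    for legit in known:
        if len(lower) == len(legit) and sum(a != b for a, b in zip(lower, legit)) == 1:
            return legit
    return None

def scan_dir(folder: Path) -> List[Dict[str, object]]:
    """Report each file whose name imitates a known binary or contains non-ASCII
    characters, together with the size and date the reply asks to compare."""
    findings = []
    for entry in sorted(folder.iterdir()):
        if not entry.is_file():
            continue
        imitates = lookalike_of(entry.name)
        non_ascii = [f"U+{ord(c):04X}" for c in entry.name if ord(c) > 127]
        if imitates or non_ascii:
            st = entry.stat()
            findings.append({"name": entry.name, "imitates": imitates,
                             "non_ascii": non_ascii, "size": st.st_size,
                             "modified": datetime.fromtimestamp(st.st_mtime).isoformat()})
    return findings

def build_sample_dir() -> Path:
    """Constructed stand-in for System32: a legitimate notepad.exe, an impostor
    whose 'o' is Cyrillic U+043E, and an unrelated DLL that must not be flagged."""
    folder = Path(tempfile.mkdtemp())
    (folder / "notepad.exe").write_bytes(b"legit" * 100)
    (folder / "n\u043etepad.exe").write_bytes(b"bad" * 10)
    (folder / "kernel32.dll").write_bytes(b"x")
    return folder

if __name__ == "__main__":
    for finding in scan_dir(build_sample_dir()):
        print(finding)
```

Compare each flagged file's size and date against the legitimate copy before deleting anything, as the reply says; the script only narrows the list, it does not decide.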
-
I double checked the system folder again and still found no file matching the description...hopefully it is gone.
I went ahead and followed the rest of your instructions. Things seem to be working just fine now. Thanks for all of your help.