TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Kotomi on July 27, 2006, 07:12:44 PM

Title: Missing File.
Post by: Kotomi on July 27, 2006, 07:12:44 PM
Hi,

My friend is having a bit of a problem with her laptop. About a year ago she had to get her laptop fixed and they erased all of her stuff. She said they were deleting files out and seemed to have messed with the file. I had her search her computer and two files came up, one in C:\I386 and one in C:\WINDOWS\SYSTEM32. Now she says when she starts her computer a message comes up saying something like 'We cannot run or find csrss.new.exe' or something like that. When she clicked on the file in system32 it said 'The C:\WINDOWS\SYSTEM32\CSRSS.EXE application cannot be run in the Win32 mode.'. So does anyone know how to fix this?
Title: Missing File.
Post by: guestolo on July 27, 2006, 07:29:20 PM
From my signature below, download and save to a permanent folder of its own on your hard drive:
Hijackthis 1.99.1
Open Hijackthis.exe

Do a "SCAN and Save a Log file"
A log will open in Notepad
Copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important
Title: Missing File.
Post by: Kotomi on July 27, 2006, 08:12:19 PM
Logfile of HijackThis v1.99.1
Scan saved at 8:53:37 PM, on 7/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\isnotify.exe
C:\WINDOWS\System32\issearch.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\ismon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\abeae62d.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\rac\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gfcxueaxfycgvxligh.net/Tnpd6TLHgsQo5rlqGjpP6Np2h6o81lig44OM4V014AWlDg0XxjlM6zl0CqYmEUIp.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zutmdhcivgecdcmawaxgjg.com/Tnpd6TLHgsTJG7BNf75BUTOE/u643sxlChD034Qo0YU.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=C:\WINDOWS\System32\jqfmlqsvk\csrss.new.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\jqfmlqsvk\csrss.new.exe
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\System32\ixt0.dll
O2 - BHO: (no name) - {BC041340-B56E-566D-ADE0-9F813CD4C39B} - C:\DOCUME~1\rac\APPLIC~1\GREATB~1\Base delete.exe
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [16 Bat Meet Curb] C:\Documents and Settings\All Users\Application Data\htmjump16bat\active 4.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [abeae62d.exe] C:\WINDOWS\System32\abeae62d.exe
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKCU\..\Run: [view 32] C:\DOCUME~1\rac\APPLIC~1\RDRGPL~1\Chin Once.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [abeae62d.exe] C:\Documents and Settings\rac\Local Settings\Application Data\abeae62d.exe
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125525808814
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7B02858-3F51-45F8-B281-238FC9B483EA}: NameServer = 172.16.24.34,172.16.24.35
O18 - Protocol: bw+0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: offline-8876480 - {B9E9983D-A32F-4EEB-BDF7-57FF4E7C8CD1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\PROGRA~1\RXTOOL~1\sfcont.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINDOWS\System32\yephk.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


This is what she got.
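A log like the one above is read by hand in this thread, but the entries that drew the helper's attention follow recognisable patterns: a win.ini load=/run= line pointing at a file named after a core system process (csrss.new.exe) in a random-named folder, Run entries with hexadecimal names or living under the user profile, an unnamed BHO, a text/html MIME filter, and a ShellServiceObjectDelayLoad DLL. The script below is an added example, not code from the forum or from HijackThis itself; it encodes those heuristics as a triage pass over HijackThis-format lines. The sample log is constructed, modelled on lines in the post above, and the severity labels and thresholds (the 0.3 vowel ratio used to call a domain "random-looking") are the example's own assumptions, meant to prioritise what a human then verifies, not to declare anything malicious on their own.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 log format, modelled on the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gfcxueaxfycgvxligh.net/Tnpd6TLH.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
F3 - REG:win.ini: load=C:\WINDOWS\System32\jqfmlqsvk\csrss.new.exe
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\System32\ixt0.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [abeae62d.exe] C:\WINDOWS\System32\abeae62d.exe
O4 - HKCU\..\Run: [view 32] C:\DOCUME~1\rac\APPLIC~1\RDRGPL~1\Chin Once.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - Startup: csrss.lnk = ?
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\PROGRA~1\RXTOOL~1\sfcont.dll
O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINDOWS\System32\yephk.dll
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

# Core Windows processes that are started by the kernel, the session manager or
# winlogon, never via Run keys or the Startup folder.
SYSTEM_PROCESS_NAMES = {"csrss", "smss", "winlogon", "lsass", "services", "svchost", "explorer"}
# Path fragments that place an autostart executable inside a user profile.
USER_PROFILE_MARKERS = ("documents and settings", "docume~1", "application data", "applic~1", "local settings")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (assumed scale for this example)
    reason: str
    line: str


def _hostname(url):
    m = re.match(r"https?://([^/\s]+)", url, re.I)
    return m.group(1).lower() if m else ""


def _looks_random(label):
    """Heuristic: long DNS labels with few vowels read as machine-generated."""
    if len(label) < 12:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return vowels / len(label) < 0.3


def _check_autostart(line):
    out = []
    m = re.match(r"O4 - (?:Global )?Startup: (.+?) = (.*)$", line)
    if m:
        stem = m.group(1).lower().rsplit(".", 1)[0]      # "csrss.lnk" -> "csrss"
        if m.group(2).strip() == "?":
            out.append(Finding("medium", "startup shortcut whose target cannot be resolved", line))
        if stem in SYSTEM_PROCESS_NAMES:
            out.append(Finding("high", f"startup item named after core system process '{stem}'", line))
        return out
    m = re.match(r"O4 - .*?Run: \[[^\]]*\] (.*)$", line)
    if not m:
        return out
    rest = m.group(1).strip()
    exe = re.match(r'"?(.*?\.exe)', rest, re.I)          # drop quotes and trailing arguments
    path = (exe.group(1) if exe else rest).lower()
    stem = path.replace("/", "\\").split("\\")[-1].rsplit(".", 1)[0]
    if any(marker in path for marker in USER_PROFILE_MARKERS):
        out.append(Finding("medium", "autostart executable located inside a user profile directory", line))
    if re.fullmatch(r"[0-9a-f]{8}", stem):
        out.append(Finding("medium", "autostart executable with a random hexadecimal filename", line))
    if stem in SYSTEM_PROCESS_NAMES:
        out.append(Finding("high", f"Run entry named after core system process '{stem}'", line))
    return out


def triage(log_text):
    """Return findings for the HijackThis-format lines in log_text, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        if kind == "F3" and re.search(r"win\.ini: (load|run)=\S", line):
            findings.append(Finding("high", "win.ini load=/run= autostart (legacy mechanism, rarely legitimate)", line))
        elif kind in ("R0", "R1"):
            m = re.search(r"= (https?://\S+)", line)
            if m and any(_looks_random(lbl) for lbl in _hostname(m.group(1)).split(".")):
                findings.append(Finding("medium", "browser start/search page points at a random-looking domain", line))
        elif kind == "O2":
            if line.endswith("(no file)"):
                findings.append(Finding("low", "orphaned BHO registration (no file)", line))
            elif "(no name)" in line:
                findings.append(Finding("medium", "unnamed BHO loading a DLL into every browser process", line))
        elif kind == "O4":
            findings.extend(_check_autostart(line))
        elif kind == "O18" and "Filter: text/html" in line:
            findings.append(Finding("high", "MIME filter on text/html (can rewrite every page the browser renders)", line))
        elif kind == "O21":
            findings.append(Finding("high", "ShellServiceObjectDelayLoad DLL loaded into Explorer at logon; verify publisher", line))
    return findings


def summarize(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in sorted(found, key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(found))
```

Entries that are ordinary on this machine (the Synaptics driver, the Wacom service, the Dell home page) produce no finding, which is the point of the exercise: the heuristics narrow a 200-line log to the handful of lines a person should look at, and the person still decides.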
Title: Missing File.
Post by: guestolo on July 27, 2006, 08:23:49 PM
Can I see a few more logs please? Then we will have to do some fixes on this computer.

Please supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents please

Also, Download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Also
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as findjobs.bat

Save this file on the desktop

 
Code:
rem List every file in the Tasks folder, hidden ones included (/a with no attribute filter)
dir %Windir%\tasks /a > files.txt
notepad files.txt

Double-click findjobs.bat; a text file will open. Please copy and paste the whole contents back here.
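The findjobs.bat step above produces a plain `dir` listing of the Tasks folder; what the helper then looks for is .job files that no installed product explains. As an added example (not from the forum or from any tool it mentions), the script below parses that listing format and flags job files with random-looking 16-hex-digit names or a modification time close to the scan. The listing is constructed, modelled on the output posted later in this thread, and the scan time and the "random name" rule are assumptions of the example; a flagged task is something to open and read (its command line and author), not something to delete on sight.

```python
import re
from datetime import datetime

# Constructed sample in the format `dir /a` prints on Windows XP, modelled on
# the findjobs.bat output posted later in this thread.
SAMPLE_DIR_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\WINDOWS\tasks

05/20/2006  11:23 PM    <DIR>          .
05/20/2006  11:23 PM    <DIR>          ..
07/27/2006  09:00 PM               242 BBCB43A590F0EA31.job
08/29/2002  07:00 AM                65 DESKTOP.INI
08/18/2005  05:24 PM               258 ISP signup reminder 1.job
07/27/2006  07:23 PM                 6 SA.DAT
               4 File(s)            571 bytes
"""

# Assumed time of the scan; in practice take it from the report header.
SCAN_TIME = datetime(2006, 7, 27, 21, 50)

# date  time  (<DIR> | size)  name   -- US-locale dir output
DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+)$")


def parse_dir_listing(text):
    """Return (mtime, size, name) for each file entry; directory entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if not m or m.group(3) == "<DIR>":
            continue
        mtime = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M %p")
        size = int(m.group(3).replace(",", ""))
        entries.append((mtime, size, m.group(4).strip()))
    return entries


def suspicious_jobs(text, scan_time):
    """Flag .job files by two heuristics: random-looking hex name, recent modification."""
    flagged = []
    for mtime, size, name in parse_dir_listing(text):
        if not name.lower().endswith(".job"):
            continue
        stem = name[:-4]
        reasons = []
        if re.fullmatch(r"[0-9A-Fa-f]{16}", stem):
            reasons.append("random-looking 16-hex-digit task name; no installed product names tasks this way")
        if 0 <= (scan_time - mtime).total_seconds() < 86400:
            reasons.append("modified within 24 hours of the scan")
        if reasons:
            flagged.append((name, reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_jobs(SAMPLE_DIR_OUTPUT, SCAN_TIME):
        print(name)
        for r in reasons:
            print("  -", r)
```

"ISP signup reminder 1.job" has a descriptive name and a 2005 date, so it passes both checks; the hex-named job modified on the day of the scan is the one a helper would ask to see the command line of.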
Title: Missing File.
Post by: Kotomi on July 27, 2006, 09:04:17 PM
Okay, I got all of those from her. She's not a computer expert, but I think she did it right.

Uninstall list.

AccessDirect
Adobe Photoshop 7.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20030807.3)
BCM V.92 56K Modem
Broadcom Advanced Control Suite
Combined Community Codec Pack 2005-09-23 (Remove Only)
CXP Plug-In
Dell Digital Jukebox Driver
Dell Solution Center
Dell Support 5.0.0 (766)
DS21Patch
DVDSentry
EarthLink Setup Files
Haali Media Splitter
HijackThis 1.99.1
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
Ink
Intel® Extreme Graphics Driver
Internet Explorer Default Page
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 3
Jasc Paint Shop Photo Album
Java 2 Runtime Environment, SE v1.4.2
Learn2 Player (Uninstall Only)
LimeWire 4.10.9
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam
Logitech® Camera Driver
Macromedia Flash Player 8
Macromedia Shockwave Player
Matroska Pack
MatroskaProp (remove only)
Messenger Plus! 3 & Sponsor
Microsoft .NET Framework 1.1
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office 2000 Premium
Modem Helper
Mozilla Firefox (1.5.0.5)
MSN Messenger 7.5
MSN Music Assistant
MUSICMATCH® Jukebox
Need2Find Bar
PowerDVD
QuickSet
QuickTime
RealOne Player
Safety Bar
Shockwave
Sonic DLA
Sonic Update Manager
SpyWare Killer Pro
StuffPlug-NG (Messenger Plus! Plugins)
Synaptics Pointing Device Driver
SystemDoctor 2006 1.1.72.1
Tablet
Trend Micro Antivirus
Update for Windows XP (KB898461)
Viewpoint Media Player
Winamp (remove only)
WindowBlinds
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB842773
WinRAR archiver
WinZip
WordPerfect Office 11
Yahoo! Messenger

Smitfraud

SmitFraudFix v2.76

Scan done at 21:50:01.75, Thu 07/27/2006
Run from C:\Documents and Settings\rac\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismon.exe FOUND !
C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\yephk.dll FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\rac\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\rac\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\SpyQuake2.com\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"coursings"="{f8d02387-789a-4c0f-a1d8-8a93f33ee4df}"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Findjobs.bat thing

 Volume in drive C has no label.
 Volume Serial Number is 0829-615D

 Directory of C:\WINDOWS\tasks

05/20/2006  11:23 PM    <DIR>          .
05/20/2006  11:23 PM    <DIR>          ..
07/27/2006  09:00 PM               242 BBCB43A590F0EA31.job
08/29/2002  07:00 AM                65 DESKTOP.INI
08/18/2005  05:24 PM               258 ISP signup reminder 1.job
07/27/2006  07:23 PM                 6 SA.DAT
               4 File(s)            571 bytes

 Directory of C:\Documents and Settings\rac\Desktop
Title: Missing File.
Post by: guestolo on July 27, 2006, 09:50:29 PM
She did fine, now we have to do some fixes
Can you have her do the following please

Access her add/remove programs via control panel

Remove all the following if she can, if not, carry on
Her version of Java is outdated, we will update it later for security reasons
Remove
J2SE Runtime Environment 5.0 Update 3
and
Java 2 Runtime Environment, SE v1.4.2


Continue to remove
Need2Find Bar
Safety Bar
SystemDoctor 2006
Viewpoint Media Player


I would also recommend she remove
SpyWare Killer Pro
I hope she didn't pay for it, we will get her free tools that do a much better job
Please don't install any more anti-spyware programs unless recommended
I'll link you to them later

Finally, she has installed Messenger Plus 3 with the SPONSOR
The Sponsor is not required for MSN Plus to work properly, and it installs spyware on the user's computer
Have her do the following
In add/remove programs Select Messenger Plus! 3 & Sponsor
Click the Remove button
1. Two options are displayed: both of them will uninstall the sponsor, however, if you want to keep Messenger Plus! installed on your computer, choose the first option
2. Press "Next" or "Uninstall" depending on the option you chose (see above). If you chose to uninstall Messenger Plus! as well, another set of options will be displayed. These options are related to Messenger Plus! only and will not affect the uninstallation of the sponsor.
3. The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed.
4. To complete the uninstallation, follow the instructions that are displayed (the first one is to close all your Internet Explorer windows, that's very important). When everything is complete, restart your computer

If she has any problems removing the Sponsor, in hopes of keeping MSN Plus 3 installed
Have her remove all of MSN Plus 3 and the Sponsor
She can reinstall it AFTER we have verified she is all clean,
But she MUST NOT choose to install the SPONSOR

Make sure she has rebooted the computer

EDIT to include the following between dotted lines
=============================================
Please Download MsnVirRem.exe to your desktop from one of the following mirrors. It will produce a log at C:\msnvirrem.log, I'll need to see it later
=============================================

Back in Windows
Let's run some tools on her computer to help get it clean
==Download and install Windows CleanUp! 4.5.2 (http://www.stevengould.org/downloads/cleanup/CleanUp452.exe)

CleanUp! attempts to delete files from various temporary directories (including download directories/caches), as well as emptying the Recycle Bins.
If you make a habit of saving files that you wish to keep in any of these places,  they will be deleted when CleanUp! is run.
Please move them to a different location before we run this tool if the above is true
Note: It is generally considered poor practice to use temporary folders or the Recycle Bin to store files you intend to keep.

==Download, install, and update Ewido anti-spyware (http://www.ewido.net/en/download/)
Print and/or save the rest of these instructions to a text file saved to desktop

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as remjob.bat

Save this file on the desktop>>We will need it later

Code:
rem Switch to the system drive, then into the Scheduled Tasks folder
%systemdrive%
cd C:\WINDOWS\tasks
rem Clear the read-only, system and hidden attributes so the job file can be deleted
attrib -r -s -h BBCB43A590F0EA31.job
del BBCB43A590F0EA31.job


Make sure she completely follows along with these instructions
We're going to have her restart the computer into Safe mode without Network support

Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.
Sign in with your normal user account

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done>>Click Close
DECLINE to Log off or Restart the computer
NOTE: The first time you run CleanUp! it may prompt to run in Demonstration mode
Deny this, we want to run the actual cleanup!!

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Find and delete the following files/folders, manually search for them
Only remove exact file names and folders please
Files:
C:\Documents and Settings\rac\Local Settings\Application Data\abeae62d.exe <-this file
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\csrss.lnk <-this file

Folders:
C:\Program Files\Safety Bar <-this folder
C:\Program Files\RXToolbar <-this folder
C:\Program Files\Need2Find <-this folder
C:\Documents and Settings\All Users\Application Data\htmjump16bat <-this folder
C:\WINDOWS\System32\jqfmlqsvk <-this folder
C:\Documents and Settings\rac\Application Data\GREATB~1 <-this folder, I'm not sure of the Exact name, but it will start with 'GREATB'
C:\Documents and Settings\rac\Application Data\RDRGPL~1 <-again, I'm not sure of the Exact name of this folder, but it will start 'RDRGPL'

==Double click on remjob.bat; a DOS window will open then close, this is normal

==Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process.  A text file will appear onscreen, with results from the cleaning process
I'll need to see these later, by default they are also saved at C:\rapport.txt

If a reboot was required, reboot back to safe mode
If it wasn't required, remain in safe mode

Ewido Scan

Do a "System scan only" with Hijackthis and put a check next to these entries:
Not all the below may be found, but check what she sees from below

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gfcxueaxfycgvxligh.net/Tnpd6TLH...zl0CqYmEUIp.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zutmdhcivgecdcmawaxgjg.com/Tnpd...ChD034Qo0YU.asp

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=C:\WINDOWS\System32\jqfmlqsvk\csrss.new.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\jqfmlqsvk\csrss.new.exe
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)

O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\System32\ixt0.dll
O2 - BHO: (no name) - {BC041340-B56E-566D-ADE0-9F813CD4C39B} - C:\DOCUME~1\rac\APPLIC~1\GREATB~1\Base delete.exe
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [16 Bat Meet Curb] C:\Documents and Settings\All Users\Application Data\htmjump16bat\active 4.exe

O4 - HKLM\..\Run: [abeae62d.exe] C:\WINDOWS\System32\abeae62d.exe
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKCU\..\Run: [view 32] C:\DOCUME~1\rac\APPLIC~1\RDRGPL~1\Chin Once.exe
O4 - HKCU\..\Run: [abeae62d.exe] C:\Documents and Settings\rac\Local Settings\Application Data\abeae62d.exe
O4 - Startup: csrss.lnk = ?
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7B02858-3F51-45F8-B281-238FC9B483EA}: NameServer = 172.16.24.34,172.16.24.35
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\PROGRA~1\RXTOOL~1\sfcont.dll


After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot back to Normal mode
Let's update Java
Access the following link
http://www.java.com/en/download/manual.jsp
Download and Save to desktop the Windows (Offline Installation)
Double click on the installer and follow the prompts
After it has been installed she can delete the installer from desktop

Post back the following please
1. Run Hijackthis again and post back a fresh log
2. Post the whole report from Ewido's
3. Post the log from Smitfraudfix>>C:\Rapport.txt
4. Double click on findjobs.bat again and post the results
5. Post the log from MsnVirRem.exe>>this log C:\msnvirrem.log

It may take more than one reply to include all the info
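The fix list above is the helper reading a HijackThis log by eye: win.ini load=/run= pointing at a csrss lookalike in a random folder, Run keys launching an eight-hex-digit .exe out of Local Settings\Application Data, BHOs whose file is gone, and a NameServer entry that turned out to be legitimate. The script below is an added example, not code from this thread or from HijackThis, showing how a defender can triage a log with the same structural checks. It assumes HijackThis's "CODE - body" line format as shown in the post; the sample log is constructed from the lines quoted above plus one made-up benign O23 service line, and the suspicious-path heuristics are my own, not HijackThis's.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: a few HijackThis v1.99.1 lines quoted in the post above,
# plus one constructed benign O23 service line, so the checks can run offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gfcxueaxfycgvxligh.net/Tnpd6TLH...zl0CqYmEUIp.asp
F3 - REG:win.ini: load=C:\WINDOWS\System32\jqfmlqsvk\csrss.new.exe
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKCU\..\Run: [abeae62d.exe] C:\Documents and Settings\rac\Local Settings\Application Data\abeae62d.exe
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7B02858-3F51-45F8-B281-238FC9B483EA}: NameServer = 172.16.24.34,172.16.24.35
O23 - Service: Trend Micro RealTime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A Windows path up to the first executable-looking extension (paths may contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|bat|cmd|scr|lnk)\b", re.IGNORECASE)
HEX_STEM_RE = re.compile(r"[0-9a-f]{8}", re.IGNORECASE)

# Heuristic tables (my assumptions, not HijackThis's): core process names that malware
# imitates, the only folders they legitimately live in, and user-profile data folders.
SYSTEM_STEMS = {"csrss", "smss", "winlogon", "lsass", "svchost", "services", "spoolsv"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows"}
USER_DATA_MARKERS = ("\\application data\\", "\\local settings\\", "\\applic~1\\", "\\locals~1\\")


@dataclass
class Finding:
    code: str
    line: str
    path: Optional[str]
    reasons: List[str]


def extract_path(body: str) -> Optional[str]:
    """Return the first file path mentioned in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def check_path(path: str) -> List[str]:
    """Structural checks on where an autostart/BHO file lives and what it is called."""
    reasons = []
    low = path.lower()
    parent, _, name = low.rpartition("\\")
    stem = name.split(".")[0]
    if any(marker in low for marker in USER_DATA_MARKERS):
        reasons.append("executable launched from a user profile data folder")
    if stem in SYSTEM_STEMS and parent not in SYSTEM_DIRS:
        reasons.append(f"'{name}' imitates the system process {stem}.exe but is not in System32")
    if HEX_STEM_RE.fullmatch(stem):
        reasons.append("file name is eight hex digits, typical of generated dropper names")
    return reasons


def check_entry(code: str, body: str) -> Finding:
    """Apply per-entry-type checks, then the path checks, and collect the reasons."""
    reasons = []
    if code == "F3" and "win.ini" in body.lower():
        reasons.append("legacy win.ini load=/run= autostart is set (normally empty)")
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("registration points at a file that no longer exists (orphan)")
    if code in {"R0", "R1"}:
        reasons.append("browser default changed to an external URL; confirm it is the user's choice")
    if code == "O17" and "NameServer = " in body:
        servers = body.split("NameServer = ", 1)[1].split(",")
        try:
            private = all(ipaddress.ip_address(s.strip()).is_private for s in servers)
        except ValueError:
            private = False
        reasons.append("DNS servers are in a private range (typical ISP/LAN setting); confirm before removing"
                       if private else "DNS servers are public addresses; confirm they belong to the user's ISP")
    path = extract_path(body)
    if path:
        reasons.extend(check_path(path))
    return Finding(code, f"{code} - {body}", path, reasons)


def analyze(log_text: str) -> List[Finding]:
    """Parse a HijackThis log and return only the entries that trip at least one check."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines, 'Running processes:' paths, blank lines
        finding = check_entry(m.group("code"), m.group("body"))
        if finding.reasons:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run it against a saved log and it prints only the entries worth a second look, with the reason for each. Note what it does not do: the Need2Find BHO and the SystemDoctor Run key sit in Program Files under plausible names and pass every structural check, which is exactly why the helper above pairs log reading with signature-based tools (Ewido, SmitfraudFix); checks like these catch the odd locations and lookalike names, not known adware by name. The O17 check reproduces the follow-up post's point: private-range DNS servers are usually the ISP or LAN configuration, so they should be confirmed rather than fixed blindly.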
Title: Missing File.
Post by: guestolo on July 28, 2006, 08:46:48 AM
Kotomi, I mistakenly asked you to have her fix this entry with Hijackthis
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7B02858-3F51-45F8-B281-238FC9B483EA}: NameServer = 172.16.24.34,172.16.24.35

It could very well be a legit entry related to Internet connection
If she has problems with Internet, can you have her Open Hijackthis>>View a list of backups
Check ONLY that entry and click the Restore button

Close hijackthis then reboot the computer
Sorry, if that caused any troubles, if she hasn't started the fixes yet, have her Omit ONLY that one entry from the fixes with Hijackthis