Topic: recurring spyware nightmare

guestolo
recurring spyware nightmare
« Reply #20 on: March 06, 2005, 05:08:31 PM »
When I asked you to do the below, what did you do?

Open the Remv3 folder you have unzipped
Inside it you will see a text file called
ver3.txt<<Open it

Add this to the list of files

sysobj.exe
wosys32.dll
woinst.exe
hdmoo.dll
hdyue.dll

Save the change and close it out

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


djkwik
recurring spyware nightmare
« Reply #21 on: March 06, 2005, 11:35:02 PM »
First off, you said to either delete that file or tell you about it:

    Also look for the ones recommended by Symantec for removal.
    In the registry, you may also want to highlight My Computer,
    click EDIT>>FIND,
    look for this entry, and remove it or let me know if found:
    69.50.184.84

I told you about it. I did check it in HJT and clicked Fix, though, so it should be gone.

Second: a long time ago I set up my XP to be like classic Windows. When I open my Control Panel there is no left side to the page, therefore nothing stating Classic View, since my whole Windows is set up in classic style!

I used the link you provided to Symantec and read the entire page and looked for those things in my registry. I could not find them!

I did the copy and paste of those files directly to the document called ver3.txt, and I saved the changes before exiting it. I don't know what else to tell you! I mean really... I told you three times now, it would probably save me a hell of a lot of time and frustration just dumping my core and reloading the Windows operating system from scratch!

I have tried to do everything you say to the letter, and yet you seem to think I'm not doing it?!
« Last Edit: March 06, 2005, 11:36:54 PM by djkwik »

guestolo
recurring spyware nightmare
« Reply #22 on: March 07, 2005, 01:46:24 AM »
Let's relax :)
I just realized you may have a newer rootkit infection.

Download Rootkit Revealer here: http://www.sysinternals.com/ntw2k/freeware...kitreveal.shtml
Unzip it to a folder
Open the folder and launch RootkitRevealer.exe
Press the Scan button.  Please give this time to run
When it's done
Go to  FILE>>SAVE
Save the log and post it back here

Also post a Fresh Hijackthis log too

Can you also
Download the Registry Search Tool
from Here
http://www.billsway.com/vbspage/
UNZIP it for now, we'll need it later
« Last Edit: March 07, 2005, 03:30:59 AM by guestolo »



djkwik
recurring spyware nightmare
« Reply #23 on: March 07, 2005, 08:57:13 AM »
Sorry man, it's just that, for one thing, this is difficult doing this online; second, this whole virus thing has just frustrated the living crap out of me; and third, I've NEVER been in my registry before all of this, so I am a bit nervous about what all of this is doing to my computer. One thing I'd like to say is that all the pop-ups have stopped (for now). The first thing I pasted below is that ver3.txt that has those entries that you asked me to add to it:

logogdi.exe
ipv9x.exe
hostnameip.exe
unlodctl.exe
spnping.exe
sharenet.exe
scardsvrhr.exe
rsvph.exe
rdpclips.exe
rasaoutu.exe
qappsrvc32.exe
pentxpl.exe
openconf.exe
nlsfuncs.exe
hrlink.dll
nasll.dll
elswap.dll
dx9vbc.dll
dnsaquota.dll
dnsauth.dll
taskopen.exe
iecust.dll
iecust.exe
setvers.exe
ifcfg.exe
snnpapi.exe
snnpapi.dll
hlp32.exe
Microsoft.hta
chmredir.chm
winuptd.exe
servises.exe
tasknngr.exe
rpcnt4.dll
tksvr99.exe
w32sxp.exe
wncust.exe
tlntadmnx.exe
vwipxspnt.exe
winmsdc.exe
usrshutd.exe
tcpsvcss.exe
ms_update.exe
wmplayer.exe
amax.exe
CustIE32.dll
deski.exe
doul.exe
etile.exe
[censored]sex.exe
iesp1.dll
ipvcx6.exe
mspax.dll
nbtrstat.exe
netupd32.exe
od.exe
protect32.dll
rdspclips.exe
rexece32.exe
sethcd.exe
smbdins.exe
sprestrst.exe
tsmsetup.exe
upncont.exe
wmplayer.exe
wowdbe.exe
ywde.exe
iesp2.dll
sp2chek.exe
connmie.exe
dxconf.exe
iecustme.exe
iecustom32.dll
mxbkup.exe
truettf.exe
update.exe
sfcman32.dll
qwsxp.dll
winwiz32.exe
sp2chk.exe
sprmover.exe
msmkd.dll
sysobj.exe
wosys32.dll
woinst.exe
hdmoo.dll
hdyue.dll


OK..I have downloaded the RootKitReveal and its log is next:

C:\$AttrDef   11/1/2003 2:05 PM   2.50 KB   Hidden from Windows API.
C:\$BadClus   11/1/2003 2:05 PM   0 bytes   Hidden from Windows API.
C:\$BadClus:$Bad   11/1/2003 2:05 PM   37.27 GB   Hidden from Windows API.
C:\$Bitmap   11/1/2003 2:05 PM   1.16 MB   Hidden from Windows API.
C:\$Boot   11/1/2003 2:05 PM   8.00 KB   Hidden from Windows API.
C:\$Extend   11/1/2003 2:05 PM   0 bytes   Hidden from Windows API.
C:\$Extend\$ObjId   11/1/2003 2:06 PM   0 bytes   Hidden from Windows API.
C:\$Extend\$Quota   11/1/2003 2:06 PM   0 bytes   Hidden from Windows API.
C:\$Extend\$Reparse   11/1/2003 2:06 PM   0 bytes   Hidden from Windows API.
C:\$LogFile   11/1/2003 2:05 PM   64.00 MB   Hidden from Windows API.
C:\$MFT   11/1/2003 2:05 PM   48.28 MB   Hidden from Windows API.
C:\$MFTMirr   11/1/2003 2:05 PM   4.00 KB   Hidden from Windows API.
C:\$Secure   11/1/2003 2:05 PM   0 bytes   Hidden from Windows API.
C:\$UpCase   11/1/2003 2:05 PM   128.00 KB   Hidden from Windows API.
C:\$Volume   11/1/2003 2:05 PM   0 bytes   Hidden from Windows API.


Next. When you wanted me to look for those files, you didn't specify to physically go into my System32 folder to look for them. I copied and pasted each one into my Start>>Find and it looked in the System32 folder and found 2 of that whole list. Lately, when I physically go into System32, it doesn't list all of the files that appear on the EZ Antivirus list for System32, so I don't know what that's all about. I will go back to your post and physically look for those particular files again and delete them.

Regarding my Control Panel... I guess you didn't realize that my entire Windows XP OS was set up to be like classic Windows when I very first got this computer. I hate the XP styling and did that first thing. But seriously, when I went into the network yesterday, the folder was empty; this morning, I just this second went into it and now I have: Local Area Connection under the heading "LAN or High-Speed Internet" and two icons, New Connection Wizard and Network Setup Wizard, under the Wizard heading. I will have to refer back to your previous post to see what you wanted done there again. "Obtain DNS server address automatically" IS checked, and in the advanced settings, under the DNS tab, "Append primary and connection specific DNS suffixes" is checked, as well as its sub-option "Append parent suffixes of the primary DNS suffix".

Ok, you also wanted a fresh HJT log, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 7:52:24 AM, on 3/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurroundObject) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed AttachmentsControl) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe



I went into System32 folder and looked for the files you told me to look for :
C:\WINDOWS\system32\date.dat
C:\WINDOWS\system32\menu.txt
C:\WINDOWS\system32\mslcy.dll
C:\WINDOWS\system32\sysobj.exe
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\connmie.exe
C:\WINDOWS\system32\ctbasxt.exe
C:\WINDOWS\system32\dxconf.exe
C:\WINDOWS\system32\hdmoo.dll
C:\WINDOWS\system32\sprmover.exe
C:\WINDOWS\system32\wosys32.dll
C:\WINDOWS\system32\woinst.exe


The only ones I found in there were the first 2:  date.dat and menu.txt and i deleted them both.

Is there a way of emptying ALL the temp/temp internet files/history from all users at once? I don't have any secondary users set up on this computer, but I've got folders that say Administrator, All Users, Default User, home, Local Service, Network Service, AND Owner. Takes forever to go into all of these and try to delete everything; some don't even have a Local Settings folder. And the "Local Service" user won't let me delete anything at all. HEY: is "index.dat" an important file? It's always in my cookies folder, and it shows up in all these other folders and refuses to be deleted; says that Windows is using it. Just wondering.


Just to let you know, I work third shift. I won't get a chance to check for your post until after 6pm tonight (Monday, March 7). Hope what I sent in this post helps you to help me... and I don't mind working in the registry, just nervous about it. I want to do whatever it takes to get my computer to a point where I can set a restore point. OH, BTW... what about that virus that hides in the System Volume Information folder????? I had that once and System Restore became something that I don't even use anymore; took me forever to figure out how to get it out of that folder, and now my computer refuses to allow me access to the System Volume Information folder at all. Any ideas on that??? Have a good one... and thanks for being patient with me. :unsure:
« Last Edit: March 07, 2005, 08:15:30 PM by guestolo »
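Added example (not part of the thread, and not from guestolo or djkwik): the RootkitRevealer log above consists entirely of NTFS metadata files ($MFT, $Bitmap, $Extend\$ObjId and so on). Those are reported as "Hidden from Windows API" on every healthy NTFS volume, because the Windows API never exposes them; they are not rootkit evidence. What would be worth chasing is a path under an ordinary directory such as System32 that is hidden from the API but present in the raw filesystem. The Python below parses a saved RootkitRevealer log and separates the two cases. The input is the fifteen posted lines plus one constructed line (drivers\constructed.sys) that is not in the original log and exists only to exercise the flagged path.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the fifteen lines from the RootkitRevealer log
# posted above, plus ONE constructed line (drivers\constructed.sys) that is
# not in the original log and only shows what a real discrepancy looks like.
SAMPLE_LOG = r"""
C:\$AttrDef   11/1/2003 2:05 PM   2.50 KB   Hidden from Windows API.
C:\$BadClus   11/1/2003 2:05 PM   0 bytes   Hidden from Windows API.
C:\$BadClus:$Bad   11/1/2003 2:05 PM   37.27 GB   Hidden from Windows API.
C:\$Bitmap   11/1/2003 2:05 PM   1.16 MB   Hidden from Windows API.
C:\$Boot   11/1/2003 2:05 PM   8.00 KB   Hidden from Windows API.
C:\$Extend   11/1/2003 2:05 PM   0 bytes   Hidden from Windows API.
C:\$Extend\$ObjId   11/1/2003 2:06 PM   0 bytes   Hidden from Windows API.
C:\$Extend\$Quota   11/1/2003 2:06 PM   0 bytes   Hidden from Windows API.
C:\$Extend\$Reparse   11/1/2003 2:06 PM   0 bytes   Hidden from Windows API.
C:\$LogFile   11/1/2003 2:05 PM   64.00 MB   Hidden from Windows API.
C:\$MFT   11/1/2003 2:05 PM   48.28 MB   Hidden from Windows API.
C:\$MFTMirr   11/1/2003 2:05 PM   4.00 KB   Hidden from Windows API.
C:\$Secure   11/1/2003 2:05 PM   0 bytes   Hidden from Windows API.
C:\$UpCase   11/1/2003 2:05 PM   128.00 KB   Hidden from Windows API.
C:\$Volume   11/1/2003 2:05 PM   0 bytes   Hidden from Windows API.
C:\WINDOWS\system32\drivers\constructed.sys   3/7/2005 8:00 AM   12.00 KB   Hidden from Windows API.
"""


@dataclass
class Entry:
    path: str
    timestamp: str
    size: str
    reason: str


def parse_rkr(text: str) -> list:
    """Parse a saved RootkitRevealer log; the four fields are separated by
    runs of at least two spaces, while a field's own words use one space."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = re.split(r"\s{2,}", line)
        if len(fields) != 4:
            raise ValueError(f"unexpected RootkitRevealer line: {line!r}")
        entries.append(Entry(*fields))
    return entries


def is_ntfs_metafile(path: str) -> bool:
    """True for NTFS metadata files ($MFT, $Bitmap, $Extend\\$ObjId, ...).

    They sit at the volume root (or under $Extend) and every path component
    starts with '$'.  RootkitRevealer lists them as 'Hidden from Windows API'
    on any NTFS volume, so they are expected and not evidence of a rootkit.
    """
    drive, _, rest = path.partition("\\")
    if not re.fullmatch(r"[A-Za-z]:", drive) or not rest:
        return False
    return all(part.startswith("$") for part in rest.split("\\"))


def triage(entries: list):
    """Split entries into expected NTFS metafiles and everything else.
    Anything in the second list is hidden from the API yet lives under a
    normal directory, which is the discrepancy a rootkit would produce."""
    expected = [e for e in entries if is_ntfs_metafile(e.path)]
    flagged = [e for e in entries if not is_ntfs_metafile(e.path)]
    return expected, flagged


if __name__ == "__main__":
    expected, flagged = triage(parse_rkr(SAMPLE_LOG))
    print(f"{len(expected)} expected NTFS metadata entries (ignore)")
    for e in flagged:
        print(f"INVESTIGATE: {e.path}  {e.size}  ({e.reason})")
```

Run against the real log as posted (without the constructed last line) the flagged list is empty, which is the "no rootkit found" reading guestolo gives the log in his next reply.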

djkwik
recurring spyware nightmare
« Reply #24 on: March 07, 2005, 09:16:24 AM »
messed up, ignore this post
« Last Edit: March 07, 2005, 09:20:49 AM by djkwik »

guestolo
recurring spyware nightmare
« Reply #25 on: March 07, 2005, 08:25:17 PM »
Let's try a different route now that your log looks clean

Open the Remv3 folder you have unzipped
Inside it you will see a text file called
ver3.txt<<Open it
Add this to the list of files
hdguz.dll

Once that is done save it and close it out

Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/...s/tds3setup.exe
Install it and Restart your computer when prompted
Don't run a scan yet

When you're back in Windows it's important to update to the latest RADIUS database.

IMPORTANT>>>Right click the link below, select "save target as" or save link as
http://www.diamondcs.com.au/tds/radius.td3
Save it to the directory where you installed TDS-3
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3

If you're unsure how to update it, follow the instructions from this link:
http://tds.diamondcs.com.au/index.php?page=update
Follow the Manual update procedure
Again, don't run a scan yet

Print this out or save to a Notepad file for easy access

Disable System Restore, don't enable it until prompted
This link will explain how to disable it if unsure
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

Restart into Safe Mode without a network connection.
You can do this by tapping the F8 key as The system is booting up

Launch TDS-3. In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to hesitate at times
Detections will appear in the lower pane of tds window after the scan is finished  Right click the list> select save as txt.>> save this to a convenient location, I'll need to see it later

After saving the scandump.txt go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION

Stay in safe mode
Run Remv3.bat again

Restart back to Normal mode
Re-enable System Restore

Post back a fresh Hijackthis log and the Scandump.txt
and the log from Remv3.bat

Please just copy and paste the Hijackthis log as it appears in Notepad
Don't alter it in anyway when posting it, thanks



djkwik
recurring spyware nightmare
« Reply #26 on: March 07, 2005, 09:59:12 PM »
OK, I ran the TDS3 thing; it only found one Positive Identification, from my Kodak camera files, the updater. I deleted it anyway because you said to delete anything that had a positive ID. Its scandump.txt is the first one of the three below.

I ran the Remv3 again. I don't know why, but it no longer is saving the files as ver1.txt, ver2.txt, or whatever. Anyway, the scan I just ran I saved to a Notepad file on my desktop, and the results are below (following the scandump.txt).

I also ran HJT again. I have never altered the Notepad log before copying and pasting it here. I think what is happening is that I don't have the window fully maximized when I copy and paste; this time I maximized the Notepad window and then did a copy and paste below (the last thing posted below).

I turned System Restore back on BUT DID NOT SET A RESTORE POINT YET. I am waiting for you to tell me to do that. Hope to hear back from you soon. I leave for work at 10:30 pm (CST); otherwise I will log back on here again Tuesday morning about 7:30am. Thanks again.


THREE LOGS:

SCANDUMP.TXT LOG:

Scan Control Dumped @ 20:38:06 07-03-05
Positive identification: Riskware.ProcessRestart
  File: c:\program files\kodak\kodak software updater\7288971\6.1.4.37-7288971l\program\restart.exe



REMV3 LOG:


Files Found.................
----------------------------------------
hdguz.dll

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
 
 
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
msi.dll



HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 8:43:36 PM, on 3/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe

(Again, I did not do anything to the HijackThis log. I maximized my Notepad window, selected all, copied, and came to this post window and pasted it. I don't know why it keeps splitting lines up and inserting blank lines; it doesn't look like this in the Notepad window. Sorry.)
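Added example, not from the thread: the practical way to read a "fresh" HijackThis log is against the previous one, so only what changed needs attention. Between the 7:52 AM log and the 8:43 PM log above, two process lines disappeared (iexplore.exe and ymsgr_tray.exe, programs that were simply not running at scan time) and two entries appeared: the O1 hosts line for www.dcsresearch.com, which shows up after TDS-3 was installed, and an O4 UserFaultCheck entry for dumprep, the Windows XP error-reporting dump tool. The Python below parses pasted HijackThis logs, re-joins lines that the forum software wrapped (the splitting djkwik describes), and diffs two logs as sets of records. The two inputs are abbreviated excerpts constructed from the logs posted in this thread; the wrapped "Microsoft / Money" line from the second log is kept to show the re-joining.

```python
import re

ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - ")   # R1, F2, O4, O23, ...
PROC_RE = re.compile(r"^[A-Za-z]:\\")         # a path in the 'Running processes' list

# Constructed excerpts of the two HijackThis logs posted in this thread
# (abbreviated; not the complete logs).  AFTER keeps one line exactly as the
# forum wrapped it, with a blank line in the middle of a path.
BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 7:52:24 AM, on 3/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""

AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 8:43:36 PM, on 3/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft

Money\System\mnyside.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""


def parse_hjt(text: str) -> set:
    """Normalise a pasted HijackThis log into a set of one-line records.

    Process paths become 'PROC - <path>' so they share one set with the
    lettered entries.  Everything before 'Running processes:' is header and
    is skipped.  A non-blank line that starts with neither an entry prefix
    nor (inside the process list) a drive letter is a wrapped continuation
    of the previous record and is re-joined with a single space.  A wrap
    that split a word in two (as 'pr'/'oducts' in the first posted log)
    cannot be told apart from a wrap at a space and is left joined by one.
    """
    records = []
    started = in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not started:
            if line == "Running processes:":
                started = in_procs = True
            continue
        if not line:
            continue
        if ENTRY_RE.match(line):
            in_procs = False          # first lettered entry ends the process list
            records.append(line)
        elif in_procs and PROC_RE.match(line):
            records.append("PROC - " + line)
        elif records:
            records[-1] += " " + line  # wrapped continuation of the last record
    return set(records)


def diff_hjt(before: str, after: str):
    """Return (added, removed) records between two logs, each sorted."""
    a, b = parse_hjt(before), parse_hjt(after)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    added, removed = diff_hjt(BEFORE, AFTER)
    for rec in added:
        print("+", rec)
    for rec in removed:
        print("-", rec)
```

The diff is what a helper actually reads: new O1/O4/O20/O23 records are the ones that need an explanation, while a process that merely was not running at scan time is noise.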

djkwik
recurring spyware nightmare
« Reply #27 on: March 07, 2005, 10:48:49 PM »
Hey... just for the hell of it, when I got done with the previous post, I emptied all temp/temp internet files/history, emptied the Recycle Bin, did a restart (staying in normal mode), then I ran a HouseCall online scan again. AGAIN, while it was scanning the SYSTEM FILES, a notification popped up that it found a MalWar_Trojan and deleted it. So apparently there is still something hiding in my computer????? I cleared everything once again, did another restart and ran HouseCall a second time, but it didn't find anything on the second pass (I thought perhaps it was a trojan that activates during start-up), but it's not there. I just thought you should know that it DID find something in the System Files on that first scan tonight, just like yesterday when you asked me to run a HouseCall scan. What do you think???

guestolo
recurring spyware nightmare
« Reply #28 on: March 07, 2005, 11:17:12 PM »
Your log looks clear, but just for the heck of it, instead of trying one at Trend Micro's,

can you try one at Panda's?
Save the log afterwards; if it finds anything, post it back here:
http://www.pandasoftware.com/activescan/co...n_principal.htm

Could you also navigate to these directories:
the C:\WINDOWS folder and
C:\WINDOWS\SYSTEM32

Do you see Notepad.exe in both locations?
Don't delete them, just curious if they are both there
« Last Edit: March 07, 2005, 11:19:33 PM by guestolo »



djkwik
recurring spyware nightmare
« Reply #29 on: March 08, 2005, 11:12:21 AM »
Hi. I fell asleep during that Panda scan. When I came around, I looked at the screen, and there was something that said "New Profile" and the word Outlook was in the field, so I clicked OK; I thought it had to do with the Panda scan. After I clicked OK, then I was clear to click the See Report button on the Panda scan. Dammit! Now I am thinking that the "New Profile" thing was something unrelated! I was NOT online when the New Profile window popped up, since Panda scan said I could go offline while it performed the scan but had to go back online to get the results. So... I don't know what the hell that was all about. I did a Start>>Search for the word Outlook and did find one listing that shows it was modified today, during the time the scan was running. The file in question is "Outlook.pst". I DID have the scan configured to check email messages too... does that have something to do with it???

At any rate... You asked me to see if Notepad.exe was in both Windows AND windows system 32....YES it is.

Here is the Panda scan...it said it found  2 viruses. (man that scan takes forever)  here is the log from that scan:


Incident                        Status           Location
Adware:Adware/Comet             No disinfected   C:\WINDOWS\Downloaded Program Files\dm.inf
Spyware:Spyware/FastSearchWeb   No disinfected   Windows Registry

I would think it's easy to just go in and manually delete the first one, but I won't until you tell me how to do it. Besides, when I did physically go into C:\WINDOWS\Downloaded Program Files to see if I could see it listed in there, the only things in there were icons for ActiveX controls. I right-clicked on each icon (individually), clicked Properties, then the "Dependency" tab, and not one of them lists that "dm.inf" file.

As for the Windows Registry... didn't we already look in there?

SO there are still 2 files on my system, and I am getting to the point where I am just fed the hell up with all of these hours and hours and hours of scanning and never getting my system completely clean. Of all the threads on this forum that I looked at before registering and starting my own, I've never seen anyone go through THIS many hoops and not have a final thank-you post for having a totally clean system. Can't figure out why my computer is such a problem! I'm tired, I'm going to bed; hopefully you can figure this mess out because I don't know what to do. :angry:
« Last Edit: March 08, 2005, 11:13:56 AM by djkwik »

guestolo
recurring spyware nightmare
« Reply #30 on: March 08, 2005, 08:45:09 PM »
Find and delete this file if it exists
C:\Windows\System32\iecust.dll

Just in case, look for this one again and delete it too
C:\Windows\System32\menu.txt

I'll copy and paste this next set of instructions from Symantec's.
Here's a link to what I'm referring to:
http://securityresponse.symantec.com/avcen...tsearchweb.html
Enter your Registry

Manually look for and delete the entries listed below

Navigate to both these keys
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\

In the right pane delete these values if they exist
"Search Bar" = "res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%72%63%70%69%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"
"Search Page" = "res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%72%63%70%69%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6"


Navigate to the keys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\

In the right pane, delete the value:

"SearchAssistant" = "res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%72%63%70%69%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"


Navigate to and delete the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain

Navigate to the following keys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search

In the right pane, delete the values:

"Default_Page_URL" = "about:blank"
"Default_Search_URL" = "about:blank"
"Customize_Search" = "about:blank"


Navigate to and delete the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\"Freshbar" = {06ABAA2D-34AB-4902-A326-409BD9B9A7A5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\"Apartment" = {06ABAA2D-34AB-4902-A326-409BD9B9A7A5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06ABAA2D-34AB-4902-A326-409BD9B9A7A5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\"Apartment" = {0EC7A55C-77D4-40E9-A4A0-9463B12B31E5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19E25DD9-89F9-49FD-A5FC-1B7862BB8167}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{69063189-5F20-4361-BB5F-30EF8526284D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D825EF86-59BB-46EA-924F-12088D928D6C}

Exit the Registry

Once that is done
Go to START>>RUN>>type in cmd
Hit OK
At the prompt type the following
cd\WINDOWS\Downloaded Program Files (hit Enter)
del dm.inf (hit Enter)

Don't type (hit Enter) <<this indicates hitting Enter on your keyboard
Also notice the single space between del and dm.inf

Exit out of the command prompt

Post back here a fresh Hijackthis log

If you have another user on the computer, post a log from their account too

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here
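As an added example (not code from the thread, nor from Symantec's write-up), here is a Python script that decodes the percent-encoded res:// values in the instructions above, so the DLL the hijacked search page is actually served from becomes visible, and that flags such values in a .reg export; the export text inside it is a constructed sample, not the poster's registry.

```python
"""Decode and flag the percent-encoded IE search hijack values quoted above.
Added example, not code from the thread or from Symantec's write-up; the
.reg-style export at the bottom is a constructed sample, not the poster's."""
import re
from urllib.parse import unquote

# Value names that the Symantec instructions above say the hijacker sets.
HIJACKED_VALUE_NAMES = {"Search Bar", "Search Page", "SearchAssistant",
                        "Default_Page_URL", "Default_Search_URL", "Customize_Search"}
# Only values under these IE keys matter for this hijacker.
IE_KEY_SUFFIXES = ("\\Internet Explorer\\Main", "\\Internet Explorer\\Search")
REG_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def decode_res_url(value: str) -> str:
    """Turn a percent-encoded res:// value into readable text.  res:// loads an
    HTML resource embedded in a DLL on disk, so the decoded form shows which
    DLL the hijacked search page is really served from."""
    if not value.lower().startswith("res://"):
        return value
    return "res://" + unquote(value[len("res://"):])


def is_suspicious(name: str, value: str) -> bool:
    """Defender's heuristic taken from the thread: a known hijacked value name
    pointing at a res:// resource (a legitimate search page is an http(s) URL)
    or forced to about:blank."""
    if name not in HIJACKED_VALUE_NAMES:
        return False
    lowered = value.lower()
    return lowered.startswith("res://") or lowered == "about:blank"


def scan_reg_export(text: str) -> list:
    """Walk a .reg export; return (key, value name, decoded value) for every
    value matching the hijack pattern under an IE Main/Search key."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = REG_KEY_RE.match(line)
        if key_match:
            key = key_match.group("key")
            continue
        value_match = REG_VALUE_RE.match(line)
        if not (value_match and key and key.endswith(IE_KEY_SUFFIXES)):
            continue
        name = value_match.group("name")
        # .reg files escape backslashes inside string data as "\\".
        value = value_match.group("value").replace("\\\\", "\\")
        if is_suspicious(name, value):
            findings.append((key, name, decode_res_url(value)))
    return findings


# Constructed sample: one untouched value, two hijacked ones, one clean Search
# value.  The encoded res:// string is the one quoted in the instructions.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.emachines.com"
"Search Bar"="res://%43%3a%5c%57%49%4e%4e%54%5c%53%79%73%74%65%6d%33%32%5c%72%63%70%69%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"
"Default_Page_URL"="about:blank"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.example.com/search"
"""

if __name__ == "__main__":
    for key, name, decoded in scan_reg_export(SAMPLE_EXPORT):
        print(f"{key}\n  {name} = {decoded}")
```

Run against a real export (regedit, File > Export of the two IE keys) the same way; the decoded path is what to compare against the DLL names in the removal write-up.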


Offline djkwik

recurring spyware nightmare
« Reply #31 on: March 08, 2005, 09:33:03 PM »
Hey, while waiting for a fresh post from you, I did some googling regarding the fastsearchweb that Panda found.  I found a page at TrendMicro that had very detailed instructions for going into the registry to remove this.  I followed those instructions (I'm getting a bit more comfortable doing the registry deletes) and I actually got rid of the damn thing.  However!!  When I ran my next scan with Panda, NOW I have one from GloboSearch.  I googled that and found TrendMicro's page for deleting that one as well.  I followed all of their instructions again, only this time I could not find ANY of the entries they told me to look for.  At the bottom of the TrendMicro page it says that if I can't delete the GloboSearch by following the above instructions, I need to restart my system.  I restarted and ran another Panda scan and it was STILL THERE.

I looked for everything you mentioned in your very recent post and did not find ANY of the items you listed (a good thing?). I also did the cmd and deleted that "dm.inf" and when I ran one more Panda scan...it was gone!!! HOOORAH!!!  But that damn GloboSearch is still sitting in my system and as far as I can tell, it's the only one left to get rid of (are we finally almost to a clean PC???)  Oh, BTW, I turned System Restore back off as it was suggested that I do so for the Panda scan to run the most accurate and thorough scan.

SO GloboSearch is still on my system and I need help getting rid of it.  SECOND...from what I can see of their advertisements, PandaScan offers the most comprehensive program for sale to actually protect and delete these things itself when it finds them....my question...I am not above paying for system protection IF IT WORKS!!! - - - Would you recommend the Panda products?????  I really am spending WAY too much time doing all of this manually and would gladly pay $50 to have a program do all of this for me, but I want the BEST one...Panda claims to scan for over 90,000 viruses and updates DAILY...sounds good to me.

Here is the HJT log you requested and following it is the most recent Panda scan showing NO dm.inf and the GloboSearch file that I could not find any of the registry values for, but it's still there.  What next????

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:18:07 PM, on 3/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\VetMsgNT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\home\Application Data\Mozilla\Profiles\default\tt64smx3.slt\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise...usecall_pre.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by9fd.bay9.Email Removed.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe


PandaScan log:


Incident                      Status             Location
Adware:Adware/GloboSearch     No disinfected     Windows Registry

PS, the HJT log shows all those ActiveX controls except for three..the one I am concerned about...when I go into its properties, it says it's damaged...here are the particulars:

This is the ID for that ActiveX that's damaged.  What are your thoughts on this???   {9F1C11AA-197B-4942-BA54-47A8489BB47F}
In the Dependency tab, it shows three files...one of them, C:\Windows\system32\IUCTL.DLL, is also damaged.

The other two have the following ID's:

{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} YInstStarter Class

{D27CDB6E-AE6D-11CF-96B8-444553540000} Shock wave Flash Object

Should I be concerned with any of this stuff at all?
« Last Edit: March 08, 2005, 09:48:04 PM by djkwik »

Offline guestolo

recurring spyware nightmare
« Reply #32 on: March 09, 2005, 12:55:04 AM »
Don't worry about the Active X controls
The one damaged can be removed, related to an old Microsoft Windows Update control

The Registry Search Tool you downloaded and unzipped earlier:
Run "RegSrch.vbs"
Copy and paste this in the dialog box:
GloboSearch

Click OK
After a while a prompt will come up.(About 10 seconds or a bit longer)
Click OK to open in Notepad or Wordpad
 Post back the results that are found

Do the same for this entry
popup_bl


Could you also look in your C:\WINDOWS\system32 folder
If
popup_bl.dll is found, delete it

Also look for
systr.dll in the same folder, if found delete it

One quick download
Download and save to Desktop
Silent Runners.vbs

Double click to run it
Wait about 10 seconds for it to prompt you with its findings, then post the log it produces
« Last Edit: March 09, 2005, 12:57:44 AM by guestolo »



Offline djkwik

recurring spyware nightmare
« Reply #33 on: March 09, 2005, 11:44:58 AM »
Hey.  I ran the RegSrch tool and it found nothing for either one of those.  This is really frustrating since Panda seems to think the GloboSearch is on my computer, but it can't be found anywhere. :blink:   There was no log created in either Notepad or WordPad....I am assuming that is because it didn't find anything.

I looked in the system32 folder for those two you told me to look for...neither one of them was there...One came close...there is a file called "popup.ocx" but not one with a .dll

The Silent Runners scan log follows:

"Silent Runners.vbs", revision 32, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"Default" = (no data)
"VetTray" = "C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe" ["Computer Associates International, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"LWBKEYBOARD" = "C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe" [empty string]
"FLMOFFICE4DMOUSE" = "C:\Program Files\Browser MOUSE\mouse32a.exe" [empty string]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]
"UserFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -u" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{243B17DE-77C7-46BF-B94B-0B5F309A0E64}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
"{1CE2AA40-1317-11D3-9922-00104B0AD431}" = "CA_AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ScsiAccess, ScsiAccess, "C:\WINDOWS\System32\ScsiAccess.EXE" [null data]
VET Message Service, VETMSGNT, "C:\WINDOWS\System32\VetMsgNT.exe" ["Computer Associates International, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Offline guestolo

recurring spyware nightmare
« Reply #34 on: March 09, 2005, 10:24:05 PM »
I don't know where Panda is finding this

=====Download and install this small program
to help clean your temp folders, cookies, prefetch folder, etc...
Windows Cleanup
Open CleanUp!
START>>ALL Programs>>CleanUp
Click the CleanUp button
Let it finish scanning for files, when it's done Restart your computer

EDIT>>Could you also

===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS

Name the file as Export.bat
Save this file on the desktop

Quote
cd\WINDOWS\Downloaded Program Files
dir /a /Q * >C:\dpflist.txt
start C:\dpflist.txt

Double click on Export.bat
and post back the log that produced

Let's get some extra protection on your computer

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
« Last Edit: March 09, 2005, 10:56:29 PM by guestolo »



Offline djkwik

recurring spyware nightmare
« Reply #35 on: March 10, 2005, 10:31:25 AM »
OK, here is the log you requested.

I already installed IE-Spyad yesterday and enabled maximum protection...quick question...does this thing actually stop a webpage from opening if it's one on the list?  It's not the same thing as the Windows firewall message bar that springs to life when a pop-up has been blocked....some of the download links you have sent me to, I have to "temporarily allow pop-ups" to get the page to open or to get the download to start.

I just finished installing SpywareBlaster, updated and enabled all protection.  Let's hope this does the trick.  Let me know if there is a problem with anything on the above log, or if you think my computer is finally clean.  Any other scans to run to make sure??  PS:  can I start getting rid of all these things all over my desktop (killbox, rootkitreveal, regsrch, iefix, silent runner, etc)?  I know I can get rid of the shortcuts, but I saved a lot of the zipfiles directly to the desktop so I didn't have to go hunting for them....which ones should I keep installed on my system and which ones can I get rid of, if any?




 Volume in drive C has no label.
 Volume Serial Number is FC93-C619

 Directory of C:\WINDOWS\Downloaded Program Files

03/08/2005  08:17 PM    <DIR>          BUILTIN\Administrators .
03/08/2005  08:17 PM    <DIR>          BUILTIN\Administrators ..
02/08/2005  10:52 AM           110,592 YOUR-KGOHY9AU97\home   asinst.dll
02/08/2005  10:54 AM               525 YOUR-KGOHY9AU97\home   asinst.inf
10/11/2000  03:49 PM            49,152 YOUR-KGOHY9AU97\home   CPSurVid.dll
11/01/2003  03:23 PM                65 BUILTIN\Administrators desktop.ini
03/12/2004  05:24 PM           113,008 YOUR-KGOHY9AU97\home   HMAtchmt.ocx
05/09/2003  08:15 AM            77,824 YOUR-KGOHY9AU97\home   HouseCallButton.dll
03/21/2003  11:36 AM             3,276 YOUR-KGOHY9AU97\home   HouseCallButton.INF
08/25/2003  06:12 PM             1,096 YOUR-KGOHY9AU97\home   iuctl.inf
11/20/2003  12:22 AM               740 YOUR-KGOHY9AU97\home   jinstall-1_4_2_03.inf
02/06/2001  10:30 AM               302 YOUR-KGOHY9AU97\home   MSSurVid.inf
10/11/2000  03:49 PM           110,592 YOUR-KGOHY9AU97\home   MSSurVid.ocx
02/06/2001  10:30 AM               189 YOUR-KGOHY9AU97\home   Outside.inf
02/05/2001  03:50 PM            86,016 YOUR-KGOHY9AU97\home   Outside.ocx
12/08/2003  01:58 PM             3,759 YOUR-KGOHY9AU97\home   swflash.inf
06/09/2004  04:51 PM             1,777 YOUR-KGOHY9AU97\home   xscan.inf
06/09/2004  04:56 PM           435,712 YOUR-KGOHY9AU97\home   xscan53.ocx
01/26/2004  06:42 PM               856 YOUR-KGOHY9AU97\home   yinst.inf
01/26/2004  06:40 PM           133,120 YOUR-KGOHY9AU97\home   yinsthelper.dll
              18 File(s)      1,128,601 bytes
               2 Dir(s)  28,093,751,296 bytes free
« Last Edit: March 10, 2005, 10:35:13 AM by djkwik »

Offline guestolo

recurring spyware nightmare
« Reply #36 on: March 10, 2005, 11:54:23 PM »
Not seeing anything bad, how's everything running?

killbox, rootkitreveal, regsrch, iefix, silent runner, Remv3.zip, Rootkit.bat, Export.bat

You can Manually delete the above

Hold onto TDS3 for the 30 days, before your time expires do a manual update again and run another scan
Then you can uninstall it
« Last Edit: March 10, 2005, 11:58:23 PM by guestolo »



Offline djkwik

recurring spyware nightmare
« Reply #37 on: March 11, 2005, 09:33:29 AM »
Everything seems to be running fine, no pop-ups, nothing added to my favorites list.  I am going to turn System Restore back on and set a restore point now....hopefully that will save me from having to go through all of this nightmare again just in case one of these protection programs fails me.

Thanks again for all your help and patience.  I have to say that it really does make me sick knowing how many sicko-thieving-nosey bastards are out there working so hard at trying to get into people's computers!  Oh well...that's the world these days.

Guest

recurring spyware nightmare
« Reply #38 on: March 11, 2005, 11:16:22 PM »
Awww.... a happy ending. I'm only posting on this topic so that I can remember the name of this site once this same damn problem gets too out of control for me. (Just to make it easier for me to find my post on Google or something when I decide to come back: conmie, dxconf, truettf, 302, sccfull). Ok then.

Offline guestolo

recurring spyware nightmare
« Reply #39 on: March 13, 2005, 01:13:28 PM »
Thanks for posting back

I'll lock this thread as your problems appear resolved
If you need it reopened please PM a Mod or the site Admin and supply a link to this thread

Take Care
