Topic: Hijackthis logfile

ihc
Hijackthis logfile
« on: March 09, 2005, 04:18:09 PM »
PLEASE HELP GUESTOLO,

I have Win XP Home OS. I have run Ad-Aware and the computer is still running very slow. I have pop-ups all the time.

I downloaded hijacker per your instructions from another post. I created a new folder called HJT. I ran hijacker and saved a log file of it. I did not do anything to fix it - I will wait for your response.

Here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 9:13:56 PM, on 3/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\ocmlace.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\WINDOWS\System32\Ohyqxk.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\system32\msnavc32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\fxsdlyrt\jkpvrsp.exe
C:\WINDOWS\System32\atl70087.exe
C:\WINDOWS\System32\nyoiyxyj\vrtmucdy.exe
C:\WINDOWS\System32\taxot\mvcyf.exe
C:\WINDOWS\System32\bpovva\tabhcv.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\WINDOWS\system\gurmxwwege.exe
C:\WINDOWS\System32\ptcch.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\WINDOWS\System32\ptcch.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\ntsg6.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\System32\ic2_win.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\System32\ic2_win.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitesai32.exe
O4 - HKLM\..\Run: [sltirszszdv] C:\WINDOWS\System32\hhbqgu.exe
O4 - HKLM\..\Run: [x39P36T] ocmlace.exe
O4 - HKLM\..\Run: [zkrfkc] C:\WINDOWS\System32\zkrfkc.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Woajpp.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Ohyqxk.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [rm2zcmb4] C:\Program Files\rm2zcmb4\rm2zcmb4.exe
O4 - HKLM\..\Run: [rivcsc] C:\WINDOWS\System32\rivcsc.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [fwrdto] C:\WINDOWS\System32\hhbqgu.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [sysdxvid] c:\windows\system32\sysdxvid.exe /nocomm
O4 - HKLM\..\Run: [jkpvrsp] C:\WINDOWS\System32\fxsdlyrt\jkpvrsp.exe
O4 - HKLM\..\Run: [ad7c74cb5448] C:\WINDOWS\System32\atl70087.exe
O4 - HKLM\..\Run: [vrtmucdy] C:\WINDOWS\System32\nyoiyxyj\vrtmucdy.exe
O4 - HKLM\..\Run: [mvcyf] C:\WINDOWS\System32\taxot\mvcyf.exe
O4 - HKLM\..\Run: [tabhcv] C:\WINDOWS\System32\bpovva\tabhcv.exe
O4 - HKLM\..\Run: [nrwxref] C:\WINDOWS\System32\whvinc\nrwxref.exe
O4 - HKLM\..\Run: [uipf] C:\WINDOWS\System32\iyiqaurg\uipf.exe
O4 - HKLM\..\Run: [jfwiup] C:\WINDOWS\System32\sjwo\jfwiup.exe
O4 - HKLM\..\Run: [hysi] C:\WINDOWS\System32\fmud\hysi.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe
O4 - HKCU\..\Run: [wiashext] C:\WINDOWS\System32\wiashext.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [safrdm] C:\WINDOWS\System32\safrdm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [g0qFRWfni] ntsg6.exe
O4 - HKCU\..\Run: [ptcch] C:\WINDOWS\System32\ptcch.exe
O4 - HKCU\..\RunOnce: [ptcch] C:\WINDOWS\System32\ptcch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Homepage Protector - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://bin.wordsx.cc/r1-r4BdpROtvMceE.chm::/on-line.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

THANK YOU FOR YOUR VALUABLE TIME.

IHC
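An added example, not from this thread and not part of HijackThis itself: a small Python triage script that parses the R*/O* entry lines of a log like the one above and flags the structural signs a helper looks at first. It reports BHOs whose DLL is missing, Run values that give no full path (resolved through the search path at logon) or no file extension, O16 ActiveX packages sourced from non-web schemes such as ms-its: or file://, and any O18 MIME filter, which sees every HTML page the browser loads. The sample lines are a constructed subset of the posted log; the checks are generic heuristics for prioritising review, not a verdict on any particular entry.

```python
import ntpath
import re

# Constructed sample: a subset of entry lines in HijackThis v1.99 format, taken
# from the shapes in the log above (header and process list omitted).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [x39P36T] ocmlace.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://bin.wordsx.cc/r1-r4BdpROtvMceE.chm::/on-line.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# "O4 - HKLM\..\Run: [Name] command" and the "R1 - ..." lines share the "<section> - <body>" shape.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for every R*/O* entry line; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def first_token(cmd):
    """The program a Run value launches: a quoted path, or the first whitespace-delimited word."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split(None, 1)
    return parts[0] if parts else ""


def triage(entries):
    """Apply the structural checks and return (section, reason, body) findings in log order."""
    findings = []
    for section, body in entries:
        if section == "O2" and ("(file missing)" in body or "(no file)" in body):
            findings.append((section, "BHO registered but its DLL is gone", body))
        elif section == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            target = first_token(m.group("cmd"))
            if "\\" not in target:
                findings.append((section, "Run value has no full path; resolved via search path at logon", body))
            elif not ntpath.splitext(target)[1]:
                findings.append((section, "Run target has no file extension", body))
        elif section == "O16":
            source = body.rsplit(" - ", 1)[-1]  # the download source is the last " - " field
            if not source.lower().startswith(("http://", "https://")):
                findings.append((section, "ActiveX package sourced from a non-web scheme", body))
        elif section == "O18":
            findings.append((section, "MIME filter sees every text/html response", body))
    return findings


def triage_text(text):
    """Convenience wrapper: parse a whole log and triage it in one call."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for section, reason, body in triage_text(SAMPLE_LOG):
        print(f"{section:4} {reason}: {body}")
```

Run it against a saved log with `triage_text(open("hijackthis.log").read())`; entries it does not flag (vendor-signed services, fully pathed Program Files binaries) still deserve a look, but the flagged ones are where a reviewer starts.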

guestolo
Hijackthis logfile
« Reply #1 on: March 09, 2005, 08:42:02 PM »
Let's make sure that you run some tools on your computer before we tackle your log

I recommend that you PRINT the rest of these instructions out; they are all important

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Back in Windows
Download and Install Spybot S&D 1.3
When Installing, please don't enable TEA TIMER, it's a great addon to Spybot but it can get in our way to do any manual fixes. This can be enabled at a later time if you want it
After installation--Click the Update button on the left, in the window on the right click the
SEARCH FOR UPDATES button, Check and download all updates
Click the "Search and Destroy" Button
In the right window, click the
Check for Problems button. Let it complete its scanning---Ensure you check and FIX everything in RED---they should be checked by default

RESTART your computer to finish the Cleaning process

I recommend you run each of those in safe mode after they have been updated
RESTART the computer in between running each one

Afterwards, restart back to Normal mode

Ensure all other Users on the computer are logged out

Can you access your Internet options via Control Panel
Under the Security tab..Custom level
ensure these are marked
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)


Go to this link >>>Online virus scan at Panda's
http://www.pandasoftware.com/activescan/co...n_principal.htm
Don't start it yet
Now, this is VERY IMPORTANT
Close out all unnecessary programs running in the background
Close out all Windows

Bring up the Task Manager (right click the bottom taskbar and select Task Manager)
End process on these if you can

"Explorer.exe", all instances, should be only one <---this will cause all your Icons and taskbar to disappear

Then try and end process on these if you can and if still running; not all may exist anymore
===============================
ocmlace.exe
ptcch.exe <--all instances
wintask.exe
tabhcv.exe
vmss.exe
Ohyqxk.exe
rundll32.exe <--all instances
msnavc32.exe
WToolsA.exe
WSup.exe
sysmonnt.exe
atl70087.exe
wsxsvc.exe
vrtmucdy.exe
ntsg6.exe
jkpvrsp.exe
mvcyf.exe
===============================

After that is done you will have only the Task Manager and the page from Panda's open
Click the SCAN MY PC button>>>This should bring up a pop up window from Panda's
Close down the IE page that I linked you to Panda's but keep their popup window open

Now you have Panda's popup window open and the Task Manager

Click the NEXT button>>If prompted at any time to install an ActiveX allow it
Supply an email address
Let it load the ActiveX control and load the virus definitions

To start the scan ensure you select My Computer or My whole computer
Something like that

Let it completely finish scanning, don't use the computer at all

When the scan is done>>Save the log

When the scan is complete
In Task Manager click FILE at the top
Then Click NEW TASK (Run)
In the open field type in
"explorer.exe" without the quotes and then click OK

This should bring back up the Desktop Icons and Taskbar

Come back to the forum and post the report from Panda's

And once again post back a new Hijackthis log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
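An added example, not from this thread: the five Custom Level settings listed above are stored as DWORD values under the Internet zone key in the registry. This Python script reads a `reg export` of that key, reports which settings are more permissive than the reply recommends, and emits a .reg fragment carrying the recommended values. The value IDs (1001, 1004, 1200, 1201, 1405) and the Enabled/Prompt/Disabled encoding (0/1/3) come from Microsoft's documentation of the Internet Settings\Zones keys; the exported text is constructed, and the key path assumes the per-user (HKCU) zone settings are the ones in effect.

```python
import re

# Per Microsoft's documentation of the Zones keys: 0 = Enabled, 1 = Prompt, 3 = Disabled.
ACTION_NAMES = {0: "Enabled", 1: "Prompt", 3: "Disabled"}

# Settings named in the reply above, with the recommended action for the Internet zone (zone 3).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1200": ("Run ActiveX controls and plug-ins", 0),
    "1405": ("Script ActiveX controls marked safe for scripting", 1),
}

# Assumed location of the per-user Internet zone settings.
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Constructed sample of `reg export` output for a machine where nearly everything is Enabled.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000001
"1405"=dword:00000000
"""

DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_zone(reg_text, key=ZONE_KEY):
    """Return {value_name: int} for the DWORD values under `key` in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()  # registry key names are case-insensitive
            continue
        m = DWORD_RE.match(line)
        if in_key and m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit_zone(values):
    """List (id, description, current, recommended) for settings looser than advised or not set."""
    weak = []
    for vid, (desc, want) in RECOMMENDED.items():
        have = values.get(vid)
        if have is None:
            weak.append((vid, desc, "not set", ACTION_NAMES[want]))
        elif have < want:  # lower number = more permissive (Enabled < Prompt < Disabled)
            weak.append((vid, desc, ACTION_NAMES.get(have, str(have)), ACTION_NAMES[want]))
    return weak


def corrected_reg(key=ZONE_KEY):
    """A .reg fragment that applies the recommended values (merge it with regedit)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    for vid, (_, want) in sorted(RECOMMENDED.items()):
        lines.append(f'"{vid}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for vid, desc, have, want in audit_zone(parse_zone(SAMPLE_REG)):
        print(f"{vid} {desc}: {have} (recommended {want})")
    print(corrected_reg())
```

Export the live key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` and feed that file to `parse_zone`; a zone whose policy is pushed from HKLM would need the same check against the machine-wide key.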


ihc
Hijackthis logfile
« Reply #2 on: March 10, 2005, 06:13:24 PM »
I cannot get my computer to browse the internet. Before I posted here, I deleted the following directory because I am a moron:
C:\Windows\Prefetch

Does this have something to do with an internet connection?
Anytime I click on IE, I receive the cannot find server or DNS error.

Do I need to put in my ISP DNS IP addresses? I have a Win 98 PC and don't have to.

What else would cause me to not connect to the internet?

Please Help Jason

guestolo
Hijackthis logfile
« Reply #3 on: March 10, 2005, 06:26:09 PM »
With all other windows closed
Access your Control Panel
If you're in Category View>>Switch to Classic View
- Double-click the Network Connections icon.
- Right-click your connection >>>Probably Local Area Connection icon and select Properties.
- Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure "Obtain DNS server address automatically" is selected. OK your way out.

Go to START>>RUN>>type in cmd
At the prompt type

ipconfig /flushdns

Hit Enter, note the space between ipconfig and /
Restart your computer afterwards

Could you also open Hijackthis>>Open Misc Tools Section
Open Uninstall Manager
Click the "Save List" button
Save the list on desktop and then post it back here
« Last Edit: March 10, 2005, 06:59:09 PM by guestolo »



ihc
Hijackthis logfile
« Reply #4 on: March 10, 2005, 08:30:54 PM »
Here is the uninstall list as you requested:

ABBYY FineReader 5.0 Sprint
Ad-Aware SE Personal
Adobe Acrobat 4.0
Broadcom Management Programs
CC_ccStart
ccCommon
Context Display
DA920EN
Dell AIO Printer A920
Dell Digital Jukebox Driver
Dell Media Experience
Dell ResourceCD
Dell Solution Center
Dell Support
D-helper Web Driver
DirectX 9 Hotfix - KB839643
DMVlite
DVDSentry
E2give Plug-in
FinePixViewer Ver.4.0
FUJIFILM USB Driver
HijackThis 1.99.1
IE Host R3
ImageMixer VCD for FinePix
Intel® 537EP V9x DF PCI Modem
Intel® Extreme Graphics Driver
Internet Explorer Default Page
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Money 2004
Microsoft Money 2004 System Pack
MicroStaff WINASPI NT
Modem Event Monitor
Modem Helper
Modem On Hold
MSRedist
MUSICMATCH® Jukebox
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
Ofoto Easy Upload ActiveX Control
Pacific Poker
PC Health Plan 1.4.1.0
PowerDVD
QuickTime
RealOne Player
RON Display
RSyncMon
Shockwave
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
sww_SearchTool
Symantec Script Blocking Installer
SymNet
sysdxvid
System Monitor for Windows 98/NT/XP/2000/2003
URL Display
Win-dh
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
Windows ServeAd
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Win-Tools Easy Installer (by WebSearch)
WordPerfect Office 11

A couple more things.
When Win XP starts up I always get the following two errors:
1. Netsync.exe - Unable to locate component. This application was unable to start because commcoss.dll was not found. Reinstalling the application may fix the problem.
2. SysCheckBop32 - Runtime Error 13 - type mismatch

Thank you very much for your time.
Jason

ihc
Hijackthis logfile
« Reply #5 on: March 10, 2005, 08:32:45 PM »
I forgot to mention that after I click OK to the two errors, and then open task manager, the following program is always already running without me clicking on anything:

Desktop Search

guestolo
Hijackthis logfile
« Reply #6 on: March 10, 2005, 08:52:42 PM »
Go into Add/Remove Programs and Remove if you can
Restarting your computer in between removal of each one
Not all will be capable of Removal

sww_SearchTool
Win-dh
Win-Tools Easy Installer (by WebSearch)
sysdxvid
DMVlite
E2give Plug-in
RON Display
URL Display
Windows ServeAd
D-helper Web Driver

After you are done removing what you can and Restarting your computer, let me know if you can browse the Internet with IE

Also post back a fresh Hijackthis log

EDIT>>>If any can't be removed in Normal mode, try in SAFE MODE

Also try and Remove
Context Display
RSyncMon

If you don't use the next one remove it too
Pacific Poker
« Last Edit: March 10, 2005, 09:10:37 PM by guestolo »



ihc
Hijackthis logfile
« Reply #7 on: March 10, 2005, 10:01:57 PM »
Wow - this process took forever
sww_SearchTool - locked up the computer when I tried to remove - no help in safe mode
Win-dh - removed with no problems
Win-Tools Easy Installer (by WebSearch) - removed with no problems
sysdxvid - removed with no problems
DMVlite - locked computer - needed internet connection to remove - could not find server
E2give Plug-in - could not remove; it did nothing
RON Display - removed with no problems
URL Display - removed with no problems
Windows ServeAd - removed with no problems
D-helper Web Driver -  locked up the computer when I tried to remove - no help in safe mode

Browse IE - could not get on the internet

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:58:30 PM, on 3/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\isrvs\desktop.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\ocmlace.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\system32\msnavc32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\fxsdlyrt\jkpvrsp.exe
C:\WINDOWS\System32\atl70087.exe
C:\WINDOWS\System32\nyoiyxyj\vrtmucdy.exe
C:\WINDOWS\System32\taxot\mvcyf.exe
C:\WINDOWS\System32\bpovva\tabhcv.exe
C:\WINDOWS\system\gurmxwwege.exe
C:\WINDOWS\System32\ptcch.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\WINDOWS\System32\ptcch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ntsg6.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\System32\ic2_win.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\System32\ic2_win.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitesai32.exe
O4 - HKLM\..\Run: [sltirszszdv] C:\WINDOWS\System32\hhbqgu.exe
O4 - HKLM\..\Run: [x39P36T] ocmlace.exe
O4 - HKLM\..\Run: [zkrfkc] C:\WINDOWS\System32\zkrfkc.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [rm2zcmb4] C:\Program Files\rm2zcmb4\rm2zcmb4.exe
O4 - HKLM\..\Run: [rivcsc] C:\WINDOWS\System32\rivcsc.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [fwrdto] C:\WINDOWS\System32\hhbqgu.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [sysdxvid] c:\windows\system32\sysdxvid.exe /nocomm
O4 - HKLM\..\Run: [jkpvrsp] C:\WINDOWS\System32\fxsdlyrt\jkpvrsp.exe
O4 - HKLM\..\Run: [ad7c74cb5448] C:\WINDOWS\System32\atl70087.exe
O4 - HKLM\..\Run: [vrtmucdy] C:\WINDOWS\System32\nyoiyxyj\vrtmucdy.exe
O4 - HKLM\..\Run: [mvcyf] C:\WINDOWS\System32\taxot\mvcyf.exe
O4 - HKLM\..\Run: [tabhcv] C:\WINDOWS\System32\bpovva\tabhcv.exe
O4 - HKLM\..\Run: [nrwxref] C:\WINDOWS\System32\whvinc\nrwxref.exe
O4 - HKLM\..\Run: [uipf] C:\WINDOWS\System32\iyiqaurg\uipf.exe
O4 - HKLM\..\Run: [jfwiup] C:\WINDOWS\System32\sjwo\jfwiup.exe
O4 - HKLM\..\Run: [hysi] C:\WINDOWS\System32\fmud\hysi.exe
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe
O4 - HKCU\..\Run: [wiashext] C:\WINDOWS\System32\wiashext.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [safrdm] C:\WINDOWS\System32\safrdm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [g0qFRWfni] ntsg6.exe
O4 - HKCU\..\Run: [ptcch] C:\WINDOWS\System32\ptcch.exe
O4 - HKCU\..\RunOnce: [ptcch] C:\WINDOWS\System32\ptcch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Homepage Protector - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://bin.wordsx.cc/r1-r4BdpROtvMceE.chm::/on-line.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you for your time!!
Jason

Offline guestolo
Hijackthis logfile
« Reply #8 on: March 10, 2005, 11:18:50 PM »
Print this out or save to a Notepad file on your desktop

Restart back into safe mode

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Access Add/Remove Programs and remove if you can
Context Display
RSyncMon

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\System32\ic2_win.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\System32\ic2_win.dll (file missing)

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitesai32.exe
O4 - HKLM\..\Run: [sltirszszdv] C:\WINDOWS\System32\hhbqgu.exe
O4 - HKLM\..\Run: [x39P36T] ocmlace.exe
O4 - HKLM\..\Run: [zkrfkc] C:\WINDOWS\System32\zkrfkc.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32

O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [rm2zcmb4] C:\Program Files\rm2zcmb4\rm2zcmb4.exe
O4 - HKLM\..\Run: [rivcsc] C:\WINDOWS\System32\rivcsc.exe

O4 - HKLM\..\Run: [fwrdto] C:\WINDOWS\System32\hhbqgu.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe

O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [sysdxvid] c:\windows\system32\sysdxvid.exe /nocomm
O4 - HKLM\..\Run: [jkpvrsp] C:\WINDOWS\System32\fxsdlyrt\jkpvrsp.exe
O4 - HKLM\..\Run: [ad7c74cb5448] C:\WINDOWS\System32\atl70087.exe
O4 - HKLM\..\Run: [vrtmucdy] C:\WINDOWS\System32\nyoiyxyj\vrtmucdy.exe
O4 - HKLM\..\Run: [mvcyf] C:\WINDOWS\System32\taxot\mvcyf.exe
O4 - HKLM\..\Run: [tabhcv] C:\WINDOWS\System32\bpovva\tabhcv.exe
O4 - HKLM\..\Run: [nrwxref] C:\WINDOWS\System32\whvinc\nrwxref.exe
O4 - HKLM\..\Run: [uipf] C:\WINDOWS\System32\iyiqaurg\uipf.exe
O4 - HKLM\..\Run: [jfwiup] C:\WINDOWS\System32\sjwo\jfwiup.exe
O4 - HKLM\..\Run: [hysi] C:\WINDOWS\System32\fmud\hysi.exe
O4 - HKCU\..\Run: [prutqct] C:\WINDOWS\System32\prutqct.exe
O4 - HKCU\..\Run: [wiashext] C:\WINDOWS\System32\wiashext.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [safrdm] C:\WINDOWS\System32\safrdm.exe

O4 - HKCU\..\Run: [g0qFRWfni] ntsg6.exe
O4 - HKCU\..\Run: [ptcch] C:\WINDOWS\System32\ptcch.exe
O4 - HKCU\..\RunOnce: [ptcch] C:\WINDOWS\System32\ptcch.exe

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://bin.wordsx.cc/r1-r4BdpROtvMceE.chm::/on-line.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Find and delete these files or folders if they exist, they are in bold
FILES
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\System32\AUNBHO.dll
C:\windows\system32\elitesai32.exe
C:\WINDOWS\System32\hhbqgu.exe
ocmlace.exe
C:\WINDOWS\System32\zkrfkc.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\Woajpp.exe
C:\WINDOWS\SysCheckBop32
C:\WINDOWS\System32\Ohyqxk.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\System32\netsync.exe
C:\WINDOWS\System32\rivcsc.exe
C:\WINDOWS\System32\hhbqgu.exe
C:\WINDOWS\System32\exp.exe
C:\windows\system32\msnavc32.exe
E6F1873B.DLL
D9EBC318C
D0CE0C16B1

c:\windows\system32\sysdxvid.exe
C:\WINDOWS\System32\atl70087.exe
C:\WINDOWS\System32\prutqct.exe
C:\WINDOWS\System32\wiashext.exe
C:\WINDOWS\System32\sysmonnt
C:\WINDOWS\System32\safrdm.exe
ntsg6.exe
C:\WINDOWS\System32\ptcch.exe
c:\counter.cab

FOLDERS
C:\WINDOWS\isrvs
C:\Program Files\Windows ServeAd
C:\WINDOWS\System32\vmss
C:\Program Files\Common files\SearchUpgrader
C:\Program Files\rm2zcmb4
C:\WINDOWS\System32\wsxsvc
C:\WINDOWS\System32\fxsdlyrt
C:\WINDOWS\System32\nyoiyxyj
C:\WINDOWS\System32\taxot
C:\WINDOWS\System32\bpovva
C:\WINDOWS\System32\whvinc
C:\WINDOWS\System32\iyiqaurg
C:\WINDOWS\System32\sjwo
C:\WINDOWS\System32\fmud
C:\Program Files\Common Files\WinTools

Navigate to your Temp folders and delete the WHOLE contents, or whatever you can
But don't delete the temp directories themselves
C:\Windows\Temp\
C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

Access Internet Options via Control Panel
Under the Connections tab
Click Settings under Dialup and/or LAN settings and ensure that Proxy Server is not checked

Restart back to Normal mode>>Keep any browser closed down
Check your Connections tab again, ensure Proxy Server is unchecked

Come back here and post a fresh Hijackthis log
« Last Edit: March 11, 2005, 12:00:07 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline ihc
Hijackthis logfile
« Reply #9 on: March 11, 2005, 06:51:28 PM »
Hi Guestolo,

The computer seems to be running a lot better.
Here is the new log you requested:

Logfile of HijackThis v1.99.1
Scan saved at 6:47:55 PM, on 3/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system\gurmxwwege.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ptcch] C:\WINDOWS\System32\ptcch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Homepage Protector - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you for your time.
Jason

Offline guestolo
Hijackthis logfile
« Reply #10 on: March 12, 2005, 01:09:42 AM »
You're still not 100%.
Can you now go through what I asked you to do in the first reply,
Including the scan at Pandas
and how to run it
Please post back the log from Pandas

Also, post back a Hijackthis log afterwards
« Last Edit: March 12, 2005, 01:10:55 AM by guestolo »


Offline ihc
Hijackthis logfile
« Reply #11 on: March 12, 2005, 06:15:43 PM »
I did everything you mentioned in your first post.

Here is the panda active scan:

Incident                      Status                        Location

Virus:Trj/Startpage.SJ        No disinfected                Operating system
Adware:Adware/eZula           No disinfected                C:\WINDOWS\System32\ezPopStub.exe
Adware:Adware/MyWay           No disinfected                C:\Program Files\MySearch
Adware:Adware/PortalScan      No disinfected                C:\Program Files\Common Files\slmss
Adware:Adware/CWS             No disinfected                C:\Documents and Settings\Andrea\Desktop\Virus Hunter Security.lnk
Adware:Adware/BookedSpace     No disinfected                C:\WINDOWS\bsx32
Adware:Adware/Apropos         No disinfected                C:\Program Files\cxtpls
Adware:Adware/WinTools        No disinfected                Windows Registry
Adware:Adware/AdDestroyer     No disinfected                C:\WINDOWS\System32\SWRT??.dll
Adware:Adware/VirtualBouncer  No disinfected                C:\WINDOWS\SYSTEM32\SWRT01.dll
Spyware:Spyware/TVMedia       No disinfected                C:\WINDOWS\Bundles
Adware:Adware/DelFinMedia     No disinfected                C:\keys.ini
Adware:Adware/IPInsight       No disinfected                C:\WINDOWS\alchem.???
Adware:Adware/DealHelper      No disinfected                C:\WINDOWS\System32\DealHelper
Adware:Adware/ISearch         No disinfected                Windows Registry
Adware:Adware/Comet           No disinfected                C:\WINDOWS\Downloaded Program Files\dm.inf
Adware:Adware/TopRebates      No disinfected                C:\WINDOWS\bundles\WebRebates*.exe
Adware:Adware/Twain-Tech      No disinfected                C:\WINDOWS\satmat.ini
Adware:Adware/EliteBar        No disinfected                C:\WINDOWS\EliteSideBar
Adware:Adware/Beginto         No disinfected                Windows Registry
Spyware:Spyware/Search3       No disinfected                C:\Program Files\Search3 Toolbar
Adware:Adware/BTGrab          No disinfected                Windows Registry
Adware:Adware/BookedSpace     No disinfected                C:\WINDOWS\bundles\bs5-vwqouc.exe
Adware:Adware/MyDailyHoroscope  No disinfected              C:\WINDOWS\bundles\setup_silent_17123.exe
Adware:Adware/TopRebates      No disinfected                C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\Downloaded Program Files\abasa5jrp_.exe
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\Downloaded Program Files\hochkaod3_.exe
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\Downloaded Program Files\hochkaod3_.ini
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\Downloaded Program Files\lkir8l2gm_.dll
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.ini
Adware:Adware/IPInsight       No disinfected                C:\WINDOWS\INF\alchem.inf
Adware:Adware/BTGrab          No disinfected                C:\WINDOWS\INF\btgrab.inf
Virus:Trj/Downloader.GK       Disinfected                   C:\WINDOWS\INF\polall1r.inf
Spyware:Spyware/BetterInet    No disinfected                C:\WINDOWS\inst\3p_1.exe
Adware:Adware/Envolo          No disinfected                C:\WINDOWS\qavbfx.exe
Adware:Adware/IPInsight       No disinfected                C:\WINDOWS\satmat.ini
Virus:Trj/Imiserv.D           Disinfected                   C:\WINDOWS\systb.exe
Virus:Trj/Startpage.SJ        Disinfected                   C:\WINDOWS\SYSTEM\gurmxwwege.exe
Virus:Trj/Downloader.AWZ      Disinfected                   C:\WINDOWS\SYSTEM32\Cache\20001.exe
Adware:Adware/Apropos         No disinfected                C:\WINDOWS\SYSTEM32\Cache\cxtpls_loader.exe
Adware:Adware/Transponder     No disinfected                C:\WINDOWS\SYSTEM32\Cache\dr.exe
Adware:Adware/HuntBar         No disinfected                C:\WINDOWS\SYSTEM32\Cache\EDow_AS2.exe
Adware:Adware/eZula           No disinfected                C:\WINDOWS\SYSTEM32\Cache\ezStubseedcorn.exe
Virus:Trj/Delf.EB             Disinfected                   C:\WINDOWS\SYSTEM32\Cache\HelperInstaller.exe
Virus:Trj/Downloader.BBA      Disinfected                   C:\WINDOWS\SYSTEM32\Cache\MTE1NDE6ODoxMg.exe
Spyware:Spyware/SurfSideKick  No disinfected                C:\WINDOWS\SYSTEM32\Cache\SSK_B5.EXE
Adware:Adware/AdLogix         No disinfected                C:\WINDOWS\SYSTEM32\Cache\videoinst.exe
Adware:Adware/TopRebates      No disinfected                C:\WINDOWS\SYSTEM32\Cache\WebRebates_Auto_InstallSilent.exe
Virus:Trj/Startpage.SJ        Disinfected                   C:\WINDOWS\SYSTEM32\elitelje32.exe
Virus:Trj/Startpage.SJ        Disinfected                   C:\WINDOWS\SYSTEM32\elitevmf32.exe
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\SYSTEM32\hochkaod3.ini
Adware:Adware/PortalScan      No disinfected                C:\WINDOWS\SYSTEM32\id113.exe
Virus:Trojan Horse            Disinfected                   C:\WINDOWS\SYSTEM32\id114.exe
Adware:Adware/AdLogix         No disinfected                C:\WINDOWS\SYSTEM32\rivcs.dll
Adware:Adware/AdLogix         No disinfected                C:\WINDOWS\SYSTEM32\rivcsf.exe
Adware:Adware/nCase           No disinfected                C:\WINDOWS\SYSTEM32\SplWbr.dll                                                                                                                                                                                                                                  
Adware:Adware/VirtualBouncer  No disinfected                C:\WINDOWS\SYSTEM32\SWRT01.dll                                                                                                                                                                                                                                  
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\SYSTEM32\u6f6uftuc.ini                                                                                                                                                                                                                              
Adware:Adware/AdLogix         No disinfected                C:\WINDOWS\SYSTEM32\zkrfkf.exe                                                                                                                                                                                                                                  
Here is the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:09:19 PM, on 3/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ptcch] C:\WINDOWS\System32\ptcch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Homepage Protector - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you again for your time!

Also, how can I learn to do what you do on this website?  How do you know what steps to take to clean computers?

Jason

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hijackthis logfile
« Reply #12 on: March 12, 2005, 06:36:04 PM »
Do another scan with Hijackthis and put a check next to these entries:

O4 - HKCU\..\Run: [ptcch] C:\WINDOWS\System32\ptcch.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Can you restart into safe mode please

Find any of those files or folders found bad by Panda's that could not be disinfected and delete them, in the exact locations indicated by the Incident report

Make sure to delete these folders
C:\WINDOWS\bundles
C:\WINDOWS\SYSTEM32\Cache

Check over the Panda report and delete all bad files or folders

Also clean out your Temp folders again

Let me know what you couldn't find and also post back a fresh Hijackthis log

When you ran the scan at Panda's did you first end process on Explorer.exe?
All Icons and task bar disappear?

We'll also do a bit of registry cleaning when you post back
« Last Edit: March 12, 2005, 06:53:21 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline ihc

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
Hijackthis logfile
« Reply #13 on: March 12, 2005, 08:36:09 PM »
Here are the viruses and files that I couldn't find from the panda report:


Incident                      Status                        Location
Virus:Trj/Startpage.SJ        No disinfected                Operating system
Adware:Adware/WinTools        No disinfected                Windows Registry
Adware:Adware/AdDestroyer     No disinfected                C:\WINDOWS\System32\SWRT??.dll
Adware:Adware/ISearch         No disinfected                Windows Registry
Adware:Adware/Comet           No disinfected                C:\WINDOWS\Downloaded Program Files\dm.inf
Adware:Adware/Beginto         No disinfected                Windows Registry
Adware:Adware/BTGrab          No disinfected                Windows Registry
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\Downloaded Program Files\abasa5jrp_.exe
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\Downloaded Program Files\hochkaod3_.exe
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\Downloaded Program Files\hochkaod3_.ini
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\Downloaded Program Files\lkir8l2gm_.dll
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.ini
Virus:Trj/Imiserv.D           Disinfected                   C:\WINDOWS\systb.exe
Virus:Trj/Startpage.SJ        Disinfected                   C:\WINDOWS\SYSTEM\gurmxwwege.exe
Virus:Trj/Startpage.SJ        Disinfected                   C:\WINDOWS\SYSTEM32\elitelje32.exe
Virus:Trj/Startpage.SJ        Disinfected                   C:\WINDOWS\SYSTEM32\elitevmf32.exe
Virus:Trojan Horse            Disinfected                   C:\WINDOWS\SYSTEM32\id114.exe
Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:32:08 PM, on 3/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Homepage Protector - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

When you ran the scan at Panda's did you first end process on Explorer.exe?
Yes
All Icons and task bar disappear?
Yes

Thanks,
Jason
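
The Panda report above lists every hit in three columns, and the helper's instruction is to act only on the "No disinfected" rows that point at a real file. This is an added example, not something from the thread or from Panda: a small parser that pulls the report apart, separates file hits from registry/in-memory hits (which no `del` can remove), sets aside wildcard paths like `SWRT??.dll` that still need a `dir` lookup, and groups the remaining files by folder in the same cd/del shape the helper uses. The sample rows are copied from the report posted above.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Rows copied from the Panda ActiveScan report posted in this thread; the
# column header is kept so the parser has to skip it like the real report.
PANDA_REPORT = """\
Incident                      Status                        Location
Virus:Trj/Startpage.SJ        No disinfected                Operating system
Adware:Adware/WinTools        No disinfected                Windows Registry
Adware:Adware/AdDestroyer     No disinfected                C:\\WINDOWS\\System32\\SWRT??.dll
Adware:Adware/Comet           No disinfected                C:\\WINDOWS\\Downloaded Program Files\\dm.inf
Adware:Adware/SAHAgent        No disinfected                C:\\WINDOWS\\Downloaded Program Files\\abasa5jrp_.exe
Adware:Adware/SAHAgent        No disinfected                C:\\WINDOWS\\Downloaded Program Files\\hochkaod3_.ini
Virus:Trj/Imiserv.D           Disinfected                   C:\\WINDOWS\\systb.exe
Virus:Trojan Horse            Disinfected                   C:\\WINDOWS\\SYSTEM32\\id114.exe
"""


@dataclass(frozen=True)
class Incident:
    name: str
    status: str
    location: str

    @property
    def is_file(self) -> bool:
        # Panda reports registry and in-memory hits with a plain label
        # ("Windows Registry", "Operating system") instead of a path.
        return re.match(r"^[A-Za-z]:\\", self.location) is not None

    @property
    def is_pattern(self) -> bool:
        # A wildcard location (SWRT??.dll) names a family, not one file;
        # it has to be resolved with a directory listing first.
        return any(ch in self.location for ch in "?*")


def parse_panda_report(text: str) -> list[Incident]:
    """Split the fixed-width report into Incident rows (2+ spaces = column gap)."""
    rows = []
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 3 or fields[0] == "Incident":
            continue  # blank line, wrapped line, or the column header
        rows.append(Incident(*fields))
    return rows


def leftovers(incidents: list[Incident]):
    """Hits the scanner could not disinfect, split by how they must be handled."""
    files, patterns, other = [], [], []
    for inc in incidents:
        if inc.status != "No disinfected":
            continue  # already cleaned by the scanner
        if not inc.is_file:
            other.append(inc)      # registry / running-process hit: not a file to delete
        elif inc.is_pattern:
            patterns.append(inc)   # needs a dir lookup before anything can be removed
        else:
            files.append(inc)
    return files, patterns, other


def deletion_plan(files: list[Incident]) -> list[str]:
    """Group leftover files by folder, in the cd/del form used in the thread."""
    by_dir = defaultdict(list)
    for inc in files:
        folder, _, name = inc.location.rpartition("\\")
        by_dir[folder].append(name)
    lines = []
    for folder in sorted(by_dir):
        lines.append(f'cd /d "{folder}"')
        lines.extend(f"del {name}" for name in sorted(by_dir[folder]))
    return lines


if __name__ == "__main__":
    found = parse_panda_report(PANDA_REPORT)
    files, patterns, other = leftovers(found)
    print("\n".join(deletion_plan(files)))
    for inc in patterns:
        print(f"resolve first: dir \"{inc.location}\" /a")
    for inc in other:
        print(f"not a file, handle separately: {inc.name} ({inc.location})")
```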

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hijackthis logfile
« Reply #14 on: March 13, 2005, 12:46:23 AM »
Just some cleanup
Let's create a fresh restore point first
START>>All Programs>>Accessories>>System Tools>>System Restore
Create a new restore point
Name it and click Create
When that's done

Can you download and save to Desktop
This removal tool from Symantec's
Just to see if it picks up any leftover Registry entries
http://securityresponse.symantec.com/avcenter/FxHuntbr.exe
Don't run it yet

Can you download and save to desktop CleanAll.Zip
REMOVED ATTACHMENT ~guestolo~

Unzip the contents to desktop
You should now have
iSearch.reg>>Begin.reg>>Btgrab.reg>>Elite.reg
On your desktop

Print or save the rest of these instructions to notepad
Close down all windows and run FxHuntbr.exe
Let it scan your drive, when it's done, if it gives you an option to save a report,
Could you, thanks

Restart into safe mode
Double click on each of the following and allow them to merge to the registry
iSearch.reg>>Begin.reg>>Btgrab.reg>>Elite.reg

Stay in safe mode
Go to START>>RUN>>type in
cmd
This should open a command prompt

At the prompt type in the following. Don't type in "(hit Enter)"; that indicates hitting Enter on your keyboard. Also notice the single space between del and the file name

cd\WINDOWS\Downloaded Program Files (hit Enter)
del dm.inf (hit Enter)
del abasa5jrp_.exe (hit Enter)
del hochkaod3_.exe   (hit Enter)
del hochkaod3_.ini   (hit Enter)
del lkir8l2gm_.dll   (hit Enter)
del u6f6uftuc_.exe   (hit Enter)
del u6f6uftuc_.ini   (hit Enter)


Type exit

Restart back to Normal mode

Open Notepad (START>>>RUN>>>type in notepad, hit Enter)
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS

Name the file as Export.bat
Save this file on the desktop

 
Quote
rem list SWRT??.dll whatever its attributes (hidden and system files included)
dir C:\WINDOWS\System32\SWRT??.dll /a > files.txt
notepad files.txt

Double click on Export.bat and copy and paste back the results

Could you also post back the report from the FxHuntbr tool, thanks
« Last Edit: March 13, 2005, 01:21:20 PM by guestolo »



Offline ihc

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
Hijackthis logfile
« Reply #15 on: March 13, 2005, 11:21:05 AM »
Here is the FxHuntbr log file:

Symantec Adware.Huntbar Removal Tool 1.2.3


registry: HKEY_USERS\S-1-5-21-2452291741-575372065-3859627959-1008\SOFTWARE\WinTools (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI (key deleted)

Adware.Huntbar has not been found on your computer.

Here is the Export.bat file results:

 Volume in drive C has no label.
 Volume Serial Number is 8438-15DB

 Directory of C:\WINDOWS\System32


 Directory of C:\Documents and Settings\Andrea\Desktop

What do I need to do, install, run to keep my computer from getting this bad in the future?

Thanks for your time.

Jason

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hijackthis logfile
« Reply #16 on: March 13, 2005, 12:44:07 PM »
If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

If you're interested in a small program that will give you realtime protection for Spyware, I like using Spyware Guard
Install and let it run on system startup, check for updates after you install it
It won't, and doesn't have to update that much, but check for updates once a month anyways
Here's a link
http://www.javacoolsoftware.com/spywareguard.html

Of course hold onto Ad-Aware and Spybot
Check for updates every 2 or 3 weeks and run scans
A little added protection
Open Spybot>>Click on Immunize>>OK>>Immunize at the top

If you're interested in reading Hijackthis logs, the best place to start is by looking at your own log
Do a scan every couple of weeks, make sure nothing changes, if it does ensure it's a legit entry
You can learn to read logs by reading this tutorial
http://aumha.org/a/hjttutor.php

Keep reading logs on the Net
Stay safe :D

I've PM'ed you too

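
The advice above is to keep scanning every couple of weeks and check that nothing in your own log changes. As an added example (not from the thread, and not part of HijackThis itself), here is a small script that parses the HijackThis v1.99.1 line format seen in these logs, diffs a reviewed baseline against a later scan so that new or vanished entries stand out, and breaks an O4 Run line into hive, key, value name, image and arguments for review. The baseline below is an excerpt of the log posted above; the "later" scan is constructed from it by re-adding the ptcch Run entry that was fixed earlier in the thread and dropping one service line.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt of the HijackThis v1.99.1 log posted in this thread (the reviewed baseline).
BASELINE_LOG = """\
Logfile of HijackThis v1.99.1
Scan saved at 8:32:08 PM, on 3/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\HJT\\HijackThis.exe

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\WINDOWS\\System32\\msjava.dll (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\\Program Files\\Norton AntiVirus\\SAVScan.exe
"""

# Constructed "two weeks later" scan: the ptcch Run entry from earlier in the
# thread is back and one service line is gone; everything else is unchanged.
LATER_LOG = BASELINE_LOG.replace(
    "O23 - Service: SAVScan - Symantec Corporation - C:\\Program Files\\Norton AntiVirus\\SAVScan.exe\n",
    "",
) + "O4 - HKCU\\..\\Run: [ptcch] C:\\WINDOWS\\System32\\ptcch.exe\n"

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")


@dataclass(frozen=True)
class Entry:
    section: str  # "R1", "O4", "O23", ... or "PROC" for the running-process list
    text: str


def parse_hjt_log(text: str) -> list[Entry]:
    """Turn a HijackThis log into entries; header lines are ignored."""
    entries, in_procs = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # the blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
        elif in_procs:
            entries.append(Entry("PROC", line))
    return entries


def diff_logs(baseline: str, later: str):
    """Entries that appeared in, or vanished from, the later scan versus the baseline."""
    base, new = set(parse_hjt_log(baseline)), set(parse_hjt_log(later))
    key = lambda e: (e.section, e.text)
    return sorted(new - base, key=key), sorted(base - new, key=key)


def split_command(command: str) -> tuple[str, str]:
    """Separate the image path from its arguments, quoted or not."""
    if command.startswith('"'):
        image, _, rest = command[1:].partition('"')
        return image, rest.strip()
    # Unquoted paths may contain spaces, so cut at the first executable extension.
    m = re.match(r"(.*?\.(?:exe|dll|com|bat|scr))(?:\s+(.*))?$", command, re.I)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    return command, ""


def describe_run_entry(entry: Entry) -> dict | None:
    """Break an O4 HKLM/HKCU Run line into its parts; None for anything else."""
    if entry.section != "O4":
        return None
    m = RUN_RE.match(entry.text)
    if not m:
        return None
    hive, key, name, command = m.groups()
    image, args = split_command(command)
    return {"hive": hive, "key": key, "name": name, "image": image, "args": args}


def file_missing(entries: list[Entry]) -> list[Entry]:
    """Entries HijackThis marked '(file missing)': dead references worth cleaning up."""
    return [e for e in entries if e.text.endswith("(file missing)")]


if __name__ == "__main__":
    added, removed = diff_logs(BASELINE_LOG, LATER_LOG)
    for e in added:
        print("NEW     ", e.section, "-", e.text, describe_run_entry(e) or "")
    for e in removed:
        print("GONE    ", e.section, "-", e.text)
    for e in file_missing(parse_hjt_log(LATER_LOG)):
        print("MISSING ", e.section, "-", e.text)
```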