Author Topic: Major Problems  (Read 4981 times)

Offline SahDu

  • Jr. Member
  • **
  • Posts: 66
  • Karma: +0/-0
Major Problems
« on: December 05, 2004, 08:16:21 PM »
Ok, this is gonna be a long one. Thanks in advance for help. So I was having problems with my Windows XP freezing at startup, so I attempted to reinstall Windows from my disk. About half way through the installation it froze and was unable to reinstall after several attempts. After some searching on the internet I was able to check the start up files using the Recovery Console, though, to my knowledge, there were some glitches in this, specifically the fact that when I typed "copy C:\Windows\system32\config\sam" it said it was unable to find the file, the same problem happening with both "config\security" and "config\default". Though I knew this was a problem, I attempted the reinstallation anyway and was able to do so successfully, but with problems. Throughout the installation Windows kept popping up that several files were missing. I clicked "OK" as there was no other choice. Upon reinstalling Windows I was asked to enter users, and the main user I selected does not show up on logon. Luckily, I was able to retain all my files on my HD, but there are problems with these. Whenever attempting to open (most) programs I get one of two errors: "Windows is unable to find C:\Program Files\Mozilla\Firefox.exe. Please check to determine if the path is correct...." or "Windows is unable to find 'rundll32.exe'. Please check to determine if the path is correct...". I attempted to reinstall "rundll32.exe" from a site where I was able to download it, but there was no change. Any ideas? I would attempt to run HijackThis and such, but with the inability to open programs...  Any ideas? Thanks for reading, and in advance for any help. Thanks again!

Jeff

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Major Problems
« Reply #1 on: December 05, 2004, 08:33:32 PM »
I'm a little confused, would you consider trying a clean install of Windows
this would ensure you start out fresh---you will want to backup any needed files first
Can you see rundll32 in your
C:\Windows\system32 folder?
Just curious, do you see any other files in the system32 folder that begin with run

Have you tried SFC>>>System File checker?
With your cd in the drive

I'm just on my way out

Try download this registry fix
http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

Save it and UNZIP it to your desktop
Double click on xp_exe_fix.reg  and Allow it to merge to the registry

Restart your computer and try sending me a Hijackthis log

If no go
Download this Zipped file xp_fileassoc.zip
UNZIP it to your desktop and Double click on the
xp_fileassoc.bat to run it
Follow the prompts

RESTART your computer afterwards

This may not solve your problems, If you can post a Hijackthis log afterwards, go ahead

I'll try to help later when I get back if no others are able to

did you try an online Virus scan

You may want to try Trend Micro's--set to Autoclean
http://housecall.trendmicro.com/

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest

  • Guest
Major Problems
« Reply #2 on: December 05, 2004, 08:47:18 PM »
So I attempted the registry key fix and that helped a lot. I am now able to open programs and all so thanks so much. The next problem: I am unable to log onto my original user account. It still exists because I can see it when I go under Control Panel, yet when at the logon screen after a restart or trying to switch a user it doesn't show my original account. This is kind of a problem, because I can't access some of my files from the user account I am using now. Here is my current HijackThis log. Thanks for your help.

------------------------------------------------------
Logfile of HijackThis v1.98.2
Scan saved at 7:55:45 PM, on 12/5/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hitlgh.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MYIE2\MyIE.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\Run: [Mode axis] C:\PROGRA~1\Online slow ping\SETTINGS LONG HEART.exe
O4 - HKLM\..\Run: [msbb] C:\DOCUME~1\Jeff\LOCALS~1\Temp\msbb.exe
O4 - HKLM\..\Run: [BFS] C:\WINDOWS\BFS.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SQUpdatesChecker] C:\Program Files\Sqwire\uc.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\Run: [PGStub.exe] C:\Program Files\MYIE2\dp-b23011805.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [SQConfigChecker] C:\Program Files\Sqwire\cc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW Prefix: ehttp.cc?
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50039/QDow.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/downlo...38106/clean.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102294515357
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/bridge-c5.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tri...b?rand=20033300
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.music-holic.com/mp3search.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFullSInst.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F1A51F21-59DF-4486-BA31-5B816DA481EB} (FastSeekerToolbar Control) - http://www.fastseeker.com/toolbar/download...eekerSetup5.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/dlaccell.CAB
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstaller.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - (no file)
O18 - Filter: text/html - {2DE94081-9FE6-4227-BC59-B7A80CC8308C} - c:\program files\clientman\run\searchrepe44a84f2.dll
O20 - AppInit_DLLs: cpan.dll
O21 - SSODL: Web Event Logger - {79FB9088-19CE-715D-D85A-216290C5B738} - C:\WINDOWS\System32\Hpdqnc32.dll (file missing)
O21 - SSODL: SysTray.Ex - {F5B7D0BE-5f02-4222-96DB-386DFA244900} - (no file)

---------------------------------------

Thanks again!

Jeff
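The log above is what guestolo works from in Reply #4 when listing the entries to FIX CHECKED. As an added example that is not part of this thread and not HijackThis's own code, the following Python script parses HijackThis v1.98 entries and flags the structural red flags a reviewer looks for: hosts-file entries that send a well-known search host somewhere other than the local machine (O1), search settings pointing away from Microsoft hosts (R0/R1), Run entries that launch a system binary name from the wrong folder or from a Temp directory (O4), a rewritten WWW prefix (O13), a populated AppInit_DLLs (O20), and orphaned entries whose target file is gone. The sample lines are copied from Jeff's log; the host and folder lists are the editor's assumptions. Items guestolo flagged purely from experience with their names, such as bridge.dll or a.exe, are deliberately not matched: the script shows only what can be judged from an entry's shape.

```python
"""Triage a HijackThis v1.98 log for entries worth a closer look.

Added example for this thread, not HijackThis code. The sample lines are
copied from the log Jeff posted; the host and folder lists are the editor's
assumptions about what a clean XP box looks like.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the lines from the posted log.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [msbb] C:\DOCUME~1\Jeff\LOCALS~1\Temp\msbb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O13 - WWW Prefix: ehttp.cc?
O20 - AppInit_DLLs: cpan.dll
O21 - SSODL: Web Event Logger - {79FB9088-19CE-715D-D85A-216290C5B738} - C:\WINDOWS\System32\Hpdqnc32.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)", re.IGNORECASE)

# Editor's assumptions: which registry values steer IE search, which hosts
# Microsoft used for them on XP, and which binaries belong only in System32.
SEARCH_KEYS = ("SearchAssistant", "CustomizeSearch", "Search Bar",
               "Default_Search_URL", "Search,(Default)", "HomeOldSP")
MS_SEARCH_HOSTS = {"auto.search.msn.com", "search.msn.com", "www.msn.com"}
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _first_path(cmd: str) -> str:
    """Return the executable a Run entry launches, or the DLL when rundll32 hosts it.
    Unquoted paths containing spaces are cut at the first space (known limit)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, rest = cmd.partition(" ")
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        # rundll32 is only the host process; the DLL argument is what matters
        return rest.strip().lstrip('"').split(",", 1)[0].rstrip('"')
    return exe


def _check_run(cmd: str) -> Optional[str]:
    path = _first_path(cmd)
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    folder = low[: len(low) - len(name)]
    if name in SYSTEM_BINARIES and folder != SYSTEM_DIR:
        return f"system binary name {name} launched from {folder or '(no path)'}"
    if "\\temp\\" in low:
        return "startup item runs from a Temp directory"
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the entries a reviewer should examine, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reason: Optional[str] = None
        if sec.startswith("R") and any(k in body for k in SEARCH_KEYS):
            url = URL_RE.search(body)
            if url is None:
                reason = "search setting replaced by a non-URL value"
            elif url.group("host").lower() not in MS_SEARCH_HOSTS:
                reason = f"search setting points to {url.group('host')}"
        elif sec == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group("ip") not in ("127.0.0.1", "0.0.0.0"):
                reason = f"hosts file sends {h.group('host')} to {h.group('ip')}"
        elif sec == "O4":
            r = RUN_RE.match(body)
            if r:
                reason = _check_run(r.group("cmd"))
        elif sec == "O13":
            prefix = body.split(":", 1)[1].strip()
            if prefix.lower() != "http://":
                reason = f"WWW prefix rewritten to {prefix}"
        elif sec == "O20":
            value = body.split(":", 1)[1].strip()
            if value:
                reason = f"AppInit_DLLs loads {value} into every GUI process"
        if reason is None and ("(file missing)" in body or "(no file)" in body):
            reason = "orphaned entry, target file is gone"
        if reason:
            findings.append(Finding(sec, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run against the sample it reports eight entries and stays quiet on the NvCpl and bridge.dll lines, which is the point: shape-based checks catch the misplaced svchost.exe, the Temp-folder launcher and the hosts redirects, while a DLL sitting in System32 with a plausible name needs an analyst (or a known-bad list) to judge.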

Offline SahDu

  • Jr. Member
  • **
  • Posts: 66
  • Karma: +0/-0
Major Problems
« Reply #3 on: December 05, 2004, 08:51:06 PM »
Sorry, above reply was me, I just forgot to log in. By the way, when Windows starts up it comes up with the error that says it can't find "bridge.dll". Any way that is causing problems? Thanks!

Jeff

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Major Problems
« Reply #4 on: December 05, 2004, 11:35:18 PM »
Hi again, just got back in

Let's try some fixes on your computer

Do as much of the below as you can before posting back
The user account you have now
Can you Restart into safe mode and by going to
START>>>RUN>>type in msconfig
Under the boot tab put a check in Safeboot
Apply
Restart
Log in the Administrator account
Go to START>>RUN type in control userpasswords2
and give the user you're using now full Administrative controls?
Highlight the User and click properties
Group Membership
from the drop down menu choose Administrators and Apply
This should give your user more control

RESTART back into Normal Mode
Access your Add/Remove programs and Remove if found
WebSearch Toolbar
WebSearch Tools
Search Assistant
Win-Tools Easy Installer

Do not reboot until they have all been removed even if prompted.

When you are uninstalling the last program you can then reboot when prompted.


When you're back in Windows
If you can, I need you to download and install some tools to help cleanup your log

===Could Download and Install the free version of Ad-Aware SE Personal 1.05
After installation-CHECK FOR UPDATES
Open adaware and Click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen.
Don't run this yet, but ensure to update

===Download and install Windows CleanUp! by Steve Gould
This will help you to clean your temporary files, cookies, prefetch folder
Don't run it yet

===Download and save to desktop the StandAlone version of
CWShredder
Again--Don't run it yet

==Could you also download and save to desktop
LSPfix.exe
Don't run this, this is just in case of lost internet access
I see no reason that we need it, but let's have it just in case
It's a small download

==Last download, could you also download and save to desktop
This Lop Uninstaller
Don't run it yet

You may want to Print the rest of this out, if you don't have a printer save this to a Notepad file on your desktop, I need you to restart into safe mode in the near future
Link will explain how to start in Safe Mode
Or Simply start tapping the F8 key on your keyboard when your computer is booting up
Don't start into safe mode yet, I'll let you know when
----------------------------------------------------------------
Let's try some fixes, do what you can before posting back

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe

O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\Run: [Mode axis] C:\PROGRA~1\Online slow ping\SETTINGS LONG HEART.exe
O4 - HKLM\..\Run: [msbb] C:\DOCUME~1\Jeff\LOCALS~1\Temp\msbb.exe
O4 - HKLM\..\Run: [BFS] C:\WINDOWS\BFS.exe

O4 - HKLM\..\Run: [SQUpdatesChecker] C:\Program Files\Sqwire\uc.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\Run: [PGStub.exe] C:\Program Files\MYIE2\dp-b23011805.exe

O4 - HKLM\..\Run: [SQConfigChecker] C:\Program Files\Sqwire\cc.exe

O13 - WWW Prefix: ehttp.cc?

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50039/QDow.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/downlo...38106/clean.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/bridge-c5.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tri...b?rand=20033300

O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.music-holic.com/mp3search.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab

O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFullSInst.cab

O16 - DPF: {F1A51F21-59DF-4486-BA31-5B816DA481EB} (FastSeekerToolbar Control) - http://www.fastseeker.com/toolbar/download...eekerSetup5.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/dlaccell.CAB
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstaller.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - (no file)

O20 - AppInit_DLLs: cpan.dll
O21 - SSODL: Web Event Logger - {79FB9088-19CE-715D-D85A-216290C5B738} - C:\WINDOWS\System32\Hpdqnc32.dll (file missing)
O21 - SSODL: SysTray.Ex - {F5B7D0BE-5f02-4222-96DB-386DFA244900} - (no file)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

==Open CWShredder and let it FIX all problems

==Double click on the Lop Uninstaller and follow the prompts

RESTART your Computer in Safe Mode

Access your Add/Remove Programs and remove if present

mscman

Set Windows to Show Hidden files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Find and delete these files or folders if they exist
they are in bold
FILES
C:\WINDOWS\BFS.exe
C:\WINDOWS\System32\bridge.dll
C:\WINDOWS\System32\a.exe
C:\Program Files\MYIE2\dp-b23011805.exe
C:\WINDOWS\System32\cpan.dll
C:\WINDOWS\svchost.exe <--file, delete just this one, DON'T try and delete any other svchost.exe in the System32 folder, just the one in the Windows folder

FOLDERS
C:\PROGRAM FILES\Online slow ping
C:\Program Files\Sqwire
C:\Program Files\AutoUpdate

==Open up Ad-Aware
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

==Open Cleanup and click on the Cleanup button
Let it finish scanning for files
It will prompt you that a couple files have to be deleted on restart

Restart your computer back into Normal mode

==If you can, could you at this point Download and Install Spybot S&D 1.3
After installation--SEARCH FOR UPDATES
Download all updates
Check for Problems---FIX everything in RED
RESTART your computer again to finish the cleaning process

The above should clean out quite a bit
Do as much of it as you can before posting back

It seems like a bit of work, but it's not that bad
A few of the programs I advise you to keep, they're yours for free

One last download :)

==Download and save to Desktop VX2 Finder (126)
Open it and press the
"Find VX2.Betterinternet"
Let it scan, when it's done
Click the "Make Log"

==Copy and paste that log back here along with a fresh hijackthis log

EDIT>>In case you didn't see it, I added svchost.exe to the fixes, sorry I missed it the first time
« Last Edit: December 06, 2004, 03:30:48 AM by guestolo »



Guest

  • Guest
Major Problems
« Reply #5 on: December 06, 2004, 01:19:23 AM »
Okay, I was working on this but encountered several problems. The biggest being that I still cannot access one of the users. It still exists because I can see it when I go to users through Control Panel, but I can't find any way to actually log into it. Plus, there is one folder that I can't open and it is basically the folder that holds all my important files. I keep getting an error saying access is denied, though I have full administrative privileges. PLEASE HELP!! Thanks!!

Jeff

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Major Problems
« Reply #6 on: December 06, 2004, 01:30:59 AM »
Jeff, do as much as you can of what I mentioned above, then post those logs I asked for

We'll worry about taking ownership of that folder after
« Last Edit: December 06, 2004, 01:35:08 AM by guestolo »



Guest

  • Guest
Major Problems
« Reply #7 on: December 06, 2004, 01:35:34 AM »
Alright, I apologize. Just the whole frustration factor. It's getting late, I will work on it more tomorrow, finished everything up to the AdAware. Thanks for all your help!

Jeff

Guest

  • Guest
Major Problems
« Reply #8 on: December 06, 2004, 01:36:56 AM »
No problem, I'm on my way to bed
So I probably won't see your reply till I get off work

Later :D

Offline SahDu

  • Jr. Member
  • **
  • Posts: 66
  • Karma: +0/-0
Major Problems
« Reply #9 on: December 06, 2004, 09:03:19 PM »
Aight, home and finished your check list. Here is the VX2 log:

Files Found---
 
Additional Files---
 
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
MyIE2 IEAK

-------------------------------------------------------

And the new Hijack log:

Logfile of HijackThis v1.98.2
Scan saved at 8:12:11 PM, on 12/6/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Active Data Recovery Software\Active UNDELETE\Undelete.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102294515357
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab

--------------------------------------------

By the way, I did some looking and I found that the information in that folder I was trying to access was deleted. I ran a program I have called "Active@ Undelete" and it found the folder and said I would be able to restore it. Is there any way to do this safely otherwise...I don't want to use the program and end up ruining more components of my computer (I also don't know if I'm ready for this step so tell me if I'm jumping the gun here). Thanks for your help!

Jeff

EDIT: By the way, when I looked for those files you found (meaning anything in the Add/Remove Programs and the hidden files you asked me to look for) I was unable to find any of them. I'm hoping this is a good thing but I figured I would let you know. Thanks.
« Last Edit: December 06, 2004, 09:04:51 PM by SahDu »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Major Problems
« Reply #10 on: December 06, 2004, 09:27:57 PM »
Go ahead and try to restore your deleted files
I've never used this program
the ones I've used recommend restoring to a different partition if available
You may not have this available, so try saving it to a spot other than the original spot you deleted them from

Next:
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>>SAVE AS

Name the file as search.reg
Important>>Change the Save as Type to All Files.
Save this file on the desktop for now
This will help to restore your search settings back to defaults

Quote
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Do another scan with Hijackthis and put a check next to these entries

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R3 - Default URLSearchHook is missing


After you've ticked the above, close down all other open windows, including this one
Leave hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Double click on search.reg and allow it to merge to the registry

RESTART your computer

If you don't plan on doing a clean install

Ensure you get over to Windows Updates and get all latest Critical Updates{High Priority}
Don't get SP2 right now but ensure to install all others
Restart your computer and go back and visit windows updates to ensure you got them all except for Recommended updates and SP2

This line in your log
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

Indicates that you are either controlling startup items with msconfig
or possibly you have posted a hijackthis log in Safe mode

Can you ensure to do a Normal startup in msconfig and post back a fresh log from Hijackthis in Normal mode

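Before merging a .reg file someone hands you, it is worth seeing exactly which keys it will write. The following Python script is an added example, not code from this thread or from any tool recommended in it; it parses REGEDIT4 text, lists every key and value the file would set or delete, marks writes to autostart and persistence locations, and rejects malformed lines such as a value fused onto the line of its key (REGEDIT4 requires `@="http://"` on its own line below `[...\DefaultPrefix]`, and regedit will not merge it otherwise). The SAMPLE_REG text is the search.reg from the reply above; the list of sensitive key names is the editor's assumption.

```python
"""Inspect a REGEDIT4 .reg file before merging it.

Added example, not part of the thread. SAMPLE_REG is the search.reg text
guestolo posted; FUSED_SAMPLE reproduces the key/value-on-one-line mistake
that makes regedit reject a file. The SENSITIVE list is an editor's choice.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
"""

# Constructed: the same first key with its value fused onto the key line.
FUSED_SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]@="http://"
"""

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# Editor's assumption: key fragments where a write means autostart or persistence.
SENSITIVE = ("\\currentversion\\run", "appinit_dlls", "\\winlogon", "\\services\\")


class RegFileError(ValueError):
    pass


@dataclass
class RegChanges:
    writes: Dict[str, Dict[Optional[str], object]] = field(default_factory=dict)
    deleted_keys: List[str] = field(default_factory=list)


def _parse_data(data: str):
    """Decode REGEDIT4 value data: string, dword, hex blob, or '-' (delete)."""
    if data == "-":
        return None
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if data.lower().startswith("hex"):
        payload = data.split(":", 1)[1].replace("\\", "").replace(",", " ").split()
        return bytes(int(b, 16) for b in payload)
    raise RegFileError(f"unrecognised value data: {data!r}")


def parse_reg(text: str) -> RegChanges:
    """Parse a .reg file into the keys it writes and the keys it deletes.
    Raises RegFileError on a bad header or any line that is neither key nor value."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise RegFileError("missing REGEDIT4 / Version 5.00 header")
    changes = RegChanges()
    current: Optional[str] = None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        k = KEY_RE.match(line)
        if k:
            if k.group("delete"):
                changes.deleted_keys.append(k.group("path"))
                current = None          # values under a deleted key are an error
            else:
                current = k.group("path")
                changes.writes.setdefault(current, {})
            continue
        v = VALUE_RE.match(line)
        if v is None or current is None:
            raise RegFileError(f"line {lineno}: not a key or a value: {line!r}")
        name = None if v.group("default") else v.group("name")
        changes.writes[current][name] = _parse_data(v.group("data"))
    return changes


def is_well_formed(text: str) -> bool:
    try:
        parse_reg(text)
        return True
    except RegFileError:
        return False


def review(changes: RegChanges) -> List[str]:
    """One human-readable line per change, tagging persistence locations."""
    notes = [f"deletes key {p}" for p in changes.deleted_keys]
    for path, values in changes.writes.items():
        hot = any(s in path.lower() for s in SENSITIVE)
        for name, data in values.items():
            label = "(default)" if name is None else name
            action = "deletes value" if data is None else f"sets {label} = {data!r}"
            notes.append(f"{action} under {path}" + (" [autostart/persistence key]" if hot else ""))
    return notes


if __name__ == "__main__":
    print("\n".join(review(parse_reg(SAMPLE_REG))))
    print("fused sample well-formed:", is_well_formed(FUSED_SAMPLE))
```

For the posted search.reg the report is seven plain value writes under three keys, none of them autostart locations, which is what you want to see from a "restore defaults" fix; a file that touched a Run key or AppInit_DLLs would be marked, and a fused line is refused before anything is merged.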


Offline SahDu

  • Jr. Member
  • **
  • Posts: 66
  • Karma: +0/-0
Major Problems
« Reply #11 on: December 07, 2004, 05:24:41 PM »
Hey, I was looking at the Windows Updates...which of these should I get:

Windows XP 32-Bit Editions

Service Pack 2 - Do not apply any other updates until this is installed otherwise it will cause you problems - Added 11/8/2004.

Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution - Added 15/09/2004.

Programs That Connect To IP Addresses That Are In The Loopback Address Range May Not Work - Added 18/09/2004.

Windows Script 5.6 - Added 19/09/2004.

Root Certificates Update - Updated 26/09/2004.

Cumulative Security Update for Internet Explorer - Added 13/10/2004.

-----------------------------------------------

I completed everything except those updates, so here is my Hijack log:

Logfile of HijackThis v1.98.2
Scan saved at 4:34:25 PM, on 12/7/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINDOWS\mswuqkm.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\wcrkaw.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Pulse\Pulse.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\GADWIN~1\PRINTS~1\PrintScreen.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [vUui] C:\WINDOWS\mswuqkm.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [sysu] "C:\progra~1\ddm\sysu.exe"
O4 - HKLM\..\Run: [sys] regedit -s sysdllwm.reg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qmerikyz] C:\WINDOWS\usekne.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mstpinit.exe] C:\WINDOWS\System32\mstpinit.exe
O4 - HKLM\..\Run: [lcn] C:\WINDOWS\lcn.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KeenValue] C:\Program Files\Common files\KeenValue\KeenValue.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKLM\..\Run: [host] C:\WINDOWS\system32\hosts.vbs
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bhp] C:\WINDOWS\System32\bhp.exe 1070043435
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe
O4 - HKCU\..\Run: [Pulse] C:\Program Files\Pulse\Pulse.exe -splash
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\PROGRA~1\GADWIN~1\PRINTS~1\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O4 - HKCU\..\Run: [ClientMan1] C:\Program Files\ClientMan\mscman.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Jeff\Application Data\ttuh.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Norton Internet Security.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102294515357
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab

----------------------------------------------------------------

One more question. So I "undeleted" that folder from before and I'm able to access it and everything. Is it safe to delete the original folder where it supposedly was and then just copy and paste the accessible folder and rename it to the original title? Thanks for all of your help!

Jeff

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Major Problems
« Reply #12 on: December 07, 2004, 07:35:30 PM »
Hi Jeff, go ahead and copy over if the files seem intact

BUT---You have to do some major cleanup on your machine

IF you do everything I ask you to do, we can get you clean and you will notice an improvement in your system performance
First---Did you pay for SpyHunter?
This is why I don't recommend it
Read this link
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Did you install the latest version of Spybot and Ad-Aware?
If not, do it now and follow the instructions I gave you to run them

DO NOT INSTALL SERVICE PACK 2 right now

Let's do some cleaning on your machine first
Microsoft recommends that your computer is Spyware and Virus free before installing the latest service pack
I meant for you to go to Windows update and get All other Critical updates and Service Pack 1 including updating IE
Just do this download for now
http://www.microsoft.com/downloads/details...&DisplayLang=en
Restart your computer when prompted
I meant for you to check for any other Critical (High Priority) updates
EXCLUDING SERVICE PACK 2 and recommended updates

I need you to install Spybot and Ad-Aware, if you haven't done so already, update them and run scans as I mentioned above.
I recommend that after you update them you should Restart into safe mode to run the scans
Restarting your computer in between back into safe mode---
Then restart back into Normal mode
You have many problems that need to be taken care of

Make sure you followed the directions I first posted

Open Spybot--Click on HELP>>>ABOUT
Let me know Spybot version and latest detection update date

Open Ad-Aware>>>Click on Details
Let me know Reference NO. and Internal build

Could you also do Free Online Virus scans
At Housecall's---Set to Autoclean
http://housecall.trendmicro.com/
and I recommend that you also do one at Panda's
http://www.pandasoftware.com/activescan/co...n_principal.htm

Jeff, we can get you clean, but please follow what I asked you to do :D

We'll manually clean your log afterwards

Can you do me one more favor please
I see you have Trojan Remover installed
I've never used it, but I do trust Trojan Hunter, it comes highly recommended
Download the Trial version of TrojanHunter from this link
http://www.trojanhunter.com/trojanhunter/
This is good for 30 days

After installation you will have to manually update the Latest Ruleset
Go to this link
http://www.trojanhunter.com/trojanhunter/updating/
Download the Latest Ruleset to desktop

Unzip it to your Trojan Hunter folder
Allow to overwrite if prompted
The default location should be C:\Program Files\TrojanHunter

Run a full system scan
Let it clean what it finds and then restart your computer

Post back a fresh hijackthis afterwards, we'll get the rest and your computer will be much happier
Also, let me know that information about Spybot and Ad-Aware
There are a few things in your log that both should have taken care of

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline SahDu

  • Jr. Member
  • **
  • Posts: 66
  • Karma: +0/-0
Major Problems
« Reply #13 on: December 08, 2004, 02:04:53 AM »
Hmmm....when I clicked on that update and attempted to install, I received the error message "This procedure entry point InternetGetConnectedState could not be located in the dynamic link library WININET.dll." Unsure what this means? As for Ad-Aware and Spybot S and D, I did run both of those with (what I assumed) were the most current updates. And don't get me wrong, I'm not intentionally screwing up your instructions :D. As for SP2, I am pretty sure it was installed on the computer before Windows initially failed, so I am unsure whether it is still on this, seeing as how some files transferred over and some did not. I didn't continue with any more instructions, seeing as how I was unable to complete number one. Should I skip and continue? Thanks!

Jeff

EDIT: By the way, I am unsure how "Trojan Remover" ended up on my computer...I don't recall ever downloading it. And thanks for the information about SpyHunter. Luckily, I used it but a few times. Thanks again.
« Last Edit: December 08, 2004, 02:06:32 AM by SahDu »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Major Problems
« Reply #14 on: December 08, 2004, 08:30:35 AM »
Just on my way to work
Yes, do everything else and then post back a fresh hijackthis log
Or do whatever you can


Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Major Problems
« Reply #15 on: December 09, 2004, 12:02:28 AM »
I read your last reply, I want to be sure that those Spyware removers are doing their job
Don't just tell me you think you updated them
Please post this information

Quote
Open Spybot--Click on HELP>>>ABOUT
Let me know Spybot version and latest detection update date

Open Ad-Aware>>>Click on Details
Let me know Reference NO. and Internal build

P.S. once you tried to reinstall Windows XP you probably lost all your Windows updates

Your Hijackthis log reads this
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

No SP2 installed
Again, I remind you, don't install SP2 right now, you have too many issues to deal with
and the update to SP2 will not go well
« Last Edit: December 09, 2004, 12:13:41 AM by guestolo »


Offline SahDu

  • Jr. Member
  • **
  • Posts: 66
  • Karma: +0/-0
Major Problems
« Reply #16 on: December 09, 2004, 02:39:51 AM »
Okay, completed what I believed to be everything you asked. First:

Spybot - Search & Destroy 1.3
Last Detection Update: 2004-12-02

Ad-Aware SE Personal Build 1.05
Reference Number : SE1R21 03.12.2004

I believe that's what you asked for. Current Hijack Log:

Logfile of HijackThis v1.98.2
Scan saved at 1:48:45 AM, on 12/9/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wcrkaw.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\GADWIN~1\PRINTS~1\PrintScreen.exe
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [sysu] "C:\progra~1\ddm\sysu.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [qmerikyz] C:\WINDOWS\usekne.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [lcn] C:\WINDOWS\lcn.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [vUui] C:\WINDOWS\mswuqkm.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe
O4 - HKCU\..\Run: [Pulse] C:\Program Files\Pulse\Pulse.exe -splash
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\PROGRA~1\GADWIN~1\PRINTS~1\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [ClientMan1] C:\Program Files\ClientMan\mscman.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Jeff\Application Data\ttuh.exe
O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Norton Internet Security.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102294515357
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab

-----------------------------------------------

As for side information, several trojans were found throughout those scans you had me do, and I believe all were either deleted or renamed. The TrojanGuard does not seem to be giving me any trojan detections, so I'm hoping this is a good thing :). Thanks for all your help. What comes next? Also, let me know when I am ready to deal with that folder, because I was unable to delete it due to restrictions, so whenever I'm in the clear to, as you say, "take control of the folder" let me know. Honestly, thank you so much for all your help and cooperation through all of this. Really good of you.

Jeff

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Major Problems
« Reply #17 on: December 09, 2004, 09:27:48 AM »
Just on my way to work, we'll do some cleanup in your log later :D
Some has been cleaned up already

Can you let me know what version of Windows XP you're running
PRO or HOME
If you're not sure go to START>>RUN>>type in winver and hit Enter
« Last Edit: December 09, 2004, 09:28:12 AM by guestolo »


Offline SahDu

  • Jr. Member
  • **
  • Posts: 66
  • Karma: +0/-0
Major Problems
« Reply #18 on: December 09, 2004, 05:02:39 PM »
Currently using XP Pro. Thanks.

Jeff

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Major Problems
« Reply #19 on: December 10, 2004, 12:30:18 AM »
Do another scan with Hijackthis and put a check next to these entries

O4 - HKLM\..\Run: [sysu] "C:\progra~1\ddm\sysu.exe"

O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe

O4 - HKLM\..\Run: [qmerikyz] C:\WINDOWS\usekne.exe

O4 - HKLM\..\Run: [lcn] C:\WINDOWS\lcn.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe

O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE

O4 - HKLM\..\Run: [vUui] C:\WINDOWS\mswuqkm.exe

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe

O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe

O4 - HKCU\..\Run: [ClientMan1] C:\Program Files\ClientMan\mscman.exe

O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Jeff\Application Data\ttuh.exe


After you have ticked the above entries, close down ALL other windows including this one,
Leave Hijackthis open and click FIX CHECKED
Yes to the prompt and exit Hijackthis

RESTART your computer

Post back with a fresh hijackthis log afterwards. I'll get a better look at your logfile tomorrow when you post back and we should get some Preventive tools on your computer
Sorry I don't have time to go thru your whole log at the moment
But please fix the above and post back a new log
Did you run the standalone version of CWShredder? If not get it from the link I supplied and run it as I described
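An added example, not code from this thread, from HijackThis or from either poster: a small Python script that parses HijackThis O4 lines (sample lines below are copied from the log posted in this thread, with two benign entries kept for contrast) and flags the autostart patterns that the fix list above singles out: a binary sitting directly in the Windows folder, a binary under a user's Application Data, and a system-binary name (such as winlogon.exe) launched from somewhere other than System32. The function names, the regular expressions and the three heuristics are my own assumptions; they are a first filter for a reviewer, not a verdict, and an entry like olehelp.exe in System32 passes them even though the helper above told Jeff to remove it.

```python
import re

# Constructed sample: O4 lines taken from the HijackThis log posted in this
# thread, plus NvCplDaemon, ccApp and WinZip Quick Pick as benign contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [qmerikyz] C:\WINDOWS\usekne.exe
O4 - HKLM\..\Run: [vUui] C:\WINDOWS\mswuqkm.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Jeff\Application Data\ttuh.exe
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Names of core Windows binaries that legitimately live in System32; the same
# file name running from anywhere else is worth a second look.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe",
                "services.exe", "csrss.exe", "smss.exe"}

# O4 entry shapes used by HijackThis 1.98: Run-key entries and Startup-folder links.
RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$')
# First absolute path to a loadable file inside a command line; stops at a
# comma (rundll32 entry point) or a closing quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^,"]*?\.(?:exe|dll|ocm|vbs)', re.IGNORECASE)


def executable_path(cmd):
    """Return the first absolute path to a binary in a Run-key command, or None."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None


def flags_for(path):
    """Heuristic flags (my own assumptions) for where an autostart binary lives."""
    p = path.lower()
    directory, _, basename = p.rpartition("\\")
    flags = []
    if directory in ("c:\\windows", "c:\\winnt"):
        flags.append("windows-root")          # dropped straight into %WINDIR%
    if "\\documents and settings\\" in p or "\\application data\\" in p:
        flags.append("user-profile")          # launched from a user's profile
    if basename in SYSTEM_NAMES and not directory.endswith("\\system32"):
        flags.append("masquerade")            # system name, wrong directory
    return flags


def parse_o4(line):
    """Parse one O4 line into name, hive, command and binary path, or None."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry.setdefault("hive", "Startup")
    entry["path"] = executable_path(entry["cmd"])
    return entry


def scan(log_text):
    """Return the flagged O4 entries of a HijackThis log, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line.strip())
        if entry is None or entry["path"] is None:
            continue                          # '?' links, bare names like nwiz.exe
        flags = flags_for(entry["path"])
        if flags:
            findings.append({"name": entry["name"], "hive": entry["hive"],
                             "path": entry["path"], "flags": flags})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['hive']:8} [{f['name']}] {f['path']}  <- {', '.join(f['flags'])}")
```

Run against the sample it reports qmerikyz and vUui (Windows root), winlogon (Windows root and masquerade) and Aida (user profile), which matches four of the entries on the fix list; the rest of that list (SpyHunter, Kazaa, P2P Networking, IST Service, ClientMan and so on) are known product names rather than location anomalies, so a reviewer still needs the log and a reference list for those.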