Author Topic: new hjt log (Read 1284 times)

madelina9937 · « **on:** February 01, 2005, 09:44:48 PM »

Logfile of HijackThis v1.98.2
Scan saved at 9:42:49 PM, on 2/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\system32\apiiw32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\kernels32.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINDOWS\winfc.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\cabinet.exe
C:\WINDOWS\System32\??chost.exe
C:\Documents and Settings\Hello\Application Data\rrup.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WebSiteViewer\125209.dlr
C:\Documents and Settings\Hello\Desktop\hijackthis1982\HijackThis.exe
C:\WINDOWS\System32\winpack.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\Outlook Express\msimn.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Hello\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lubmk.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Hello\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Hello\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Hello\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23422573-6529-05F3-758A-83DFD576733B} - C:\WINDOWS\sdkhx32.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [winfc.exe] C:\WINDOWS\winfc.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [OSS] C:\WINDOWS\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\bgswpkuc.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cabinet] C:\WINDOWS\System32\cabinet.exe
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [Zlnexnb] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Hello\Application Data\rrup.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.1.0.39/popf...u-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.1.0.39...s-ob-assets.cab
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {19B6C07F-7AA5-4170-88A9-EF184DC2EC40} - http://38.144.58.94/install.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D68CA5BC-E420-42CB-8E47-39DBDB068555}: NameServer = 205.152.144.23 205.152.37.23
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Epiplaij.dll
O21 - SSODL: mtklefa - {999235FE-D844-441D-B583-5EACD401F201} - C:\WINDOWS\System32\jzfqrt32.dll

madelina9937 · « **Reply #1 on:** February 01, 2005, 09:54:47 PM »

REMOVED EMAIL ADDRESS ~guestolo

please help with hijackthis log smart security has killed my computer

guestolo · « **Reply #2 on:** February 01, 2005, 11:15:21 PM »

Let's see what we can clean from your computer this round madelina9937
We're going to do this in steps
Let's not worry about your Task Manager at this time
We'll get it fixed later

So let's start step 1

You've informed me you can't run Hijackthis 1.99
So let's stick with 1.98.2 for now

Please Print this out or save it to a Notepad file on the desktop

I need you to Stay off the Internet soon
Also know how to start in safe mode
Here is a link------How to Start your Computer in SAFE MODE
Don't restart yet in safe mode yet, but know how to

I'm going to ask you to edit your registry
So beforehand can you make a fresh Restore point
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Name it and click Create
No worries, this is just for backup purposes

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Close down all Windows, including this one
Open Hijackthis>>Config>>Misc Tools>>Open Process manager
Kill this process if still running
C:\WINDOWS\System32\kernels32.exe

Open Registry Editor. Click Start>Run, type REGEDIT
then press Enter.
# In the left panel, expand(+) the following
+HKEY_CURRENT_USER
+Software
+Microsoft
+Internet Explorer
+Desktop
+Components
# Still in the left panel, locate and Right click on and delete the subkey:
0
# Close Registry Editor.

Open Hijackthis >>Click the Config button>>Open Misc Tools Section>>Click the Delete file on Reboot
Copy and paste the whole bolded path of file to delete to the File name box

C:\windows\system32\kernels32.exe

Then click the Open Button
Hijackthis will prompt you that the file will be deleted and you must restart your computer, DON'T restart your computer yet
Instead exit Hijackthis and then

Do another scan with Hijackthis and put a check next to these entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe

O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART your computer into SAFE MODE at this time
Ensure this file is gone
C:\WINDOWS\System32\kernels32.exe <--this file

Also, look for these others related too Smart Security
They are in bold, also do a search for them, delete them if found

C:\WINDOWS\desktop.html '
C:\WINDOWS\Web\desktop.html
C:\WINDOWS\SSICO.ICO
C:\Documents and Settings\Hello\Desktop\! Protect Your Data.url
C:\Documents and Settings\Hello\Favorites\! Smart Security.url
C:\Documents and Settings\Hello\Recent\! Smart Security.url
C:\Documents and Settings\Hello\Start Menu\! Secure Yourself.url

*I'm assuming the user account \Hello\ is the one with the desktop problem from Smart Security
Look for the files to delete in the user account having the problems

RESTART back to Normal mode

Access your Add/Remove Programs via Control Panel
Uninstall if found
WebSearch Toolbar
WebSearch Tools
Search Assistant
Win-Tools Easy Installer

# Do not reboot until they have all been removed even if prompted.

# When you are uninstalling the last program you can then reboot when prompted

When your back in Windows

NEXT:
Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to Normal mode to finish the cleaning process

When your back in Windows

Download and Install Spybot S&D 1.3
When Installing, please don't enable TEA TIMER, it's a great addon to Spybot but it can get in our way to do any manual fixes.. This can be enabled at a later time if you want it
After installation--Click the Update button on the left, in the window on the right click the
SEARCH FOR UPDATES button, Check and download all updates
Click the "Search and Destroy" Button
In the right window, click the
Check for Problems Let it complete it's scanning---Ensure to check and FIX everything in RED---they should be checked by default

RESTART your computer to finish the Cleaning process

If you can't run any of those scanners in Normal mode
Restart into safe mode and run a scan

Post back with a fresh hijackthis log afterwards
Don't try and surf too much on the Internet until we get you completely clean
Do what you can and then post back a fresh log regardless

This is just Step 1, don't worry, we should get it all

====================================
Could you also Download and save to Desktop DLLCompare

Start the Program and click the Run Locate.com
Default settings should work---C:\WINDOWS\system32\directory
Let it complete the SCAN, which won't take long

Click the Compare button to start the next process.This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane,if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button
Post back this log too, thanks

madelina9937 · « **Reply #3 on:** February 02, 2005, 04:47:44 AM »

Logfile of HijackThis v1.99.0
Scan saved at 4:59:02 AM, on 2/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\??chost.exe
C:\Documents and Settings\Hello\Application Data\rrup.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Hello\Desktop\hijackthis.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\winpack.exe
C:\WINDOWS\System32\cabinet.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lubmk.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D29EFCA0-2D0C-D1C4-542A-6C9791FA8293} - C:\WINDOWS\atlcr32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [winfc.exe] C:\WINDOWS\winfc.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [OSS] C:\WINDOWS\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104608376\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\bgswpkuc.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cabinet] C:\WINDOWS\System32\cabinet.exe
O4 - HKCU\..\Run: [Zlnexnb] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Hello\Application Data\rrup.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~2.0\Email RemovedEXE" -b
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.1.0.39/popf...u-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.1.0.39...s-ob-assets.cab
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {19B6C07F-7AA5-4170-88A9-EF184DC2EC40} - http://38.144.58.94/install.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D68CA5BC-E420-42CB-8E47-39DBDB068555}: NameServer = 205.152.144.23 205.152.37.23
O21 - SSODL: mtklefa - {999235FE-D844-441D-B583-5EACD401F201} - C:\WINDOWS\System32\jzfqrt32.dll
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Brother Popup Suspend service for Resource manager - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\apiiw32.exe (file missing)

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />"
________________________________________________

1,298 items found: 1,298 files (9 H/S), 0 directories.
Total of file sizes: 234,816,331 bytes 223.94 M

Administrator Account = True

--------------------End log---------------------
thank you for your help so far so good
and my task manager is working,you are brillant

guestolo · « **Reply #4 on:** February 02, 2005, 01:19:09 PM »

madelina9937 I've merged your latest log with this thread
Please don't start new topics, keep all responses to this post, thanks

guestolo · « **Reply #5 on:** February 02, 2005, 01:41:14 PM »

I want to check on a couple things

I need you too first
Make sure that Windows is set to Show Hidden files and folders

I've uploaded a file called RKfiles.zip , the link is at the bottom of this reply
Can you download and save the zipped file to your desktop
IMPORTANT>>Create a new folder and UNZIP the contents to that new folder

Again, all is important, for this too work properly you must
RESTART your computer into safe mode

In safe mode
Open that new folder you created
Double click on rkfiles.bat to run it.
Sit back and WAIT until the dos Window closes>>this may take a little time

RESTART back to Normal mode
rkfiles.bat should of created a new .txt file
C:\log.txt
IMPORTANT>>Copy and paste back the contents of log.txt

Could you also Download ServiceFilter.zip
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.

Please don't restart your computer again after supplying the Post_This.txt

Also post back a fresh Hijackthis log

KEEP all responses to this post

[attachment=3:attachment]

madelina9937 · « **Reply #6 on:** February 03, 2005, 08:29:50 PM »

C:\Documents and Settings\Hello\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\bgswpkuc.exe: UPX!
C:\WINDOWS\system32\ftpupd.exe: UPX!
C:\WINDOWS\system32\vxh8jkdq2.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\netia.dll: UPX!
C:\WINDOWS\WebSrcLoader.dll: UPX!
-------------------------------------------------------------------------------
The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Feb 3, 2005 8:35:03 PM

---> Begin Service Listing <---

Unknown Service # 1
Service Name: AOL TopSpeedMonitor
Display Name: AOL TopSpeed Monitor
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\common files\aol\topspeed\2.0\aoltsmon.exe
State: Running
Process ID: 1536
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 2
Service Name: brmfrmps
Display Name: Brother Popup Suspend service for Resource manager
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: "c:\windows\system32\brmfrmps.exe" -service
State: Running
Process ID: 1552
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 3
Service Name: Brother XP spl Service
Display Name: BrSplService
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\brsvc01a.exe
State: Running
Process ID: 1376
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

Unknown Service #4
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{64f06ae9-86b8-4284-8131-1e0e20b47675}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 5
Service Name: %AFå¤¶À¨
Display Name: Network Security Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\system32\apiiw32.exe /s
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 83 Win32 services on this machine.
5 were unrecognized.

Script Execution Time: 1.765625 seconds.
Finished
bye

madelina9937 · « **Reply #7 on:** February 03, 2005, 08:40:31 PM »

NEW HJT LOG, IT MIGHT TAKE ME SOME TIME TO REPLAY TO NIGHT i AM FINISHING OFF A PROJECT i STARTED A YEAR AGE
THANK YOU AGAIN FOR YOUR HELP, MADELINA9937
Logfile of HijackThis v1.99.0
Scan saved at 8:39:59 PM, on 2/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\??chost.exe
C:\Documents and Settings\Hello\Application Data\rrup.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cabinet.exe
C:\WINDOWS\System32\winpack.exe
C:\Documents and Settings\Hello\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lubmk.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D29EFCA0-2D0C-D1C4-542A-6C9791FA8293} - C:\WINDOWS\atlcr32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [winfc.exe] C:\WINDOWS\winfc.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [OSS] C:\WINDOWS\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104608376\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\bgswpkuc.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cabinet] C:\WINDOWS\System32\cabinet.exe
O4 - HKCU\..\Run: [Zlnexnb] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Hello\Application Data\rrup.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~2.0\Email RemovedEXE" -b
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.1.0.39/popf...u-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.1.0.39...s-ob-assets.cab
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {19B6C07F-7AA5-4170-88A9-EF184DC2EC40} - http://38.144.58.94/install.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D68CA5BC-E420-42CB-8E47-39DBDB068555}: NameServer = 205.152.144.23 205.152.37.23
O21 - SSODL: mtklefa - {999235FE-D844-441D-B583-5EACD401F201} - C:\WINDOWS\System32\jzfqrt32.dll
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Brother Popup Suspend service for Resource manager - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\apiiw32.exe (file missing)

guestolo · « **Reply #8 on:** February 03, 2005, 10:03:55 PM »

A little bit of work ahead of you, much of this will be in Safe mode
But, Please do not Restart your computer until prompted

Please print this out or save to a Notepad file on the desktop

===Download and save to desktop LSP fix
Just leave it there for now

===At the bottom of this reply, I've uploaded a Zipped file "cwsserviceremove.zip"
Please save it to desktop and UNZIP the contents to desktop

===Create a New folder on your Desktop, call it AboutBuster
Download to desktop ABOUT:BUSTER.zip
by RubbeR Ducky
Unzip it to that new folder===Open About:Buster and Check for Updates
Don't run a Scan yet

===Download and Save to desktop
The StandAlone version of CWShredder
Don't run it yet

===Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf and save it to desktop
We'll need this later

===Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

===Please Disconnect from the Internet and Reboot into SAFE MODE at this time

===Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- Network Security Service <--look carefully, there are others that are similiar, but not exact name
Double click on it--- STOP the service
In the drop down menu, change the startup type to Disabled

===Open Hijackthis>>Open Misc Tools Section>>Open Process Manager
Kill this process if running
C:\WINDOWS\System32\??chost.exe
C:\Documents and Settings\Hello\Application Data\rrup.exe
C:\WINDOWS\System32\cabinet.exe
C:\WINDOWS\System32\winpack.exe

===Stay in safe, find and delete these files or folders if they exist
C:\Documents and Settings\Hello\Application Data\rrup.exe <--this file
C:\WINDOWS\System32\cabinet.exe <--file
C:\WINDOWS\System32\winpack.exe
C:\WINDOWS\atlcr32.dll
C:\WINDOWS\winfc.exe
C:\WINDOWS\netia.dll
C:\WINDOWS\WebSrcLoader.dll
C:\WINDOWS\system32\ossproxy.exe
C:\WINDOWS\System32\bgswpkuc.exe
C:\WINDOWS\system32\ftpupd.exe
C:\WINDOWS\system32\vxh8jkdq2.exe

===In safe mode
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\lubmk.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {D29EFCA0-2D0C-D1C4-542A-6C9791FA8293} - C:\WINDOWS\atlcr32.dll

O4 - HKLM\..\Run: [winfc.exe] C:\WINDOWS\winfc.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program

O4 - HKLM\..\Run: [OSS] C:\WINDOWS\system32\ossproxy.exe -boot

O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe

O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\bgswpkuc.exe

O4 - HKCU\..\Run: [cabinet] C:\WINDOWS\System32\cabinet.exe
O4 - HKCU\..\Run: [Zlnexnb] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Hello\Application Data\rrup.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe <--not needed on startup

O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

O16 - DPF: {19B6C07F-7AA5-4170-88A9-EF184DC2EC40} - http://38.144.58.94/install.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Again, in safe mode
===Navigate to About:Buster
Start About:Buster and hit ok. Now for the scanning part. Hit Start and then Ok. The program should start scanning.Scan a Second time.
Save the log to a convenient location, I will want to see it later. Then hit exit

===Double click on cwsserviceremove.reg you unzipped to desktop earlier
and Allow it to merge to the Registry

===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

===Open CWShredder and click ONLY the FIX button, let it fix all problems

Restart your computer back to Normal mode

===Open Ad-aware>>Check for updates and Connect to download them if any
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to Normal mode to finish the cleaning process

===Run a scan again with About:buster again and save the log

===Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

===Look in your C:\Windows\system32 folder for shell.dll
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder

===# Check ActiveX security settings:
* In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)

===I would advise you to do an online Virus scan at Trend Micro's>>Set to Autoclean
http://housecall.trendmicro.com/

===Do another scan with hijackthis and save the log and post it back here
Also post back with the about:buster logs

======Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the whole contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Findfile.bat

Quote

dir C:\WINDOWS\System32\??chost.exe /a h > files.txt
notepad files.txt

Save this on the desktop>>Double click on Findfile.bat
It will produce a log called files.txt
Copy and paste the whole contents of files.txt back here

If for some reason you have problems with your internet connection after
Go into IE's Internet Options--Connections tab---Click settings under your connection
Ensure there isn't a check in use Proxy
If there is uncheck it>>Ok out of there
Restart your browser and try again
If no go, UNZIP LSP fix and double click on lspfix.exe and click just the Finish button
Restart your computer

Do as much as you can from the above, all if possible, let me know what you couldn't accomplish, but post back with a fresh hijackthis log regardless

===Could you also open Hijackthis>>>Open Misc tools section>>Open Hosts file manager>>Click the "Open In Notepad" button
Copy and paste back here the whole contents of the hosts notepad file

[attachment=5:attachment]

madelina9937 · « **Reply #9 on:** February 05, 2005, 06:30:23 PM »

Logfile of HijackThis v1.99.0
Scan saved at 6:29:17 PM, on 2/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Hello\Desktop\hijackthis.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104608376\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~2.0\Email RemovedEXE" -b
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.1.0.39/popf...u-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.1.0.39...s-ob-assets.cab
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D68CA5BC-E420-42CB-8E47-39DBDB068555}: NameServer = 205.152.144.23 205.152.37.23
O21 - SSODL: mtklefa - {999235FE-D844-441D-B583-5EACD401F201} - C:\WINDOWS\System32\jzfqrt32.dll
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Brother Popup Suspend service for Resource manager - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE
Scanned at: 5:02:19 PM on: 2/5/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

Removed Data Streams:
C:\WINDOWS\Q814033.log:vlhdc

Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

Removed Data Streams:
C:\WINDOWS\Q814033.log:vlhdc

Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 5:29:55 PM on: 2/5/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

PART2 ALMOST DONE

Volume in drive C has no label.
Volume Serial Number is 2C7E-7243

Directory of C:\WINDOWS\System32

08/29/2002 07:00 AM 12,800 svchost.exe
01/11/2005 09:13 AM 401,408 ??chost.exe
2 File(s) 414,208 bytes

Directory of C:\Documents and Settings\Hello\Desktop

PART 2 COMPLETE
THANKS AGAIN
MADELINA9937

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

guestolo · « **Reply #10 on:** February 05, 2005, 08:24:05 PM »

Can you navigate to your System32 folder

I want you to look for a file
But please be careful
08/29/2002 07:00 AM 12,800 svchost.exe <--this is a legitimate file, DON'T delete it
You should be able to right click on it, left click properties

Size will be 12 to 14 kb and the date is posted above

One bad guy we're after

01/11/2005 09:13 AM 401,408 ??chost.exe <--this one
You probably won't see the ? (question marks, but take a look)
May even be disguised as the same name svchost

But if you right click on it and choose properties
Date created should be 01/11/2005
And the size about 400 kb
Delete that one only

After you have done that can you open up About:Buster and CHECK FOR UPDATES
After updating run another scan, allow it to scan twice
Save the logs

I missed one in Hijackthis
Do another scan with Hijackthis and put a check next to these entries:

O21 - SSODL: mtklefa - {999235FE-D844-441D-B583-5EACD401F201} - C:\WINDOWS\System32\jzfqrt32.dll

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Restart your computer
Delete this file if it exists
C:\WINDOWS\System32\jzfqrt32.dll <--this file

Post back here the about:buster logs and a new hijackthis log

EDIT

Quote

===Could you also open Hijackthis>>>Open Misc tools section>>Open Hosts file manager>>Click the "Open In Notepad" button
Copy and paste back here the whole contents of the hosts notepad file

madelina9937 · « **Reply #11 on:** February 05, 2005, 09:07:00 PM »

Scanned at: 5:02:19 PM on: 2/5/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

Removed Data Streams:
C:\WINDOWS\Q814033.log:vlhdc

Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

Removed Data Streams:
C:\WINDOWS\Q814033.log:vlhdc

Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 5:29:55 PM on: 2/5/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 8:42:05 PM on: 2/5/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.99.0
Scan saved at 8:47:02 PM, on 2/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Hello\Desktop\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104608376\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.1.0.39/popf...u-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.1.0.39...s-ob-assets.cab
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O23 - Service: Brother Popup Suspend service for Resource manager - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\System32\ScsiAccess.EXE

#copyright © 1993-1999 Microsoft Corp.
#
#This is a sample HOSTS file used by microsoft TCP/IP for Windows
#
# This file contains the mappings of IP addresses to host names.Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
#The IP address and the host name should be separated by at least one
#space
#
#Additionally, comments (such as these) may be inserted on individual
#lines or following the machine name denoted by a '#' symbol
#
#For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

I could not get the last thing to work (quote), so I just hand typed what I saw in the hjt box. I hope that is o.k. ( when I checked open in notebook, it did nothing)

guestolo · « **Reply #12 on:** February 05, 2005, 10:01:35 PM »

Your log looks good, but your still not Updating About:Buster before you run it
Please open About:Buster
Click the UPDATE button
Then click the CHECK FOR UPDATES button

Then run another scan>>let it scan twice and post the logs
Restart your computer if anything removed

Could you also look for NOTEPAD.exe in these locations and let me know if they exist

C:\WINDOWS folder
and the
C:\WINDOWS\System32 folder

Sorry you had to handtype that all in, you should of informed me it wouldn't open in Notepad

We still need some final cleanup measures, do the above and then we'll finish the final cleanup and get some free tools to help prevent this in the future

madelina9937 · « **Reply #13 on:** February 05, 2005, 10:49:44 PM »

Scanned at: 10:46:15 PM on: 2/5/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

I could not find notepad.exe in either location

guestolo · « **Reply #14 on:** February 05, 2005, 10:58:39 PM »

I've uploaded a file
Can you download the attachment at the bottom of this reply and save it to your desktop
Notepad_XP.zip>>>Removed Attachment

First UNZIP it to your C:\WINDOWS folder
and then unzip it to your
C:\WINDOWS\System32 folder

Restart your computer to be on the safe side

Open Hijackthis>>Misc tools>>Host manager
Click to open in Notepad

Does it open in Notepad?

Post the contents back here if you can, don't retype it

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/tongue.gif\' class=\'bbc_emoticon\' alt=\'

\' />

madelina9937 · « **Reply #15 on:** February 05, 2005, 11:16:26 PM »

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
finally got it to work
Thank you
madelina9937

guestolo · « **Reply #16 on:** February 05, 2005, 11:40:46 PM »

You had trouble before because one of the infections deleted your copies of Notepad.exe
Now you have them restored

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Let's try some final steps
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Post back and let me know how everythings running
Can you also
At the top toolbar in IE click on HELP>>About
Let me know the version number of IE

madelina9937 · « **Reply #17 on:** February 06, 2005, 12:41:32 AM »

I am having trouble finding the version number. When I go to help, I only get optionsfor help and support center, is this copy of windows legal?, and about windows. There is nothing about IE

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/dry.gif\' class=\'bbc_emoticon\' alt=\'<_<\' />
Hey besides what was mentioned above everything is running fast and great. I [color=\"red\"]really really [/color]thank you for everything, and I hope that you know that you are really a great person to take the time to help so many people with computer problems.
thanks again

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />
Madelina9937

guestolo · « **Reply #18 on:** February 06, 2005, 03:01:45 AM »

Quote

is this copy of windows legal?

Not sure, only you can answer that....

But your log looks good
Stay safe

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

EDIT.>>Forgot one thing
===If you have SPYBOT 1.3 installed
Look for SDHelper.dll in your C:\Program Files\Spybot - Search & Destroy folder
If it's not there download this zip file SDHelper13.zip
Save the Zip file to your desktop and Unzip it to your C:\Program Files\Spybot - Search & Destroy folder
To ensure it's enabled...Open Spybot>>Immunize
Put a tick next to "Enable Permanent blocking of bad addresses in IE"

A little added protection in Spybot
Click Immunize>>OK>>Immunize at the top
Do this after every update

News:

Author Topic: new hjt log (Read 1284 times)

madelina9937