Topic: Kickin' my computer to the curb...help!

Offline liptonite

« on: March 03, 2005, 09:25:21 AM »
I have several problems... 1st, my start page keeps going back to Daosearch.com and I have on average a popup from IE about once every 3 seconds.
 2nd - Error message that says - Error hooking "connect" data, then has a bunch of numbers and letters after it. Sometimes my whole screen has this message multiple times and the whole screen is covered with like 100 error messages.
 I have McAfee from Email Removed. I have Ad-Aware and Spybot and SpySubtract. McAfee found 22 new viruses (mostly downloaders and exploits) since yesterday's scan.
I spend all my time running scans and clicking off popups...can't enjoy computer. Was up all night trying to get help. Somebody please feel for me. LOL
 By the way, I know next to nothing about computers.

Offline guestolo

« Reply #1 on: March 03, 2005, 05:42:02 PM »
Can you Download Hijackthis 1.99.1
A small utility to help identify if any Hijackers, Malware, Spyware, etc. reside on your computer

Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from CLICK HERE or CLICK HERE
Save it to that new folder

Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline liptonite

« Reply #2 on: March 04, 2005, 01:42:50 AM »
Logfile of HijackThis v1.99.1
Scan saved at 1:38:22 AM, on 3/4/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\e0j8pw6k\e0j8pw6k.exe
C:\WINDOWS\System32\Services\{09FAB745-06F7-4489-9964-62476ED2A383}\SVCHOST.EXE
C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system\pijqcwsovj.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\sysmonnt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLHOS~1.EXE
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLServiceHost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\e0j8pw6k\e0j8pw6k1\e0j8pw6k1.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\iestopen.exe
C:\WINDOWS\System32\iedctfrm.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daosearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Jamie\LOCALS~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {161DA101-8123-45C1-AAE4-7ADEB01E15D4} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: (no name) - {1DACC2C2-4FEE-4338-84B4-54AA14887325} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: SDWin32 Class - {2130EEE8-BAC6-4368-B896-9366D4EFFE50} - C:\WINDOWS\System32\evefz.dll
O2 - BHO: (no name) - {214B8E3A-5723-45F0-87D1-B5C8B3EB6270} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll
O2 - BHO: SDWin32 Class - {5E628A36-6418-42F7-89CA-4D78ED339511} - C:\WINDOWS\System32\gbofd.dll
O2 - BHO: (no name) - {61D42E9C-C45B-4D18-9B21-C66703369E49} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {6FA09E69-83C1-431C-A62A-3A40832FE237} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {6FFD7092-A7A9-469F-9AE8-6DE9776526BF} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {70A2742F-C332-40F8-84B5-3B99B8095F59} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {9F0C8B3A-89F7-4502-BDFF-1C2698DF0260} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {BC990AC2-6D29-4CF2-970E-F1191D9E9591} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {CBAB2061-0040-481F-AAAA-A49BA9B8004C} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {CCAB71F2-5F14-4668-A099-71A86EDAC5A5} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {D5017D4A-9852-4378-9441-57A08809AF69} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {D65D83BA-A249-43CD-8570-6EA57D56C312} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {ECBBFD71-AED6-45F6-8A7B-EB7132C3EFE5} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {F16A5A17-15EE-4C70-B1A0-B36939AB4EFE} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {F1AADC4F-D3C9-44C4-A3C4-FD3350D08706} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {FB28486E-4CEB-4641-BE8B-B490946D158D} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109067120\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [crulfxn] c:\windows\system32\crulfxn.exe
O4 - HKLM\..\Run: [evefzc] C:\WINDOWS\System32\evefzc.exe
O4 - HKLM\..\Run: [e0j8pw6k] C:\Program Files\e0j8pw6k\e0j8pw6k.exe
O4 - HKLM\..\Run: [gbofdc] C:\WINDOWS\System32\gbofdc.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [lengh] C:\WINDOWS\lengh.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{09FAB745-06F7-4489-9964-62476ED2A383}\SVCHOST.EXE
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Jamie\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [r3tQ3sP] iedctfrm.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [a024Rij7R] iestopen.exe
O4 - HKCU\..\Run: [ptech] C:\WINDOWS\System32\ptech.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.Email Removed/help/engine/aolcinst.cab
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0029.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

 Thank you in advance!

Offline guestolo

« Reply #3 on: March 05, 2005, 12:17:37 AM »
Sorry for the delay

Let's try some cleanup

Download the Pocket Killbox
UNZIP it to a folder of your choice

Save the rest of these instructions to a Notepad file and leave it open on the desktop
Disconnect from the Internet
With just these instructions open

Open Hijackthis>>Open Misc tools section>>Open Process Manager
Kill these processes if still running
C:\Program Files\e0j8pw6k\e0j8pw6k.exe
C:\WINDOWS\System32\Services\{09FAB745-06F7-4489-9964-62476ED2A383}\SVCHOST.EXE
C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system\pijqcwsovj.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\Program Files\e0j8pw6k\e0j8pw6k1\e0j8pw6k1.exe
C:\WINDOWS\System32\iestopen.exe
C:\WINDOWS\System32\iedctfrm.exe
C:\Program Files\CxtPls\CxtPls.exe



Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daosearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Jamie\LOCALS~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {161DA101-8123-45C1-AAE4-7ADEB01E15D4} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: (no name) - {1DACC2C2-4FEE-4338-84B4-54AA14887325} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: SDWin32 Class - {2130EEE8-BAC6-4368-B896-9366D4EFFE50} - C:\WINDOWS\System32\evefz.dll
O2 - BHO: (no name) - {214B8E3A-5723-45F0-87D1-B5C8B3EB6270} - C:\Program Files\e0j8pw6k\e0j8pw6k.d

O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll
O2 - BHO: SDWin32 Class - {5E628A36-6418-42F7-89CA-4D78ED339511} - C:\WINDOWS\System32\gbofd.dll
O2 - BHO: (no name) - {61D42E9C-C45B-4D18-9B21-C66703369E49} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {6FA09E69-83C1-431C-A62A-3A40832FE237} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {6FFD7092-A7A9-469F-9AE8-6DE9776526BF} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {70A2742F-C332-40F8-84B5-3B99B8095F59} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {9F0C8B3A-89F7-4502-BDFF-1C2698DF0260} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {BC990AC2-6D29-4CF2-970E-F1191D9E9591} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {CBAB2061-0040-481F-AAAA-A49BA9B8004C} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {CCAB71F2-5F14-4668-A099-71A86EDAC5A5} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {D5017D4A-9852-4378-9441-57A08809AF69} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {D65D83BA-A249-43CD-8570-6EA57D56C312} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {ECBBFD71-AED6-45F6-8A7B-EB7132C3EFE5} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {F16A5A17-15EE-4C70-B1A0-B36939AB4EFE} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {F1AADC4F-D3C9-44C4-A3C4-FD3350D08706} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {FB28486E-4CEB-4641-BE8B-B490946D158D} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll

O4 - HKLM\..\Run: [crulfxn] c:\windows\system32\crulfxn.exe
O4 - HKLM\..\Run: [evefzc] C:\WINDOWS\System32\evefzc.exe
O4 - HKLM\..\Run: [e0j8pw6k] C:\Program Files\e0j8pw6k\e0j8pw6k.exe
O4 - HKLM\..\Run: [gbofdc] C:\WINDOWS\System32\gbofdc.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [lengh] C:\WINDOWS\lengh.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{09FAB745-06F7-4489-9964-62476ED2A383}\SVCHOST.EXE
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Jamie\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [r3tQ3sP] iedctfrm.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe

O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [a024Rij7R] iestopen.exe
O4 - HKCU\..\Run: [ptech] C:\WINDOWS\System32\ptech.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0029.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis


Run Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.

In Killbox
At the main screen of Pocket Killbox, select the option: Replace on Reboot
Also tick Use Dummy
In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\System32\Services\{09FAB745-06F7-4489-9964-62476ED2A383}\SVCHOST.EXE

Press the button with a red circle and a white X
Click Yes to Replace
When asked if you would like to Reboot, select No.
Additionally, for any .dll file, select the "Unregister .dll before deleting" selection

Do the same for all these:

c:\windows\system32\crulfxn.exe

C:\WINDOWS\System32\evefzc.exe

C:\Program Files\e0j8pw6k\e0j8pw6k.exe

C:\WINDOWS\System32\gbofdc.exe

C:\WINDOWS\System32\netsync.exe

C:\WINDOWS\lengh.exe

C:\WINDOWS\System32\ntddetect.exe

C:\WINDOWS\System32\iestopen.exe

C:\WINDOWS\System32\iedctfrm.exe

C:\Program Files\CxtPls\CxtPls.exe

C:\Program Files\e0j8pw6k\e0j8pw6k.dll

C:\WINDOWS\cerbmod.dll

C:\WINDOWS\Helper101.dll

C:\WINDOWS\System32\AUNBHO.dll

C:\WINDOWS\System32\gbofd.dll

C:\WINDOWS\System32\evefz.dll


Finally, in Full Path of File to Delete, copy and paste the following:

C:\DOCUME~1\Jamie\LOCALS~1\Temp\se.dll

Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!
Restart your computer even if not prompted

When restarting please try and Restart your computer into safe mode
You can do this by tapping the F8 key as the system is booting up

In safe mode

Find and delete these folders if found
C:\Program Files\e0j8pw6k <--folder
C:\WINDOWS\System32\Services\{09FAB745-06F7-4489-9964-62476ED2A383}\SVCHOST.EXE
C:\Program Files\CxtPls

Go to Control Panel > Display.
Click on the "Desktop" tab then click the "Customize Desktop" button.
Click on the "Web" tab.
Uncheck everything

Restart back to Normal mode

When back in Windows, ignore any error messages if received

Go back and do another scan with Hijackthis and fix this entry if found
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Jamie\LOCALS~1\Temp\se.dll,DllInstall

Restart the computer again

Back in Windows

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

When the above has been completed, post back with a Fresh Hijackthis log
« Last Edit: March 05, 2005, 12:58:43 AM by guestolo »



Offline liptonite

« Reply #4 on: March 05, 2005, 07:21:55 AM »
I had a couple problems while doing the things you told me.
1. I couldn't find the C:\programfiles\cxtpls after restarting in safe mode....I did find a file called cxtpls_loader in Windows\System32\cache but I left it alone.
2. After I restarted in normal mode and did the HijackThis scan...I could not see the 04 HKLM:run:sp rundll .... in the list. Anyways my computer is at least running a little better and I am so thankful for your help so far.

Here is the latest HijackThis file:
Logfile of HijackThis v1.99.1
Scan saved at 7:09:41 AM, on 3/5/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\Cache\cxtpls_loader.exe
C:\WINDOWS\system\pijqcwsovj.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\HEWLET~1\HPINST~1\common\MOTIVE~1.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLServiceHost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\System32\wpabaln.exe
C:\hjt\HijackThis.exe

O2 - BHO: (no name) - {018FA0F5-A1F1-44FF-8E72-FBACEFFCBBF6} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {0A3F5242-3AA8-45D4-AD9C-EE1234606B9B} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {52677A1B-99AE-47FA-9E07-4C861D593793} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {78E2A86A-9E25-4DA0-AB08-CAB87445D6AD} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {8C830D87-E0D2-4317-B525-F3A5D9082BB9} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {8C8DD051-CFD2-4176-AF97-F4735CE80576} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {8E297348-C6E9-4A72-9F53-1B742E93ACFF} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {98DE1DC3-47FB-4E39-B725-702A9A6377EA} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {A3B8472C-3A26-4DC7-88B5-E6D43A8821F3} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {A608561D-C42E-457E-9CD6-29E3FE983EAF} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {E5A10F8A-F508-4D90-8CEB-BB34653E7762} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {F67FC7D3-52B4-496C-A930-7E405768A260} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {FCAECA6F-9AB8-4BD5-9974-CD3D8A6EEF8D} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109067120\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.Email Removed/help/engine/aolcinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Offline guestolo

« Reply #5 on: March 05, 2005, 03:22:41 PM »
Let's try this again,

Save the rest of these instructions to a Notepad file and leave it open on the desktop
Disconnect from the Internet
With just these instructions open

Open Hijackthis>>Open Misc tools section>>Open Process Manager
Kill these processes if still running
C:\WINDOWS\system32\Cache\cxtpls_loader.exe
C:\WINDOWS\system\pijqcwsovj.exe


Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {018FA0F5-A1F1-44FF-8E72-FBACEFFCBBF6} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {0A3F5242-3AA8-45D4-AD9C-EE1234606B9B} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {52677A1B-99AE-47FA-9E07-4C861D593793} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)

O2 - BHO: (no name) - {78E2A86A-9E25-4DA0-AB08-CAB87445D6AD} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {8C830D87-E0D2-4317-B525-F3A5D9082BB9} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {8C8DD051-CFD2-4176-AF97-F4735CE80576} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {8E297348-C6E9-4A72-9F53-1B742E93ACFF} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {98DE1DC3-47FB-4E39-B725-702A9A6377EA} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {A3B8472C-3A26-4DC7-88B5-E6D43A8821F3} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {A608561D-C42E-457E-9CD6-29E3FE983EAF} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {E5A10F8A-F508-4D90-8CEB-BB34653E7762} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {F67FC7D3-52B4-496C-A930-7E405768A260} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {FCAECA6F-9AB8-4BD5-9974-CD3D8A6EEF8D} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis


Run Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.

In Killbox
At the main screen of Pocket Killbox, select the option: Replace on Reboot
Also tick Use Dummy
In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\system32\Cache\cxtpls_loader.exe

Press the button with a red circle and a white X
Click Yes to Replace
When asked if you would like to Reboot, select No.

Do the same for this file

C:\WINDOWS\system\pijqcwsovj.exe

Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!
Restart your computer even if not prompted

Restart into safe mode

Could you navigate to this folder please
C:\WINDOWS\System32\Services\{09FAB745-06F7-4489-9964-62476ED2A383}
Open it and if you see svchost.dll can you remove it
Let me know later what else you see in this subfolder
{09FAB745-06F7-4489-9964-62476ED2A383}

Also make sure these 2 files are gone
C:\WINDOWS\system32\Cache\cxtpls_loader.exe
C:\WINDOWS\system\pijqcwsovj.exe

and this folder
C:\Program Files\e0j8pw6k

Restart back to Normal mode

Post back a fresh hijackthis log

Let me also know what else you see in this folder
C:\WINDOWS\system32\Cache
« Last Edit: March 05, 2005, 04:10:26 PM by guestolo »



Offline liptonite

« Reply #6 on: March 05, 2005, 06:51:55 PM »
Windows\system32\services{09FAB745-06F7-4489-996462476EDZA383} Not Found
Only one subfolder in Services. It was 434AA898-D5EF-46DC-B2FO-C8DA3C008F97. There was a svchost and svchost.dll in that folder but I did not delete because it was not in the folder you named.

cxtpls_loader.exe..Not Found
eoj8pw6k   Not Found
pijqcwsovj...Not Found

Files in Windows\system32\cache
20001
Blazevcm7
desktrf-fran-162813
mswinstall
setup66
tvmk14
adl_dh(main MFC Application)
CSv13P108
InstallAPS
pounder(system monitor for Win9...Microsoft Inc)
smartdownload
webrebate_auto_installsilent
AUNIcons
mstub-pal_nmw_a353_r15950
roxydownloader(DL Helper module)
thin-8-1-x-x(www.abetterinternet.com_UT...Better Internet, INC)
wrapperouter

Logfile of HijackThis v1.99.1
Scan saved at 6:30:38 PM, on 3/5/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\mcidet~1.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\tftgrcoi.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\HEWLET~1\HPINST~1\common\MOTIVE~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLServiceHost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109067120\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [r3tQ3sP] mcidet~1.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - HKCU\..\Run: [a024Rij7R] tftgrcoi.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.Email Removed/help/engine/aolcinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Offline guestolo

« Reply #7 on: March 05, 2005, 07:01:39 PM »
Reboot back into Safe mode

Delete these subfolders
Windows\system32\services\434AA898-D5EF-46DC-B2FO-C8DA3C008F97
and this one
Windows\system32\cache

and these files
C:\WINDOWS\System32\mcidet~1.exe
C:\WINDOWS\System32\tftgrcoi.exe

In safe mode

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [r3tQ3sP] mcidet~1.exe

O4 - HKCU\..\Run: [a024Rij7R] tftgrcoi.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart back to Normal mode and post back a fresh log

Could you also let me know what else you see in this subfolder
Windows\system32\services



Guest_Liptonite_*

« Reply #8 on: March 06, 2005, 04:45:19 AM »
There are no subfolders left in Windows\system32\Services

I've had to run Ad-aware, spybot and spysubtract about 3 times today because of something called PeopleOn Page. As soon as I take it off it comes back but I sent it to the blacklist file now so we'll see what happens. Haven't had any popups though :)
Logfile of HijackThis v1.99.1
Scan saved at 4:43:19 AM, on 3/6/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\cmcga11n.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\usrbkend.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLServiceHost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\hjt\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109067120\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [r3tQ3sP] cmcga11n.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - HKCU\..\Run: [a024Rij7R] usrbkend.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.Email Removed/help/engine/aolcinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Offline guestolo

« Reply #9 on: March 06, 2005, 02:59:57 PM »
Let's try again
Open Ad-Aware and ensure to check for updates

First access your Add/Remove programs and remove if found
POP if found

Save this to a Notepad file on the desktop

Open Hijackthis>>Open Misc tools section>>Open Process Manager
Kill these processes if still running
C:\WINDOWS\System32\usrbkend.exe
C:\WINDOWS\System32\cmcga11n.exe



Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [r3tQ3sP] cmcga11n.exe

O4 - HKCU\..\Run: [a024Rij7R] usrbkend.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis


Run Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.

In Killbox
At the main screen of Pocket Killbox, select the option: Replace on Reboot
Also tick Use Dummy
In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\System32\usrbkend.exe

Press the button with a red circle and a white X
Click Yes to Replace
When asked if you would like to Reboot, select No.

Finally, in Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\System32\cmcga11n.exe

Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!
Restart your computer even if not prompted

Restart into Safe mode
Open Ad-Aware
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
Click the SHOW LOGFILE button
Right click and click the SAVE option
Name the file and save it on your desktop
Click the Critical Objects tab
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to Normal mode

Post back with a Fresh Hijackthis log
Could you also open the saved Ad-Aware log that you saved to your desktop
Copy and paste back the contents too, thanks

Come back here and post a fresh Hijackthis log
« Last Edit: March 06, 2005, 03:00:31 PM by guestolo »



Guest_Liptonite_*

« Reply #10 on: March 07, 2005, 10:00:03 AM »
The items you told me to look for are not there but there are some like it:
04 HKLM...[r3TQ3SP]scccedit.exe
04HKLM....{ao24Rij7R]fincm.exe
Do you want me to follow instructions using these instead of the other ones? I appreciate your help

Offline guestolo

« Reply #11 on: March 07, 2005, 07:49:46 PM »
If you have restarted your computer I'll have to see a new Hijackthis log
« Last Edit: March 07, 2005, 07:50:02 PM by guestolo »



Guest

« Reply #12 on: March 10, 2005, 03:36:42 AM »
Logfile of HijackThis v1.99.1
Scan saved at 3:36:05 AM, on 3/10/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLServiceHost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\Hpqdirec.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\lmhhits.exe
C:\WINDOWS\System32\sisksie.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\America Online 9.0\shellmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\hjt\HijackThis.exe

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109067120\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r3tQ3sP] sisksie.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a024Rij7R] lmhhits.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.Email Removed/help/engine/aolcinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
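
The three logs posted in this thread show the same two Run value names pointing at a different executable after every cleanup. As an added example (not part of the original posts and not HijackThis's own code), this Python script diffs the O4 lines across the logs and flags that pattern; the function names are hypothetical and the sample lines are copied from the logs above, trimmed to a few entries per scan.

```python
import re

# O4 (autostart) lines copied from the three HijackThis logs in this thread,
# trimmed to a few entries per log and keyed by scan date (oldest first).
LOGS = {
    "3/5/2005": r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [r3tQ3sP] mcidet~1.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a024Rij7R] tftgrcoi.exe
""",
    "3/6/2005": r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [r3tQ3sP] cmcga11n.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a024Rij7R] usrbkend.exe
""",
    "3/10/2005": r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r3tQ3sP] sisksie.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a024Rij7R] lmhhits.exe
""",
}

# Matches registry autostart lines: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run[^:]*): \[([^\]]+)\] (.+)$')


def parse_o4(log_text):
    """Return {(hive, key, value_name): command} for the registry O4 lines."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries[(hive, key, name)] = command.strip()
    return entries


def is_bare_name(command):
    """True when the command has no directory part, so Windows resolves it
    through the search path instead of a fixed install location."""
    return "\\" not in command


def rotating_values(logs):
    """Return {(hive, key, name): [target in each log, oldest first]} for
    values whose target differs between scans."""
    history = {}
    for text in logs.values():
        for ident, command in parse_o4(text).items():
            history.setdefault(ident, []).append(command)
    return {ident: targets for ident, targets in history.items()
            if len({t.lower() for t in targets}) > 1}


def new_values(logs):
    """Value names present in the newest log but absent from the oldest."""
    dates = list(logs)
    first = parse_o4(logs[dates[0]])
    last = parse_o4(logs[dates[-1]])
    return sorted(ident[2] for ident in last if ident not in first)


def triage(logs):
    """Combine the checks into (registry key, value name, targets, reasons)."""
    findings = []
    for (hive, key, name), targets in rotating_values(logs).items():
        reasons = ["target changes between scans"]
        if all(is_bare_name(t) for t in targets):
            reasons.append("no directory in path")
        findings.append((hive + "\\" + key, name, targets, reasons))
    return findings


if __name__ == "__main__":
    for reg_key, name, targets, reasons in triage(LOGS):
        print(f"{reg_key} [{name}]: {' -> '.join(targets)} ({'; '.join(reasons)})")
    print("New since first scan:", ", ".join(new_values(LOGS)))
```

A value name that stays fixed while its target keeps changing means something still running is rewriting the Run key, so deleting only the current file will not hold.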

Offline guestolo

« Reply #13 on: March 10, 2005, 03:39:17 PM »
Can you please download and save to desktop this removal tool from Symantec
http://securityresponse.symantec.com/avcenter/FixAprop.exe

Restart into Safe mode and run it, let it scan your hard drive and fix what it finds

Restart back to Normal mode and post a fresh Hijackthis log

Let me know if the tool found anything



Guest

« Reply #14 on: March 10, 2005, 04:46:18 PM »
Logfile of HijackThis v1.99.1
Scan saved at 4:43:49 PM, on 3/10/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLHOS~1.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLServiceHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\hjt\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109067120\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.Email Removed/help/engine/aolcinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe



The tool did not appear on the desktop in safe mode so I ran it in normal mode...here is a log of that


Symantec Spyware.Apropos Removal Tool 1.0.1
process: sisksie.exe (terminated)
process: lmhhits.exe (terminated)

C:\Documents and Settings\Jamie\Local Settings\Temp\AutoUpdate0\auto_update_install.exe: (deleted)
C:\Documents and Settings\Jamie\Local Settings\Temp\temp.frCB82: (deleted)
C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\4HMB0HAB\AutoUpdaterInstaller[1].exe: (deleted)
C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\CT6FG9QR\AproposClientInstaller[1].exe: (deleted)
C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\CT6FG9QR\auto_update[1]: (deleted)
C:\Documents and Settings\T'adore Paris\Local Settings\Temp\~apropos0\CxtPls.exe: (deleted)
C:\Documents and Settings\T'adore Paris\Local Settings\Temp\~apropos0\pm.exe: (deleted)
C:\Documents and Settings\T'adore Paris\Local Settings\Temporary Internet Files\Content.IE5\WDCBCZEV\auto_update[1]: (deleted)
C:\Documents and Settings\T'adore Paris\Local Settings\Temporary Internet Files\Content.IE5\YL34L8FQ\auto_update[1]: (deleted)
C:\Program Files\AutoUpdate\AutoUpdate.exe: (deleted)
C:\Program Files\CxtPls\plg0\cxtpls.dll: (deleted)
C:\WINDOWS\system32\auto_update_uninstall.exe: (deleted)
C:\WINDOWS\system32\lmhhits.exe: (deleted)
C:\WINDOWS\system32\sisksie.exe: (deleted)
C:\WINDOWS\system32\vjokman.exe: (deleted)
C:\WINDOWS\system32\w32_hook.exe: (deleted)
C:\Program Files\CxtPls\ace.dll: (deleted)
C:\Program Files\CxtPls\atl.dll: (deleted)
registry: HKEY_USERS\S-1-5-21-1935655697-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Run: a024Rij7R (value deleted)
registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: r3tQ3sP (value deleted)
directory C:\Program Files\CxtPls: (deleted)
directory C:\Program Files\AutoUpdate: (deleted)
directory C:\DOCUME~1\Jamie\LOCALS~1\Temp\AutoUpdate0: (deleted)

registry: HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Apropos (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Envolo (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoUpdate (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: AutoUpdater (value deleted)
registry: HKEY_USERS\S-1-5-21-1935655697-926492609-725345543-1004\Software\Classes\CLSID: (Default) (restored)

Spyware.Apropos has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 28876
The number of deleted threat files: 18
The number of directories deleted: 3
The number of threat processes terminated: 2
The number of registry entries fixed: 16
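
A check one could run after a removal like the one in reply #14, as an added example that is not part of the original thread: it confirms the tool's summary counts agree with its per-item lines, then searches a follow-up HijackThis log for anything the tool reported removing. The sample logs are constructed and abridged in the same line formats, and the function names are this example's own.

```python
import re

# Constructed, abridged sample in the removal-tool log's line format (counts match this sample only).
TOOL_LOG = r"""process: sisksie.exe (terminated)
C:\WINDOWS\system32\sisksie.exe: (deleted)
registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: r3tQ3sP (value deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} (key deleted)
directory C:\Program Files\CxtPls: (deleted)
The number of deleted threat files: 1
The number of directories deleted: 1
The number of threat processes terminated: 1
The number of registry entries fixed: 2"""
# Constructed HijackThis-style lines: one unrelated entry, one leftover autorun.
HJT_LOG = r"""O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [r3tQ3sP] C:\WINDOWS\system32\sisksie.exe"""

ACTIONS = [  # (category, pattern for one per-item action line)
    ("procs", r"process: (.+) \(terminated\)$"),
    ("registry", r"registry: (.+) \((?:key deleted|value deleted|restored)\)$"),
    ("dirs", r"directory (.+): \(deleted\)$"),
    ("files", r"([A-Za-z]:\\.+): \(deleted\)$"),
]
SUMMARY = {"files": "deleted threat files", "dirs": "directories deleted",
           "procs": "threat processes terminated", "registry": "registry entries fixed"}

def parse_tool_log(text):
    """Return (artifacts by category, summary counts, whether the two agree)."""
    found, claimed = {k: [] for k in SUMMARY}, {}
    for line in map(str.strip, text.splitlines()):
        for key, pat in ACTIONS:
            if m := re.match(pat, line):
                found[key].append(m.group(1))
        for key, label in SUMMARY.items():
            if m := re.match(rf"The number of {label}: (\d+)$", line):
                claimed[key] = int(m.group(1))
    return found, claimed, {k: len(v) for k, v in found.items()} == claimed

def indicators(found):
    """Lower-cased strings to look for in a follow-up HijackThis log."""
    out = {s.lower() for s in found["files"] + found["procs"]}
    for entry in found["registry"]:
        out.update(g.lower() for g in re.findall(r"\{[0-9A-Fa-f-]{36}\}", entry))
        if m := re.search(r"\\Run: (\S+)$", entry):
            out.add(f"[{m.group(1).lower()}]")  # HijackThis prints Run value names in brackets
    return out

def leftovers(hjt_text, iocs):
    """HijackThis lines that still mention something the tool reported removing."""
    return [l for l in hjt_text.splitlines() if any(i in l.lower() for i in iocs)]
```

Files are compared by full path because bare names such as atl.dll also belong to legitimate components. HijackThis sometimes prints 8.3 short paths (PROGRA~1), which a plain substring comparison will not match.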

Offline guestolo

« Reply #15 on: March 10, 2005, 05:57:46 PM »
Looks good, how's everything running?

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Why so far behind on Windows Updates? This is important in keeping your computer secure too
