Author Topic: What is causing this???  (Read 16798 times)

Offline magicman911

  • Newbie
  • *
  • Posts: 44
  • Karma: +0/-0
    • View Profile
What is causing this???
« on: January 26, 2006, 05:09:03 AM »
Don't know how this happened, but for some reason every time I click on anything from a Google search result it redirects me to some other page, or a page related to my search.

Here is my HijackThis log... I tried everything! Please help, thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 5:01:18 AM, on 1/26/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\MK9908.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NTS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...=5.5&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CHotKey] mk9908.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .aiff: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

Offline magicman911

What is causing this???
« Reply #1 on: January 26, 2006, 11:16:46 AM »
Hmm, maybe this will help...

Ran a scan found these...

c:\WINDOWS\SYSTEM\howiper.exe is infected with Trojan Horse
c:\WINDOWS\SYSTEM\dgprpsetup.exe is infected with SecurityRisk.Downldr

Offline magicman911

What is causing this???
« Reply #2 on: January 26, 2006, 11:49:59 AM »
OK, I re-enabled some stuff I had disabled from start-up and here is my new HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:48:27 AM, on 1/26/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\MK9908.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NTS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...=5.5&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CHotKey] mk9908.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [sbin] sound64.exe
O4 - HKLM\..\Run: [SysSupport] backd.exe
O4 - HKCU\..\Run: [newbreed] InpriseMon.exe
O4 - HKCU\..\Run: [prcmon] KeywordFinder.exe
O4 - HKCU\..\Run: [cmon14] TForm1.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .aiff: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
What is causing this???
« Reply #3 on: January 27, 2006, 12:17:23 AM »
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it.  Click Next, then Install, then make sure "Run fixit" is checked and click Finish.  The fix will begin; follow the prompts.  You will be asked to reboot your computer; please do so.  Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.  Afterwards, HijackThis will launch.  Please click Scan, and check the following items (if they appear):

O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [sbin] sound64.exe
O4 - HKLM\..\Run: [SysSupport] backd.exe
O4 - HKCU\..\Run: [newbreed] InpriseMon.exe
O4 - HKCU\..\Run: [prcmon] KeywordFinder.exe
O4 - HKCU\..\Run: [cmon14] TForm1.exe


Ensure all other open windows are closed except for HijackThis,
then click Fix Checked. Close HijackThis, and click OK to proceed.

Reboot your computer again

Back in Windows
Download and Install Spybot 1.4 from
HERE
 or HERE

After installation, click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check the boxes and then download all updates
After the update is complete
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Click the "Search & Destroy" button on the left
"Check for Problems"---When the scan is complete
FIX all selected problems in RED

RESTART the computer to finish any cleaning process
Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

ONLY in the event you have trouble getting online afterwards:
This nasty plays with your DNS settings.
Click on Start, then Settings, and then click on Control Panel to open the Control Panel. Then double-click on the Network icon. You will then be presented with a list of entries. Scroll down until you see TCP/IP -> yournetworkcard and double-click on that entry. This will open the TCP/IP properties window.

Click once on the DNS Configuration tab>>On most machines DNS is set to disabled, but some ISPs require it. If required you will either have to try various settings and see what works, or contact your ISP (or read the ISP documentation) to find the proper domain, host, and DNS server information

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
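The reply above picks out six O4 lines from the second log by eye: every one of them is new since the first log, and every one names its executable as a bare file name or a drive-less path instead of a full path. As an added example (not part of this thread, and not a HijackThis or Fixwareout component), here is a small Python script that does the same triage mechanically: it parses the O4 Run-key lines of two HijackThis logs, diffs them, and classifies how each new entry names its image. The sample input is the O4 lines copied from the first and second logs posted in this thread. The baseline log doubles as the allowlist, because bare names such as SysTray.Exe and mk9908.exe are legitimate on this machine; only entries that are both new and non-absolute get flagged.

```python
import re
from typing import Dict, List

# Constructed sample input: the O4 (Run-key autostart) lines copied from the
# first and the second HijackThis logs posted earlier in this thread.
BASELINE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CHotKey] mk9908.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

LATER_LOG = BASELINE_LOG + r"""
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [sbin] sound64.exe
O4 - HKLM\..\Run: [SysSupport] backd.exe
O4 - HKCU\..\Run: [newbreed] InpriseMon.exe
O4 - HKCU\..\Run: [prcmon] KeywordFinder.exe
O4 - HKCU\..\Run: [cmon14] TForm1.exe
"""

# O4 lines look like:  O4 - HKLM\..\Run: [ValueName] image.exe /args
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run[^:]*): "
    r"\[(?P<name>[^\]]*)\] (?P<image>.*)$"
)


def parse_o4(log_text: str) -> List[Dict[str, str]]:
    """Return one dict (hive, key, name, image) per O4 Run-key line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify_image(image: str) -> str:
    r"""Say how an autostart value names its executable.

    absolute : drive letter plus full path, e.g. C:\WINDOWS\scanregw.exe
    rootless : a path from the root of an unnamed drive, e.g. \Program Files\...
    bare     : a file name only, resolved through the system search path
    Only the first whitespace-separated token is examined (a leading quote is
    dropped), so arguments after the image do not affect the answer.
    """
    tokens = image.split()
    exe = tokens[0].lstrip('"') if tokens else ""
    if re.match(r"^[A-Za-z]:\\", exe):
        return "absolute"
    if exe.startswith("\\"):
        return "rootless"
    return "bare"


def new_entries(baseline_text: str, later_text: str) -> List[Dict[str, str]]:
    """Entries present in the later log that the baseline log did not have."""
    seen = {tuple(sorted(e.items())) for e in parse_o4(baseline_text)}
    return [e for e in parse_o4(later_text) if tuple(sorted(e.items())) not in seen]


def triage(baseline_text: str, later_text: str) -> List[Dict[str, str]]:
    """Annotate each entry that appeared since the baseline with its path class.

    Bare names in the baseline (SysTray.Exe, mk9908.exe) are legitimate here,
    so a bare or rootless image is only marked suspicious when it is also new.
    """
    out = []
    for e in new_entries(baseline_text, later_text):
        path_class = classify_image(e["image"])
        out.append({**e, "path": path_class, "suspicious": path_class != "absolute"})
    return out


if __name__ == "__main__":
    for e in triage(BASELINE_LOG, LATER_LOG):
        flag = "!!" if e["suspicious"] else "  "
        print(f"{flag} {e['hive']}\\..\\{e['key']}: [{e['name']}] {e['image']}  ({e['path']})")
```

Run as-is it prints the six entries the reply lists, each marked `!!`; point it at two real logs by reading them into the two strings. The path class alone is not a verdict (Windows 9x ships several bare-name Run entries), which is why the diff against a known-good earlier log carries the weight.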


Offline magicman911

What is causing this???
« Reply #4 on: January 27, 2006, 04:49:11 PM »
OK, thanks... here it is... and by the way, I had already done the HJT fix removing those items before I did the Fixwareout, so they were gone. However, I found 2 new entries when I did HJT after Fixwareout, named CSEVW.EXE and DMMQV.EXE, which I fixed.

I think I have the betterinternet adaware virus too... according to a trendmicro scan. I tried Norton's removal tool but it said it can't find it. Any suggestions?

Thanks!!!

Here are the log files:


Logfile of HijackThis v1.99.1
Scan saved at 4:41:54 PM, on 1/27/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\MK9908.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CHotKey] mk9908.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .aiff: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

 
Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please
 
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\vqmmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\puorgdopd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
 
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM\CSEVW.EXE
C:\WINDOWS\SYSTEM\DMMQV.EXE
 
»»»»» Misc files

Offline guestolo

What is causing this???
« Reply #5 on: January 28, 2006, 01:52:24 AM »
You're not running any active AV in the background.
Please, if you don't have your own to install,
install either one of the following below>>>ONLY install one AV; more than one can cause conflicts

AVG 7 by Grisoft

Avast Home Edition by ALWIL

AntiVir Personal Edition Classic

BitDefender 8

After any of the above are installed, make sure it is totally updated, run a full system scan
Reboot the computer afterwards
Post back a fresh HijackThis log and let me know how everything's running

Could you also do the following
Open Hijackthis>>Open Misc tools section>>Open Uninstall Manager
Click the SAVE LIST button
Save the list to desktop and copy and paste back here the WHOLE contents please
« Last Edit: January 28, 2006, 01:54:36 AM by guestolo »


Offline magicman911

What is causing this???
« Reply #6 on: January 28, 2006, 03:47:24 AM »
As requested...

Logfile of HijackThis v1.99.1
Scan saved at 3:41:31 AM, on 1/28/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE
C:\WINDOWS\IPCONFIG.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\MK9908.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CHotKey] mk9908.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .aiff: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab


Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please
 
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\oofmd
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
 
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM\CSUGF.EXE
C:\WINDOWS\SYSTEM\DMFOO.EXE
 
»»»»» Misc files


Uninstall list:

1999 Grolier Multimedia Encyclopedia
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Photoshop 5.0
America Online
AOL Instant Messenger
AOL YGP Picture Downloader
ArcSoft Camera Studio
AudibleManager 2.0
AVG Free Edition
By Design Office
CCleaner (remove only)
Creative Launcher
Creative PlayCenter
cs 3.0
DART Karaoke Studio
DirectX Eradicator
Email VOICELink 3.0
eMule
Enfish Tracker
EnterNet 300
ffdshow (remove only)
HijackThis 1.99.1
HP DeskJet 970C Series (Remove only)
HP Instant Delivery
Internet Explorer Q832894
J2SE Runtime Environment 5.0 Update 6
Macromedia Flash Player 8
Macromedia Shockwave Player
MaxBlast 3
McAfee VirusScan v4.0.3 (OEM)
Microsoft IntelliPoint 4.1
Microsoft Internet Explorer 5.5 and Internet Tools
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Outlook Express 5
Microtek ScanWizard 5
MSConfig CleanUp 1.2
MSN Messenger 6.2
Multimedia Hotkey
Napster v2.0 BETA 7
Nero - Burning Rom
Nero Suite
Netscape Communicator 4.73
Netscape SmartDownload 1.1
Office In Color
Ontrack® SystemSuite 4.0
Quantex
QuickTime
RealPlayer
RingCentral
Software CineMaster 99
Sound Blaster Live! Value
Sound Blaster Live! Value Drivers
Spybot - Search & Destroy 1.4
StartPage Guard 2.52
Viewpoint Media Player
WebFerret
Winamp (Remove Only)
Windows 98 KB891711 Update
Windows 98 Q823559 Update
Windows 98 Q840315 Update
Windows 98 Q888113 Update
WinZip

Question: why do I keep getting new or different "ruins" and .exe files each time I run fixwareout?
« Last Edit: January 29, 2006, 03:55:46 AM by magicman911 »

Offline guestolo

What is causing this???
« Reply #7 on: January 29, 2006, 01:34:46 PM »
Log looks good
Can you find these files and delete them please if found
C:\WINDOWS\SYSTEM\CSUGF.EXE <-file
C:\WINDOWS\SYSTEM\DMFOO.EXE
C:\WINDOWS\SYSTEM\CSEVW.EXE
C:\WINDOWS\SYSTEM\DMMQV.EXE

In addition: Can you download and install the free version of
Emsisoft's A-Squared
The free link is at the bottom of the page
After installation ensure it's updated and run a full scan

When it's done, let it fix what it finds
Reboot the computer afterwards

Run FixWareout again with the instructions posted earlier
When you're done, post a new HijackThis log and the report from Fixwareout please


Offline magicman911

What is causing this???
« Reply #8 on: January 29, 2006, 02:34:51 PM »
OK, thanks, I will do that... but those SYSTEM files you asked me to delete are not there... they usually aren't when I look for them after Fixwareout finds them. And I find that every time something is fixed I go back to Fixwareout and it has a new RUIN and .EXE found... does it keep re-inventing itself? Or are these just more that it finds? I also notice the HJT log file always looks good though. It's very strange. I always find BetterInternet on my system when I run a new scan... I also found a Pipas.A virus once too.

Will your last instructions help with getting rid of these?
« Last Edit: January 29, 2006, 02:37:36 PM by magicman911 »

Offline magicman911

What is causing this???
« Reply #9 on: January 30, 2006, 12:19:26 AM »
OK, same problem! :angry: (read my last comment)... same thing, new RUINS and .exe's, and still have browser re-directs... take a look...
 
Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please
 
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\edlmd
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
 
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM\CSFCP.EXE
C:\WINDOWS\SYSTEM\DMLDE.EXE
 
»»»»» Misc files



Logfile of HijackThis v1.99.1
Scan saved at 12:10:18 AM, on 1/30/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE
C:\WINDOWS\IPCONFIG.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\MK9908.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CHotKey] mk9908.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .aiff: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

Offline guestolo

What is causing this???
« Reply #10 on: January 30, 2006, 01:37:59 AM »
Quote from magicman911:
OK, same problem! :angry: (read my last comment)... same thing, new RUINS and .exe's, and still have browser re-directs... take a look...
Yeah, I saw it; do you want to stop here or should we continue?

If you would like to continue:

==Download and save WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after

Reboot back to Normal mode

Back in Windows
Post the results of the WinPFind.txt located in the WinPFind folder

NOTE: Are you sure none of these files can be found?
C:\WINDOWS\SYSTEM\CSUGF.EXE <-file
C:\WINDOWS\SYSTEM\DMFOO.EXE
C:\WINDOWS\SYSTEM\CSEVW.EXE
C:\WINDOWS\SYSTEM\DMMQV.EXE
C:\WINDOWS\SYSTEM\CSFCP.EXE
C:\WINDOWS\SYSTEM\DMLDE.EXE

Make sure you have Windows set to show hidden files
* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View tab.
* In the Hidden files section select Show all files.
* Click OK.
« Last Edit: January 30, 2006, 02:03:02 AM by guestolo »

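The question in Reply #6 (why each Fixwareout run turns up a new "ruins" key and a new pair of .EXE files) can be answered partly from the three reports already posted in this thread. Two things are visible in them as posted: the leaf name of each deleted `ruins` key is the DM*.EXE file name spelled backwards (vqmmd and DMMQV.EXE, oofmd and DMFOO.EXE, edlmd and DMLDE.EXE), and two of the deleted `Urls` names reverse to the very file names the poster's antivirus flagged in Reply #1 (repiwoh and howiper.exe, putesprpgd and dgprpsetup.exe). Each run also produces a fresh CS*/DM* pair, which is what the poster's own guess, a component that survives cleanup and re-creates itself under a new name, looks like in the data. The following Python script is an added example, not part of the thread and not a Fixwareout component: it parses the report format shown above, reverses the key names, cross-references them against found and flagged files, and checks whether the file families are regenerating across runs. The sample reports are the ones posted here, trimmed to the lines the parser reads.

```python
import re
from typing import Dict, List

# Constructed sample input: the three Fixwareout reports posted in this thread,
# reduced to the report lines the parser reads.
REPORTS = [
    r"""Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\vqmmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM\CSEVW.EXE
C:\WINDOWS\SYSTEM\DMMQV.EXE
»»»»» Misc files
""",
    r"""Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\oofmd
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM\CSUGF.EXE
C:\WINDOWS\SYSTEM\DMFOO.EXE
»»»»» Misc files
""",
    r"""Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\edlmd
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM\CSFCP.EXE
C:\WINDOWS\SYSTEM\DMLDE.EXE
»»»»» Misc files
""",
]

# File names the poster's antivirus scan flagged in Reply #1 of the thread.
INFECTED = ["howiper.exe", "dgprpsetup.exe"]


def parse_report(text: str) -> Dict[str, List[str]]:
    """Split a Fixwareout report into the deleted registry keys and the files it found."""
    keys: List[str] = []
    files: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Reg Entries that were deleted"):
            section = "keys"
        elif "Search by size and names" in line:
            section = "files"
        elif "Misc files" in line:
            section = None
        elif section == "keys" and line.startswith("HKEY_"):
            keys.append(line)
        elif section == "files" and re.match(r"^[A-Za-z]:\\", line):
            files.append(line)
    return {"keys": keys, "files": files}


def leaf(path: str) -> str:
    """Last component of a backslash-separated registry or file path."""
    return path.rsplit("\\", 1)[-1]


def stem(filename: str) -> str:
    """File name without its extension, lower-cased for comparison."""
    return filename.lower().rsplit(".", 1)[0]


def cross_reference(keys: List[str], filenames: List[str]) -> Dict[str, str]:
    """Map each deleted key's leaf name to a file whose stem is that name spelled backwards."""
    by_stem = {stem(f): f for f in filenames}
    hits = {}
    for k in keys:
        name = leaf(k)
        reversed_name = name[::-1].lower()
        if reversed_name in by_stem:
            hits[name] = by_stem[reversed_name]
    return hits


# The file pair dropped on each run: a CS prefix and a DM prefix, then letters.
FAMILY_RE = re.compile(r"^(CS|DM)([A-Z]+)\.EXE$", re.IGNORECASE)


def families_across_runs(reports: List[str]) -> Dict[str, List[str]]:
    """Group found file names by prefix, one entry per run, in run order."""
    fam: Dict[str, List[str]] = {}
    for report in reports:
        for path in parse_report(report)["files"]:
            m = FAMILY_RE.match(leaf(path))
            if m:
                fam.setdefault(m.group(1).upper(), []).append(leaf(path).upper())
    return fam


def is_regenerating(reports: List[str]) -> bool:
    """True when every prefix family reappears in every run under a fresh name,
    the pattern of a component that survives cleanup and writes a renamed copy."""
    fam = families_across_runs(reports)
    runs = len(reports)
    return bool(fam) and all(len(v) == runs == len(set(v)) for v in fam.values())


if __name__ == "__main__":
    for i, report in enumerate(REPORTS, 1):
        parsed = parse_report(report)
        found = [leaf(f) for f in parsed["files"]]
        print(f"run {i}: key->file", cross_reference(parsed["keys"], found),
              "key->flagged", cross_reference(parsed["keys"], INFECTED))
    print("regenerating across runs:", is_regenerating(REPORTS))
```

For a defender, the useful output is the second half: when the found files and deleted keys change every run but keep the same shape, deleting the listed artifacts is treating symptoms, and the next step is the one the thread takes, a boot into Safe Mode and a broader scan (WinPFind) to find what is still running and writing them.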

Offline magicman911

What is causing this???
« Reply #11 on: February 01, 2006, 12:40:14 AM »
Yes, I most definitely want to continue :) I'm sorry if you misunderstood me...

Anyhow, no I am not able to find those files.

Here is the WinPfind file: (by the way I saved this program to its own folder instead of the desktop and extracted to the same folder... I hope that is OK)



»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows 98    Version: 4.10.2222
Internet Explorer Version: 5.50.4807.2300

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
web-nex              2/1/06 12:21:26 AM      RH  1327136    C:\WINDOWS\USER.DAT
ad-w-a-r-e.com       2/1/06 12:21:26 AM      RH  1327136    C:\WINDOWS\USER.DAT

Items found in C:\WINDOWS\hosts


Checking %System% folder...
UPX!                 2/10/04 11:14:52 PM         225792     C:\WINDOWS\SYSTEM\Xcite.dll
PTech                11/4/05 4:27:24 PM          534280     C:\WINDOWS\SYSTEM\LegitCheckControl.DLL

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     2/1/06 12:21:26 AM      RH  1327136    C:\WINDOWS\USER.DAT
                     2/1/06 12:20:30 AM      RH  10629152   C:\WINDOWS\SYSTEM.DAT
                     12/18/05 3:17:40 AM      H  31047      C:\WINDOWS\ttfCache
                     12/20/05 12:05:36 AM     H  54156      C:\WINDOWS\QTFont.qfn
                     12/22/05 5:47:54 AM      H  710567     C:\WINDOWS\ShellIconCache
                     12/9/05 5:20:24 AM       H  11581      C:\WINDOWS\WEB\ftp.htt
                     12/9/05 5:17:56 AM       H  9793       C:\WINDOWS\HELP\windows.GID

Checking for CPL files...
Microsoft Corporation          4/23/99 10:22:00 PM         221280     C:\WINDOWS\SYSTEM\DESK.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         60928      C:\WINDOWS\SYSTEM\INTL.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         93248      C:\WINDOWS\SYSTEM\MODEM.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         14448      C:\WINDOWS\SYSTEM\NETCPL.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         7952       C:\WINDOWS\SYSTEM\ODBCCP32.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         47104      C:\WINDOWS\SYSTEM\PASSWORD.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         420864     C:\WINDOWS\SYSTEM\MMSYS.CPL
                               4/23/99 10:22:00 PM         70656      C:\WINDOWS\SYSTEM\STICPL.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         103424     C:\WINDOWS\SYSTEM\MAIN.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         387072     C:\WINDOWS\SYSTEM\SYSDM.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         51984      C:\WINDOWS\SYSTEM\POWERCFG.CPL
Sun Microsystems, Inc.         11/10/05 1:03:50 PM         49265      C:\WINDOWS\SYSTEM\jpicpl32.cpl
Microsoft Corporation          2/10/99 7:48:48 AM          40960      C:\WINDOWS\SYSTEM\FINDFAST.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         72192      C:\WINDOWS\SYSTEM\APPWIZ.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         37376      C:\WINDOWS\SYSTEM\TIMEDATE.CPL
RAVISENT Technologies Inc.     8/16/99 2:31:44 PM          195072     C:\WINDOWS\SYSTEM\qiswcine.cpl
Apple Computer, Inc.           4/8/04 2:12:42 PM           323072     C:\WINDOWS\SYSTEM\QUICKTIME.CPL
Creative Technology Ltd.       12/8/98 1:53:00 AM          223744     C:\WINDOWS\SYSTEM\CtDetect.cpl
Creative Technology Ltd.       3/19/98 1:00:00 AM          18432      C:\WINDOWS\SYSTEM\AUDIOHQ.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         15360      C:\WINDOWS\SYSTEM\THEMES.CPL
Microsoft Corporation          7/23/01                     259344     C:\WINDOWS\SYSTEM\INETCPL.CPL
Microsoft Corporation          10/30/01 8:10:00 AM         442368     C:\WINDOWS\SYSTEM\joy.cpl
Microsoft Corporation          4/23/99 10:22:00 PM         66048      C:\WINDOWS\SYSTEM\ACCESS.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         14848      C:\WINDOWS\SYSTEM\TELEPHON.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
                     1/30/06 12:15:36 AM         6891       C:\WINDOWS\Application Data\dw.log
                     12/25/05 10:34:20 PM        3136       C:\WINDOWS\Application Data\mpauth.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Fix-It Menu
   {A50302A0-8E15-11d2-887B-006008C1C087}    = C:\PROGRAM FILES\ONTRACK\SYSTEMSUITE\mxctxmnu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WS_FTP
   {797F3885-5429-11D4-8823-0050DA59922B}    =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WS_FTP
   {797F3885-5429-11D4-8823-0050DA59922B}    =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Fix-It Menu
   {A50302A0-8E15-11d2-887B-006008C1C087}    = C:\PROGRAM FILES\ONTRACK\SYSTEMSUITE\mxctxmnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
   SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {8E718888-423F-11D2-876E-00A0C9082467}    = @msdxmLC.dll,-1@1033,&Radio   : C:\WINDOWS\SYSTEM\MSDXM.OCX

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
   ButtonText    = AIM   : C:\PROGRAM FILES\AIM95\AIM.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
   MenuText    = Sun Java Console   : C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
   History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
   Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
   {8E718888-423F-11D2-876E-00A0C9082467} = @msdxmLC.dll,-1@1033,&Radio   : C:\WINDOWS\SYSTEM\MSDXM.OCX

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   SystemTray   SysTray.Exe
   Disc Detector   C:\Program Files\Creative\ShareDLL\CtNotify.exe
   CHotKey   mk9908.exe
   POINTER   point32.exe
   LoadPowerProfile   Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
   ScanRegistry   C:\WINDOWS\scanregw.exe /autorun
   AVG7_CC   C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
   AVG7_AMSVR   C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
   csctt.exe   csctt.exe
   dmeuo.exe   C:\WINDOWS\SYSTEM\dmeuo.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
   MSFS   Installed = 1
   MAPI   Installed = 1
   IMAIL   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
   WinampAgent   "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
   Matrox Powerdesk   C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
   AudioHQ   C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
   AvconsoleEXE   C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
   VsecomrEXE   C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE
   VsStatEXE   C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
   Vshwin32EXE   C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
   TaskMonitor   C:\WINDOWS\taskmon.exe
   hpidschd.exe -log -- -log   "C:\Program Files\Hewlett-Packard\HP Instant Delivery\hpidschd.exe"
   Fix-It AV   C:\PROGRA~1\ONTRACK\SYSTEM~1\MEMCHECK.EXE
   StillImageMonitor   C:\WINDOWS\SYSTEM\STIMON.EXE
   TkBellExe   "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
   HPDJ Taskbar Utility   C:\WINDOWS\SYSTEM\hpztsb04.exe
   LoadQM   loadqm.exe
   QuickTime Task   "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
   USBDetector   C:\USBStorage\USBDetector.exe
   InCD   C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]
   SchedulingAgent   mstask.exe
   Vshwin32EXE   C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
   Machine Debug Manager   C:\WINDOWS\SYSTEM\MDM.EXE
   LoadPowerProfile   Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
   KB891711   C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   •
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2/1/06 12:28:39 AM

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
What is causing this???
« Reply #12 on: February 01, 2006, 12:59:46 AM »
We're going to try this with a different twist

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
 
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"csctt.exe"=-
"dmeuo.exe"=-


Please save these instructions to a Notepad file saved to the desktop
Close all browser windows down, do not open them until you are done
You must make sure that Internet Explorer isn't open
Even enter your task manager and end task on IEXPLORE.EXE if running
Don't confuse it with explorer.exe

Find and delete these files
C:\WINDOWS\SYSTEM\dmeuo.exe <-file
C:\WINDOWS\SYSTEM\Xcite.dll <-file
Also, do a search for this one and send it to the recycle bin if found
I can find no info on it
csctt.exe
I believe it's also related to the Wareout infection
Probably found in the C:\WINDOWS\SYSTEM folder

With all other windows closed

Double click on fix.reg and allow to merge to the registry
Run FixWareout again with the instructions posted earlier
When you're done, post a new HijackThis log and the report from FixWareout please

Could you also run WinPFind again and post the log
You can run it in Normal mode
But once you hit Start Scan, don't open or close any windows till the log opens
« Last Edit: February 01, 2006, 01:27:02 AM by guestolo »



Offline magicman911

  • Newbie
  • *
  • Posts: 44
  • Karma: +0/-0
What is causing this???
« Reply #13 on: February 01, 2006, 11:35:30 AM »
OK, I have to run out for a bit, but I will do this as soon as I get back...

I just quickly checked and again I can't find the .exe files but I can find the .dll one... just wanted to let you know... If you have any thoughts on that, I'll check back before following your last instructions to see if you want me to do anything different.

I'll post my results soon. Thanks! Thanks! Thanks!

Offline magicman911

  • Newbie
  • *
  • Posts: 44
  • Karma: +0/-0
What is causing this???
« Reply #14 on: February 02, 2006, 02:12:20 AM »
As per your request:

Logfile of HijackThis v1.99.1
Scan saved at 2:02:34 AM, on 2/2/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE
C:\WINDOWS\IPCONFIG.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\MK9908.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CHotKey] mk9908.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .aiff: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab




»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows 98    Version: 4.10.2222
Internet Explorer Version: 5.50.4807.2300

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
web-nex              2/2/06 2:03:10 AM       RH  1327136    C:\WINDOWS\USER.DAT
ad-w-a-r-e.com       2/2/06 2:03:10 AM       RH  1327136    C:\WINDOWS\USER.DAT

Items found in C:\WINDOWS\hosts


Checking %System% folder...
PTech                11/4/05 4:27:24 PM          534280     C:\WINDOWS\SYSTEM\LegitCheckControl.DLL

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     2/2/06 2:03:10 AM       RH  1327136    C:\WINDOWS\USER.DAT
                     2/2/06 2:03:10 AM       RH  10629152   C:\WINDOWS\SYSTEM.DAT
                     12/18/05 3:17:40 AM      H  31047      C:\WINDOWS\ttfCache
                     12/20/05 12:05:36 AM     H  54156      C:\WINDOWS\QTFont.qfn
                     12/9/05 5:20:24 AM       H  11581      C:\WINDOWS\WEB\ftp.htt
                     12/9/05 5:17:56 AM       H  9793       C:\WINDOWS\HELP\windows.GID

Checking for CPL files...
Microsoft Corporation          4/23/99 10:22:00 PM         221280     C:\WINDOWS\SYSTEM\DESK.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         60928      C:\WINDOWS\SYSTEM\INTL.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         93248      C:\WINDOWS\SYSTEM\MODEM.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         14448      C:\WINDOWS\SYSTEM\NETCPL.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         7952       C:\WINDOWS\SYSTEM\ODBCCP32.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         47104      C:\WINDOWS\SYSTEM\PASSWORD.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         420864     C:\WINDOWS\SYSTEM\MMSYS.CPL
                               4/23/99 10:22:00 PM         70656      C:\WINDOWS\SYSTEM\STICPL.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         103424     C:\WINDOWS\SYSTEM\MAIN.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         387072     C:\WINDOWS\SYSTEM\SYSDM.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         51984      C:\WINDOWS\SYSTEM\POWERCFG.CPL
Sun Microsystems, Inc.         11/10/05 1:03:50 PM         49265      C:\WINDOWS\SYSTEM\jpicpl32.cpl
Microsoft Corporation          2/10/99 7:48:48 AM          40960      C:\WINDOWS\SYSTEM\FINDFAST.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         72192      C:\WINDOWS\SYSTEM\APPWIZ.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         37376      C:\WINDOWS\SYSTEM\TIMEDATE.CPL
RAVISENT Technologies Inc.     8/16/99 2:31:44 PM          195072     C:\WINDOWS\SYSTEM\qiswcine.cpl
Apple Computer, Inc.           4/8/04 2:12:42 PM           323072     C:\WINDOWS\SYSTEM\QUICKTIME.CPL
Creative Technology Ltd.       12/8/98 1:53:00 AM          223744     C:\WINDOWS\SYSTEM\CtDetect.cpl
Creative Technology Ltd.       3/19/98 1:00:00 AM          18432      C:\WINDOWS\SYSTEM\AUDIOHQ.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         15360      C:\WINDOWS\SYSTEM\THEMES.CPL
Microsoft Corporation          7/23/01                     259344     C:\WINDOWS\SYSTEM\INETCPL.CPL
Microsoft Corporation          10/30/01 8:10:00 AM         442368     C:\WINDOWS\SYSTEM\joy.cpl
Microsoft Corporation          4/23/99 10:22:00 PM         66048      C:\WINDOWS\SYSTEM\ACCESS.CPL
Microsoft Corporation          4/23/99 10:22:00 PM         14848      C:\WINDOWS\SYSTEM\TELEPHON.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
                     1/30/06 12:15:36 AM         6891       C:\WINDOWS\Application Data\dw.log
                     12/25/05 10:34:20 PM        3136       C:\WINDOWS\Application Data\mpauth.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Fix-It Menu
   {A50302A0-8E15-11d2-887B-006008C1C087}    = C:\PROGRAM FILES\ONTRACK\SYSTEMSUITE\mxctxmnu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WS_FTP
   {797F3885-5429-11D4-8823-0050DA59922B}    =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WS_FTP
   {797F3885-5429-11D4-8823-0050DA59922B}    =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Fix-It Menu
   {A50302A0-8E15-11d2-887B-006008C1C087}    = C:\PROGRAM FILES\ONTRACK\SYSTEMSUITE\mxctxmnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
   SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {8E718888-423F-11D2-876E-00A0C9082467}    = @msdxmLC.dll,-1@1033,&Radio   : C:\WINDOWS\SYSTEM\MSDXM.OCX

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
   ButtonText    = AIM   : C:\PROGRAM FILES\AIM95\AIM.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
   MenuText    = Sun Java Console   : C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
   History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
   Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
   {8E718888-423F-11D2-876E-00A0C9082467} = @msdxmLC.dll,-1@1033,&Radio   : C:\WINDOWS\SYSTEM\MSDXM.OCX

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   SystemTray   SysTray.Exe
   Disc Detector   C:\Program Files\Creative\ShareDLL\CtNotify.exe
   CHotKey   mk9908.exe
   POINTER   point32.exe
   LoadPowerProfile   Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
   ScanRegistry   C:\WINDOWS\scanregw.exe /autorun
   AVG7_CC   C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
   AVG7_AMSVR   C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
   AVG7_AMSVR   C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
   AVG7_AMSVR   C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
   MSFS   Installed = 1
   MAPI   Installed = 1
   IMAIL   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
   WinampAgent   "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
   Matrox Powerdesk   C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
   AudioHQ   C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
   AvconsoleEXE   C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
   VsecomrEXE   C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE
   VsStatEXE   C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
   Vshwin32EXE   C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
   TaskMonitor   C:\WINDOWS\taskmon.exe
   hpidschd.exe -log -- -log   "C:\Program Files\Hewlett-Packard\HP Instant Delivery\hpidschd.exe"
   Fix-It AV   C:\PROGRA~1\ONTRACK\SYSTEM~1\MEMCHECK.EXE
   StillImageMonitor   C:\WINDOWS\SYSTEM\STIMON.EXE
   TkBellExe   "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
   HPDJ Taskbar Utility   C:\WINDOWS\SYSTEM\hpztsb04.exe
   LoadQM   loadqm.exe
   QuickTime Task   "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
   USBDetector   C:\USBStorage\USBDetector.exe
   InCD   C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]
   SchedulingAgent   mstask.exe
   Vshwin32EXE   C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
   Machine Debug Manager   C:\WINDOWS\SYSTEM\MDM.EXE
   LoadPowerProfile   Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
   KB891711   C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   •
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2/2/06 2:09:13 AM



Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please
 
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ygqmd
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
 
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM\CSEZH.EXE
C:\WINDOWS\SYSTEM\DMQGY.EXE
 
»»»»» Misc files

Offline guestolo
What is causing this???
« Reply #15 on: February 02, 2006, 09:28:31 AM »
Now I'm just on my way out the door

Can you do the following please, let's make sure those files don't exist
==Download Killbox
From one of these locations
http://www.downloads.subratam.org/KillBox.exe
http://www.atribune.org/downloads/KillBox.exe
and save it to your desktop or folder

Open Killbox.exe
Leave "Standard Kill file" selected
Also select "End Explorer shell while killing file"
In the "Full path of File to Delete" copy and paste the full entry below in bold

C:\WINDOWS\SYSTEM\CSEZH.EXE

Then click the Red Circle with the White X
Allow to make a backup and delete the file
Don't worry about no file found messages

Carry on with the same instructions in killbox with the rest of these

C:\WINDOWS\SYSTEM\DMQGY.EXE
C:\WINDOWS\SYSTEM\dmeuo.exe
C:\WINDOWS\SYSTEM\csctt.exe
C:\WINDOWS\SYSTEM\CSUGF.EXE
C:\WINDOWS\SYSTEM\DMFOO.EXE
C:\WINDOWS\SYSTEM\CSEVW.EXE
C:\WINDOWS\SYSTEM\DMMQV.EXE
C:\WINDOWS\SYSTEM\CSFCP.EXE
C:\WINDOWS\SYSTEM\DMLDE.EXE


Can you also do the following
From below, Download and unzip to desktop RemV3.zip
So you now have the RemV3 folder on the desktop
Make sure windows is set to show hidden files

Reboot into safe mode
Open the RemV3 folder and double click on remv3.bat
Follow the prompts
When it's done
Exit all windows
Reboot back to Normal mode

Post the log created by remv3.bat located here
C:\log.txt
« Last Edit: February 02, 2006, 09:48:47 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
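An added example, not from this thread and not code from Killbox or Fixwareout: a short Python script that pulls the paths out of the "Search by size and names" section of a Fixwareout report, flags the cs???.exe / dm???.exe naming pattern seen in the files listed in this thread, and checks afterwards whether each flagged file is really gone. The sample report text is constructed from the log posted above; the directory argument to check_absent stands in for C:\WINDOWS\SYSTEM so the script can be tried on any machine, and the naming pattern is a heuristic assumed from the file names here, not a malware signature.

```python
import os
import re
import tempfile

# Constructed sample input: the Fixwareout report excerpt posted in this thread.
SAMPLE_REPORT = r"""Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ygqmd

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM\CSEZH.EXE
C:\WINDOWS\SYSTEM\DMQGY.EXE

»»»»» Misc files
"""

SECTION_MARK = "»»»»» "            # Fixwareout prefixes each section header with this
SEARCH_SECTION = "Search by size and names"

# Heuristic assumed from the file names reported in this thread: "cs" or "dm",
# three more letters, ".exe". It is a naming pattern, not a malware signature,
# so anything it flags still needs a human look before deletion.
PAIRED_NAME = re.compile(r"^(cs|dm)[a-z]{3}\.exe$", re.IGNORECASE)


def report_paths(report):
    """Return the paths listed under the 'Search by size and names' header."""
    paths = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith(SECTION_MARK):
            in_section = SEARCH_SECTION in line   # stay in until the next header
            continue
        if in_section and line:
            paths.append(line)
    return paths


def win_basename(path):
    """Last component of a Windows path, computed without relying on the host OS."""
    return path.rsplit("\\", 1)[-1]


def flag_paired_names(paths):
    """Keep only the paths whose file name matches the cs???/dm??? pattern."""
    return [p for p in paths if PAIRED_NAME.match(win_basename(p))]


def check_absent(paths, system_dir):
    r"""Map each path to True if it no longer exists in system_dir.

    system_dir stands in for C:\WINDOWS\SYSTEM; pass the real directory on
    the affected machine, or a scratch directory when testing elsewhere.
    """
    return {p: not os.path.exists(os.path.join(system_dir, win_basename(p)))
            for p in paths}


def demo():
    """Run the whole chain on the sample report with a constructed scratch directory."""
    flagged = flag_paired_names(report_paths(SAMPLE_REPORT))
    with tempfile.TemporaryDirectory() as scratch:
        # Constructed state: CSEZH.EXE is still there, DMQGY.EXE was already removed.
        open(os.path.join(scratch, "CSEZH.EXE"), "wb").close()
        return check_absent(flagged, scratch)


if __name__ == "__main__":
    for path, gone in demo().items():
        print(f"{path}: {'gone' if gone else 'STILL PRESENT'}")
```

Run it against the real report and C:\WINDOWS\SYSTEM on the affected machine; any path that comes back False still exists and should go through the Killbox steps again, or be retried from safe mode as the RemV3 steps above do.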


Offline magicman911
What is causing this???
« Reply #16 on: February 03, 2006, 12:36:19 AM »
This is one nasty virus!!!  :blink:

Did RemV3 and fixwareout...

Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please
 
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\svvmd
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
 
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM\CSNMV.EXE
C:\WINDOWS\SYSTEM\DMVVS.EXE
 
»»»»» Misc files

The batch is run from --
Checking for version 1 Files.......
"Files found"
---------------------------------------------------------------------
 
deleting files........
---------------------------------------------------------
 
"Files Not Deleted"
---------------------------------------------------------------------
 
Checking for version 2 files..........
Files Found
 ------------------------------------------------------------
 
deleting files........
---------------------------------------------------------
 
Files Not deleted
 ------------------------------------------------------------
 

Checking version 3 Files...................
Files Found ..................
----------------------------------------

Files not Deleted.............  
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
 
 
Other bad files to be Manually deleted.. Please Note that This might also list Legit Files, be careful while Deleting
-----------------------------------------------------------------

 Volume in drive C is QV29D0    
 Volume Serial Number is 2A31-1401
 Directory of C:\WINDOWS\SYSTEM

                        24,833.22 MB free
Finished

Offline guestolo
What is causing this???
« Reply #17 on: February 03, 2006, 01:12:19 AM »
I've fixed this quite a few times without this much trouble
What are you using to control entries on startup
It may be that McAfee's, although disabled on startup, is interfering
Can I have you enable everything on startup
and then reboot the computer
I didn't realize you had McAfee's installed
Please uninstall either McAfee's or AVG

Run killbox and use the instructions I gave you earlier to delete these files
C:\WINDOWS\SYSTEM\CSNMV.EXE
C:\WINDOWS\SYSTEM\DMVVS.EXE

Did you delete these files earlier?
c:\WINDOWS\SYSTEM\howiper.exe
c:\WINDOWS\SYSTEM\dgprpsetup.exe

Can you open Hijackthis>>Open Misc tools section>>Open Uninstall manager
Click the SAVE LIST button
Save this list to desktop and then copy and paste back here the whole contents

Additionally:
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as export.bat
Save this file on the desktop

Code:
@echo off
cd C:\fixwareout
dir /s /a > C:\export.txt
notepad C:\export.txt
rem DEL on Windows 98 has no /Q switch (that is a Windows NT cmd.exe option), so plain DEL is used here
del C:\export.txt
Double click on export.bat
A text file will open, copy and paste the whole contents back here
« Last Edit: February 03, 2006, 01:45:14 AM by guestolo »



Offline magicman911
What is causing this???
« Reply #18 on: February 03, 2006, 01:59:32 AM »
OK, below is what you asked for... Also, I don't know if it matters or not, but I have my IE temp files and swap file on a separate drive. I also made some changes to speed up boot-up that may be causing this? As follows:

Instructions from some site:

"For example, adding the line stacks=0,0 to the config.sys file can significantly speed up a computer. However, the two files I really want to focus on here are system.ini and msdos.sys. Within system.ini, add the following lines under [386Enh]:

LocalLoadHigh=1 - This setting tells the computer to load everything the operating system needs into upper memory by default, freeing up as much conventional memory as possible (the first 640K). Microsoft would like us to believe that this no longer affects the system, but they are lying.

DMABufferSize=64 - This setting tells the computer to leave as much memory available for DMA data transfers as possible, speeding up not only the boot process but the system in general.

There are some even more exciting settings available within the msdos.sys file for optimizing the boot process. Before you can modify the msdos.sys file (which is a hidden file, by the way, so you'll have to set Windows to show hidden files from within Windows Explorer), you will need to remove its read-only attribute. To do this, right click on the file, enter its properties menu, and uncheck read-only. Now that you've done that, open the file in notepad and add the following lines:

Logo=0 - This setting turns off the silly Windows splash screen during startup. Disabling this will shave a few seconds off your boot time.

Drvspace=0 - This setting turns off support for Drivespace-compressed FAT16 drives. Since no one uses this anymore, it is safe to disable. Disabling it will not only speed up your boot time, but it will also free up some extra resources as well.

Dblspace=0 - Same as above, but this time for Doublespace-compressed FAT16 drives.

DisableLog=1 - This setting disables the log file which Windows creates by default when booting up. Disabling this will shave a few seconds off your boot time, and since no one ever uses the log file for anything anyway, it won't be missed."




 Volume in drive C is QV29D0    
 Volume Serial Number is 2A31-1401

Directory of C:\fixwareout

.              <DIR>        01-27-06 12:31p .
..             <DIR>        01-27-06 12:31p ..
FINDT          <DIR>        01-27-06 12:31p FindT
SUB            <DIR>        01-27-06 12:31p SUB
REPORT   TXT           472  02-03-06 12:29a report.txt
FIXIT    BAT         3,370  12-05-05  2:39a FixIt.BAT
FIXWAR~1 EXE       455,107  01-27-06 12:30p Fixwareout.exe
         3 file(s)        458,949 bytes

Directory of C:\fixwareout\FindT

.              <DIR>        01-27-06 12:31p .
..             <DIR>        01-27-06 12:31p ..
FINDT    BAT        25,477  01-10-06  8:17p FindT.bat
LOCATE   COM        11,254  09-03-05  8:37p locate.com
WINREG   EXE        39,936  02-11-05  7:05p WINREG.EXE
EXPORT   BAT           483  01-12-06  2:34a export.bat
SWREG    EXE        42,496  09-20-05  7:21a swreg.exe
XFIND    COM         1,992  12-06-05 11:25p XFIND.COM
         6 file(s)        121,638 bytes

Directory of C:\fixwareout\SUB

.              <DIR>        01-27-06 12:31p .
..             <DIR>        01-27-06 12:31p ..
BFU      ZIP        62,862  01-27-06 12:36p bfu.zip
9XREBOOT BFU           345  09-11-05  9:38p 9Xreboot.bfu
IPCONFIG BAT           597  09-16-05  6:18a ipconfig.bat
NTREBOOT BFU           740  12-14-05  1:47a NTreboot.bfu
UNZIP    EXE       167,936  02-28-05  5:51p unzip.exe
WIN98ME  BFU         8,189  12-22-05  4:07a win98me.bfu
XP-2K2   BFU        11,519  12-17-05  6:57a XP-2K2.bfu
DOWNLOAD EXE        61,440  09-23-05 11:01a download.exe
BFU      EXE        66,048  11-04-05 10:09p BFU.exe
         9 file(s)        379,676 bytes

Total files listed:
        18 file(s)        960,263 bytes
         8 dir(s)       24,849.19 MB free

Note: the MsDos window now says:

Invalid Switch - /Q

--------------------

Uninstall list:

1999 Grolier Multimedia Encyclopedia
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Photoshop 5.0
America Online
AOL Instant Messenger
AOL YGP Picture Downloader
ArcSoft Camera Studio
a-squared Free 1.6.1
AudibleManager 2.0
AVG Free Edition
By Design Office
CCleaner (remove only)
Creative Launcher
Creative PlayCenter
cs 3.0
DART Karaoke Studio
DirectX Eradicator
Email VOICELink 3.0
eMule
Enfish Tracker
EnterNet 300
ffdshow (remove only)
HijackThis 1.99.1
HP DeskJet 970C Series (Remove only)
HP Instant Delivery
Internet Explorer Q832894
J2SE Runtime Environment 5.0 Update 6
Macromedia Flash Player 8
Macromedia Shockwave Player
MaxBlast 3
McAfee VirusScan v4.0.3 (OEM)
Microsoft IntelliPoint 4.1
Microsoft Internet Explorer 5.5 and Internet Tools
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Outlook Express 5
Microtek ScanWizard 5
MSConfig CleanUp 1.2
MSN Messenger 6.2
Multimedia Hotkey
Napster v2.0 BETA 7
Nero - Burning Rom
Nero Suite
Netscape Communicator 4.73
Netscape SmartDownload 1.1
Office In Color
Ontrack® SystemSuite 4.0
Quantex
QuickTime
RealPlayer
RingCentral
Software CineMaster 99
Sound Blaster Live! Value
Sound Blaster Live! Value Drivers
Spybot - Search & Destroy 1.4
StartPage Guard 2.52
Viewpoint Media Player
WebFerret
Winamp (Remove Only)
Windows 98 KB891711 Update
Windows 98 Q823559 Update
Windows 98 Q840315 Update
Windows 98 Q888113 Update
WinZip

Offline guestolo
What is causing this???
« Reply #19 on: February 03, 2006, 10:30:09 AM »
I would uninstall McAfee, as it's an old outdated version
This will help ensure it's not interfering in what we're trying

You're using a tool, MSConfig CleanUp 1.2
This may be, and probably is, interfering also
What have you disabled>>Cleaned with it?

As mentioned, can you enable EVERYTHING on startup
This includes what you have disabled with Msconfig
Reboot the computer
Post back a fresh hijackthis log
It doesn't help if we don't see everything running on startup

Can you also enter StartPage Guard's preferences and disable it please
We have to track down what's interfering with this fix
I believe it's the problems of interference with other software you have installed

Did you delete these files earlier you found bad?
c:\WINDOWS\SYSTEM\howiper.exe
c:\WINDOWS\SYSTEM\dgprpsetup.exe
« Last Edit: February 03, 2006, 10:31:04 AM by guestolo »
