shabih

VERY SLOW XP logon

16 posts in this topic

I can start Windows XP, but when I try to log on to a user account it takes a really long time. In Windows 2000 it is running fine. Here's my HijackThis log.

 

Logfile of HijackThis v1.97.7

Scan saved at 9:10:59 PM, on 7/15/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\drivers\CDAC11BA.EXE

C:\WINNT\System32\svchost.exe

C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe

C:\Program Files\VerizonDSL\IPInsight\ARMon32a.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\VerizonDSL\WinPoET\WrOS.EXE

C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe

C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe

D:\Program Files\BullGuard\vsserv.exe

C:\WINNT\Explorer.exe

C:\Program Files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

D:\LogiTray.exe

C:\WINNT\loadqm.exe

D:\Winamp\winampa.exe

C:\Program Files\QuickTime\qttask.exe

D:\Program Files\BullGuard\bdmcon.exe

C:\Program Files\AdDestroyer\AdDestroyer.exe

D:\LowLight.exe

C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe

D:\AIM\aim.exe

D:\Mozilla\MozillaFirebird\MozillaFirebird.exe

C:\WINNT\Dotest.exe

D:\Shabih\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)

O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [WinPoET] C:\Program Files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [WindowsUpd] C:\WINNT\WindowsUpd1.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [LogitechGalleryRepair] D:\ISStart.exe

O4 - HKLM\..\Run: [LogitechImageStudioTray] D:\LogiTray.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [sysUpd] C:\WINNT\WindowsUpd1.exe

O4 - HKLM\..\Run: [symantec Security Routine Addon] navpaw.exe

O4 - HKLM\..\Run: [iE Loader] nsc32.exe

O4 - HKLM\..\Run: [iE Processes] nosc32.exe

O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe

O4 - HKLM\..\Run: [qwqkeatv] C:\WINNT\System32\ynoxtr.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe

O4 - HKLM\..\Run: [WindowsUpd1] C:\WINNT\WindowsUpd1.exe

O4 - HKLM\..\Run: [bDMCon] D:\PROGRA~1\BULLGU~1\bdmcon.exe

O4 - HKLM\..\RunServices: [symantec Security Routine Addon] navpaw.exe

O4 - HKLM\..\RunServices: [iE Loader] nsc32.exe

O4 - HKLM\..\RunServices: [iE Processes] nosc32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [WhatPulse] D:\Shabih\whatpulse\WhatPulse.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe

O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E7189BA6-9C07-4351-9B0E-931CA2EBA68C}: NameServer = 199.45.32.43 199.45.32.38


Hi,

First thing to do is ...

 

Update Ad-Aware's Reference File: instructions here

 

Required Step: Reconfigure Ad-Aware for Full Scan

 

Note: do not run Ad-Aware yet, just update and reconfigure.

 

Next:

 

Reconfigure Windows Explorer to show Hidden Files: [required step]

Open the Windows Explorer | Tools | Folder Options - View [tab]:

 

Scroll down to the "Files and Folders" section.

Select: "Display the contents of system folders".

 

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", OK the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: "Hide protected operating system files", OK the prompt, click Apply

 

Click the "Apply to all Folders" button. Close Windows Explorer.

 

Next:

 

Close all open windows, rescan with HijackThis

Place a check in each of the following then click "Fix checked".

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)

O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [WindowsUpd] C:\WINNT\WindowsUpd1.exe

O4 - HKLM\..\Run: [sysUpd] C:\WINNT\WindowsUpd1.exe

O4 - HKLM\..\Run: [iE Loader] nsc32.exe

O4 - HKLM\..\Run: [iE Processes] nosc32.exe

O4 - HKLM\..\Run: [qwqkeatv] C:\WINNT\System32\ynoxtr.exe

O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe

O4 - HKLM\..\Run: [WindowsUpd1] C:\WINNT\WindowsUpd1.exe

O4 - HKLM\..\RunServices: [iE Loader] nsc32.exe

O4 - HKLM\..\RunServices: [iE Processes] nosc32.exe

O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

 

Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

 

Start | Run (type) "%temp%" (no quotes)

Completely delete the entire contents of that "temp" folder.

 

Open Windows Explorer locate and delete the following:

 

C:\Program Files\INCREDIFIND <--this folder

C:\Program Files\VBouncer <--this folder

C:\WINNT\WindowsUpd1.exe <--this file

C:\WINNT\System32\ynoxtr.exe <--this file

C:\WINNT\alchem.exe <--this file

nsc32.exe <--this file

nosc32.exe <--this file (Win32.Boxbot.B)

Note: locate the last 2 via Start > Search > Advanced Options

 

While still in Safe Mode run Ad-Aware and fix everything it finds.

 

Restart normally and then ... Download HijackThis! 1.98

 

After the above, reboot, rescan with HijackThis and post a fresh log ...


I did everything you asked...

 

Logfile of HijackThis v1.97.7

Scan saved at 2:50:17 PM, on 7/16/2004

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\drivers\CDAC11BA.EXE

C:\WINNT\System32\svchost.exe

C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe

C:\Program Files\VerizonDSL\IPInsight\ARMon32a.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\VerizonDSL\WinPoET\WrOS.EXE

C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe

C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe

D:\Program Files\BullGuard\vsserv.exe

C:\WINNT\Explorer.exe

C:\Program Files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

D:\LogiTray.exe

C:\WINNT\loadqm.exe

D:\Winamp\winampa.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

D:\LowLight.exe

C:\Program Files\AdDestroyer\AdDestroyer.exe

C:\Program Files\VerizonDSL\IPInsight\ARUpld32.exe

D:\AIM\aim.exe

D:\mIRC\mirc.exe

D:\Shabih\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [WinPoET] C:\Program Files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [LogitechGalleryRepair] D:\ISStart.exe

O4 - HKLM\..\Run: [LogitechImageStudioTray] D:\LogiTray.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [symantec Security Routine Addon] navpaw.exe

O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bDMCon] D:\PROGRA~1\BULLGU~1\bdmcon.exe

O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\RunServices: [symantec Security Routine Addon] navpaw.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [WhatPulse] D:\Shabih\whatpulse\WhatPulse.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E7189BA6-9C07-4351-9B0E-931CA2EBA68C}: NameServer = 199.45.32.43 199.45.32.38

 

BUT I still can't log on to XP... The screen to choose which account to go into comes up, and it logs on to the account. Then the desktop wallpaper just shows up, and that's it. Then I go to the Task Manager and check the processes, and every time there are new things running that I know I didn't put on there.

Here are some of them (I would put a screenshot but I can't get into XP :-/):

ntye32.exe

javahl.exe

ipvj32.exe

netcm32.exe

apixk.exe

iexy32.exe

apinzs.exe

ieed32.exe

crxf.exe

mswy.exe

netvx32.exe

javaki32.exe


Hi,

Your log is clean now ... good job!

 

Well, by looking at that list of files it looks like the XP is infected with a version of CWS.

Several of the files you list match the same ones in this log here

 

1) Are you dual-booting 2k & XP?

2) If so, can you view the XP files from 2K?

3) Can you get XP to start in Safe Mode? (see "How To" below)

 

If you can get into Safe Mode, run HijackThis from there

 

Download HijackThis! 1.98

Edited by WinHelp2002


1) Yes, I have a dual-boot with 2k and XP

2) Yes, the XP files are on the E: partition on my computer

3) Yes, and I ran HijackThis

 

Logfile of HijackThis v1.98.0

Scan saved at 6:01:00 PM, on 7/16/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

E:\WINDOWS1\System32\smss.exe

E:\WINDOWS1\system32\winlogon.exe

E:\WINDOWS1\system32\services.exe

E:\WINDOWS1\system32\lsass.exe

E:\WINDOWS1\system32\svchost.exe

E:\WINDOWS1\system32\svchost.exe

E:\Program Files\Common Files\Stardock\SDMCP.exe

E:\WINDOWS1\Explorer.EXE

D:\Shabih\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\ayygn.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayygn.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ayygn.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS1\ayygn.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\ayygn.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayygn.dll/index.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {27C21F83-683C-675C-3EAF-DB7FF6EDC4F8} - E:\WINDOWS1\system32\crhw32.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS1\System32\msdxm.ocx

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [mfcup.exe] E:\WINDOWS1\system32\mfcup.exe

O4 - HKLM\..\Run: [Configuration Loader] zonealarm.exe

O4 - HKLM\..\Run: [Microsoft Update Machine] xnfphfg.exe

O4 - HKLM\..\Run: [WhenUSave] "E:\Program Files\Save\Save.exe"

O4 - HKLM\..\Run: [WhenUSearch] "E:\Program Files\WhenUSearch\Search.exe"

O4 - HKLM\..\Run: [bDMCon] E:\Program Files\BullGuard\\bdmcon.exe

O4 - HKLM\..\Run: [bGNewsAgent] e:\program files\bullguard\bgnewsag.exe

O4 - HKLM\..\RunServices: [Configuration Loader] zonealarm.exe

O4 - HKLM\..\RunServices: [Microsoft Update Machine] xnfphfg.exe

O4 - HKLM\..\RunOnce: [d3qr32.exe] E:\WINDOWS1\d3qr32.exe

O4 - HKLM\..\RunOnce: [syswu32.exe] E:\WINDOWS1\system32\syswu32.exe

O4 - HKLM\..\RunOnce: [ntcg.exe] E:\WINDOWS1\system32\ntcg.exe

O4 - HKLM\..\RunOnce: [ntca.exe] E:\WINDOWS1\system32\ntca.exe

O4 - HKLM\..\RunOnce: [d3tt.exe] E:\WINDOWS1\d3tt.exe

O4 - HKLM\..\RunOnce: [sysri.exe] E:\WINDOWS1\sysri.exe

O4 - HKLM\..\RunOnce: [msjy.exe] E:\WINDOWS1\msjy.exe

O4 - HKLM\..\RunOnce: [javavy.exe] E:\WINDOWS1\javavy.exe

O4 - HKLM\..\RunOnce: [d3gw.exe] E:\WINDOWS1\d3gw.exe

O4 - HKLM\..\RunOnce: [apirl32.exe] E:\WINDOWS1\apirl32.exe

O4 - HKLM\..\RunOnce: [addqw.exe] E:\WINDOWS1\system32\addqw.exe

O4 - HKLM\..\RunOnce: [addet.exe] E:\WINDOWS1\addet.exe

O4 - HKLM\..\RunOnce: [winjf.exe] E:\WINDOWS1\system32\winjf.exe

O4 - HKLM\..\RunOnce: [ipxr.exe] E:\WINDOWS1\ipxr.exe

O4 - HKLM\..\RunOnce: [winpf.exe] E:\WINDOWS1\winpf.exe

O4 - HKLM\..\RunOnce: [javafd.exe] E:\WINDOWS1\system32\javafd.exe

O4 - HKLM\..\RunOnce: [atlgo.exe] E:\WINDOWS1\system32\atlgo.exe

O4 - HKLM\..\RunOnce: [ievz32.exe] E:\WINDOWS1\system32\ievz32.exe

O4 - HKLM\..\RunOnce: [ipvj32.exe] E:\WINDOWS1\ipvj32.exe

O4 - HKLM\..\RunOnce: [javahl.exe] E:\WINDOWS1\javahl.exe

O4 - HKLM\..\RunOnce: [crxp32.exe] E:\WINDOWS1\system32\crxp32.exe

O4 - HKLM\..\RunOnce: [netcm32.exe] E:\WINDOWS1\system32\netcm32.exe

O4 - HKLM\..\RunOnce: [ntye32.exe] E:\WINDOWS1\system32\ntye32.exe

O4 - HKLM\..\RunOnce: [javaol32.exe] E:\WINDOWS1\javaol32.exe

O4 - HKLM\..\RunOnce: [ipsn32.exe] E:\WINDOWS1\system32\ipsn32.exe

O4 - HKLM\..\RunOnce: [netdy32.exe] E:\WINDOWS1\system32\netdy32.exe

O4 - HKLM\..\RunOnce: [sdkrz32.exe] E:\WINDOWS1\system32\sdkrz32.exe

O4 - HKLM\..\RunOnce: [mfcdd32.exe] E:\WINDOWS1\mfcdd32.exe

O4 - HKLM\..\RunOnce: [apixk.exe] E:\WINDOWS1\apixk.exe

O4 - HKLM\..\RunOnce: [appry.exe] E:\WINDOWS1\system32\appry.exe

O4 - HKLM\..\RunOnce: [mskr32.exe] E:\WINDOWS1\system32\mskr32.exe

O4 - HKLM\..\RunOnce: [iexy32.exe] E:\WINDOWS1\system32\iexy32.exe

O4 - HKLM\..\RunOnce: [apinz.exe] E:\WINDOWS1\apinz.exe

O4 - HKLM\..\RunOnce: [ieed32.exe] E:\WINDOWS1\system32\ieed32.exe

O4 - HKLM\..\RunOnce: [crxf.exe] E:\WINDOWS1\crxf.exe

O4 - HKLM\..\RunOnce: [atlmq.exe] E:\WINDOWS1\system32\atlmq.exe

O4 - HKLM\..\RunOnce: [mswy.exe] E:\WINDOWS1\mswy.exe

O4 - HKLM\..\RunOnce: [netvx32.exe] E:\WINDOWS1\system32\netvx32.exe

O4 - HKLM\..\RunOnce: [msgw32.exe] E:\WINDOWS1\msgw32.exe

O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Extreme Messenger for AIM] D:\Extreme Messenger\ExtremeMessenger.exe nosplash

O4 - HKCU\..\Run: [Microsoft Update Machine] xnfphfg.exe

O4 - HKCU\..\Run: [Configuration Loader] zonealarm.exe

O4 - HKCU\..\Run: [Ruon] E:\Documents and Settings\Shabih\Application Data\ibma.exe

O4 - HKCU\..\Run: [uisguus] E:\WINDOWS1\System32\vaihhix.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS1\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS1\web\related.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...lim/install.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - E:\WINDOWS1\msopt.dll

O20 - AppInit_DLLs: sockspy.dll

O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - E:\Program Files\Common Files\Stardock\MCPCore.dll

 

Guess the log doesn't look so clean now.


Hi,

Just as I figured ... you have several trojans, some adware and CWS!

 

I assume that log was from Safe Mode?

 

Note: there are no automated removal tools for CWS, the best method is to use System Restore to "restore" the machine to a Date prior to the CWS infection.

 

To do this, locate the following file:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\ayygn.dll/sp.html#28129

 

Right-click and select: Properties = "Date created"

Run System Restore and select a Date prior to the "Date created"

 

To start System Restore = Start > Help

[or]

How to start the System Restore tool at a command prompt in Windows XP

http://support.microsoft.com/?kbid=304449

 

[otherwise]

Reconfigure Ad-Aware to scan "E:\" only ...

Settings | "Click here to select drives and folders"

 

After the above rescan with HijackThis and post a fresh log ...

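Added example (not part of this thread, and not code from HijackThis or from either poster): a small Python script that turns the patterns the helper used when picking entries out of the logs above into explicit rules, and runs them over lines taken from the logs posted in this thread. Entries marked "(file missing)" or "(no file)", search settings that point at an unfamiliar host or a res:// DLL, Run keys that launch a bare exe name, executables dropped straight into the Windows folder, RunOnce keys named after their own exe, keys under System32 or Application Data whose name has nothing to do with the file, and DPF downloads from unfamiliar hosts each get a rule. The allow-lists and the rule names are assumptions made for the example, not a vetted reference. It also cross-references a list of process names, like the one posted from Task Manager, against the O4 entries that launch them, which is the comparison the helper did by eye.

```python
"""Rule-based triage of HijackThis log lines (added example; not HijackThis code).

Output is a list of candidates for a person to review, not a verdict.
"""
import re
from typing import Dict, List

# Assumed allow-lists (hypothetical; real triage needs a maintained reference).
TRUSTED_HOSTS = {"google.com", "microsoft.com", "apple.com", "macromedia.com",
                 "akamai.net", "ebayimg.com", "yahoo.com"}
TRUSTED_BARE_EXES = {"mobsync.exe", "loadqm.exe", "rundll32.exe"}

R_LINE = re.compile(r"^R[0-3] - .*? = (.*)$")            # R0/R1 value after " = "
O4_LINE = re.compile(r"^O4 - \S+: \[(.*?)\] (.*)$")      # key name, command line
O16_LINE = re.compile(r"^O16 - DPF: .* - (\S+)$")        # download URL


def host_of(url: str) -> str:
    """Host part of a URL; tolerates the scheme-less values HijackThis shows."""
    rest = re.sub(r"^[a-z]+://", "", url.strip(), flags=re.I)
    return rest.split("/", 1)[0].lower()


def trusted_host(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def first_token(command: str) -> str:
    """Executable from a Run-key command line; handles quoted and unquoted paths with spaces."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def norm(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower())


def triage_line(line: str) -> List[str]:
    """Names of the rules this log line trips; an empty list means nothing notable."""
    hits: List[str] = []
    if "(file missing)" in line or "(no file)" in line:
        hits.append("orphan")
    m = R_LINE.match(line)
    if m:
        value = m.group(1)
        if value.lower().startswith("res://") or not trusted_host(host_of(value)):
            hits.append("search-hijack")
    m = O4_LINE.match(line)
    if m:
        key, exe = m.group(1), first_token(m.group(2))
        parts = exe.split("\\")
        name = parts[-1].lower()                 # e.g. "ynoxtr.exe"
        stem = norm(name.rsplit(".", 1)[0])      # e.g. "ynoxtr"
        if len(parts) == 1 and name not in TRUSTED_BARE_EXES:
            hits.append("bare-exe")              # no path: resolved via PATH at logon
        if len(parts) == 3 and parts[1].upper().startswith("WIN"):
            hits.append("windows-root")          # X:\WINNT\foo.exe, X:\WINDOWS1\foo.exe
        if key.lower() == name:
            hits.append("self-named-key")        # [d3qr32.exe] ... d3qr32.exe
        in_system32 = len(parts) > 3 and parts[2].lower() == "system32"
        in_appdata = "application data" in exe.lower()
        unrelated = stem not in norm(key) and norm(key) not in stem
        if (in_system32 or in_appdata) and unrelated:
            hits.append("unrelated-key")         # [qwqkeatv] ...\System32\ynoxtr.exe
    m = O16_LINE.match(line)
    if m and not trusted_host(host_of(m.group(1))):
        hits.append("untrusted-dpf")
    return hits


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged line of a HijackThis log to the rules it tripped."""
    result: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        hits = triage_line(line)
        if hits:
            result[line] = hits
    return result


def cross_reference(process_names: List[str], log_text: str) -> Dict[str, str]:
    """Match process names seen in Task Manager to the O4 entries that launch them."""
    launched: Dict[str, str] = {}
    for raw in log_text.splitlines():
        m = O4_LINE.match(raw.strip())
        if m:
            launched[first_token(m.group(2)).split("\\")[-1].lower()] = raw.strip()
    return {p: launched[p.lower()] for p in process_names if p.lower() in launched}


# Sample input: lines taken from the logs posted in this thread (not a complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\ayygn.dll/sp.html#28129
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WindowsUpd] C:\WINNT\WindowsUpd1.exe
O4 - HKLM\..\Run: [iE Loader] nsc32.exe
O4 - HKLM\..\Run: [qwqkeatv] C:\WINNT\System32\ynoxtr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [ntye32.exe] E:\WINDOWS1\system32\ntye32.exe
O4 - HKLM\..\RunOnce: [javahl.exe] E:\WINDOWS1\javahl.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
"""

if __name__ == "__main__":
    for line, rules in triage(SAMPLE_LOG).items():
        print(", ".join(rules).ljust(28), line)
    print(cross_reference(["ntye32.exe", "javahl.exe", "ipvj32.exe"], SAMPLE_LOG))
```

Run it as-is and it prints eleven flagged lines from the sample, leaving the Google, NeroCheck, QuickTime and Synchronization Manager entries alone. The rules are deliberately simple and produce a review list, not a diagnosis: the bare-exe rule, for instance, would also surface the "Symantec Security Routine Addon" navpaw.exe entry that the helper left untouched, and it is the human comparison against known-good entries, as done in this thread, that decides.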

I'd rather do the System Restore as a last resort, because the file was created June 16th. So I ran Ad-Aware on the E: drive and it fixed some stuff, but XP still won't get past the desktop wallpaper. Here's the log I got in Safe Mode on XP after running Ad-Aware.

 

Logfile of HijackThis v1.98.0

Scan saved at 2:30:08 PM, on 7/22/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

E:\WINDOWS1\System32\smss.exe

E:\WINDOWS1\system32\winlogon.exe

E:\WINDOWS1\system32\services.exe

E:\WINDOWS1\system32\lsass.exe

E:\WINDOWS1\system32\svchost.exe

E:\WINDOWS1\system32\svchost.exe

E:\Program Files\Common Files\Stardock\SDMCP.exe

E:\WINDOWS1\Explorer.EXE

D:\Shabih\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\ayygn.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayygn.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ayygn.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS1\ayygn.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\ayygn.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ayygn.dll/index.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {36CC7432-49FC-4CA0-A19B-542646CAFF53} - E:\WINDOWS1\system32\mfcga.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS1\System32\msdxm.ocx

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [mfcup.exe] E:\WINDOWS1\system32\mfcup.exe

O4 - HKLM\..\Run: [Configuration Loader] zonealarm.exe

O4 - HKLM\..\Run: [Microsoft Update Machine] xnfphfg.exe

O4 - HKLM\..\Run: [WhenUSave] "E:\Program Files\Save\Save.exe"

O4 - HKLM\..\Run: [WhenUSearch] "E:\Program Files\WhenUSearch\Search.exe"

O4 - HKLM\..\Run: [bDMCon] E:\Program Files\BullGuard\\bdmcon.exe

O4 - HKLM\..\Run: [bGNewsAgent] e:\program files\bullguard\bgnewsag.exe

O4 - HKLM\..\RunServices: [Configuration Loader] zonealarm.exe

O4 - HKLM\..\RunServices: [Microsoft Update Machine] xnfphfg.exe

O4 - HKLM\..\RunOnce: [javavy.exe] E:\WINDOWS1\javavy.exe

O4 - HKLM\..\RunOnce: [d3gw.exe] E:\WINDOWS1\d3gw.exe

O4 - HKLM\..\RunOnce: [apirl32.exe] E:\WINDOWS1\apirl32.exe

O4 - HKLM\..\RunOnce: [addqw.exe] E:\WINDOWS1\system32\addqw.exe

O4 - HKLM\..\RunOnce: [addet.exe] E:\WINDOWS1\addet.exe

O4 - HKLM\..\RunOnce: [winjf.exe] E:\WINDOWS1\system32\winjf.exe

O4 - HKLM\..\RunOnce: [ipxr.exe] E:\WINDOWS1\ipxr.exe

O4 - HKLM\..\RunOnce: [winpf.exe] E:\WINDOWS1\winpf.exe

O4 - HKLM\..\RunOnce: [javafd.exe] E:\WINDOWS1\system32\javafd.exe

O4 - HKLM\..\RunOnce: [atlgo.exe] E:\WINDOWS1\system32\atlgo.exe

O4 - HKLM\..\RunOnce: [ievz32.exe] E:\WINDOWS1\system32\ievz32.exe

O4 - HKLM\..\RunOnce: [ipvj32.exe] E:\WINDOWS1\ipvj32.exe

O4 - HKLM\..\RunOnce: [javahl.exe] E:\WINDOWS1\javahl.exe

O4 - HKLM\..\RunOnce: [crxp32.exe] E:\WINDOWS1\system32\crxp32.exe

O4 - HKLM\..\RunOnce: [netcm32.exe] E:\WINDOWS1\system32\netcm32.exe

O4 - HKLM\..\RunOnce: [ntye32.exe] E:\WINDOWS1\system32\ntye32.exe

O4 - HKLM\..\RunOnce: [javaol32.exe] E:\WINDOWS1\javaol32.exe

O4 - HKLM\..\RunOnce: [ipsn32.exe] E:\WINDOWS1\system32\ipsn32.exe

O4 - HKLM\..\RunOnce: [netdy32.exe] E:\WINDOWS1\system32\netdy32.exe

O4 - HKLM\..\RunOnce: [sdkrz32.exe] E:\WINDOWS1\system32\sdkrz32.exe

O4 - HKLM\..\RunOnce: [mfcdd32.exe] E:\WINDOWS1\mfcdd32.exe

O4 - HKLM\..\RunOnce: [apixk.exe] E:\WINDOWS1\apixk.exe

O4 - HKLM\..\RunOnce: [appry.exe] E:\WINDOWS1\system32\appry.exe

O4 - HKLM\..\RunOnce: [mskr32.exe] E:\WINDOWS1\system32\mskr32.exe

O4 - HKLM\..\RunOnce: [iexy32.exe] E:\WINDOWS1\system32\iexy32.exe

O4 - HKLM\..\RunOnce: [apinz.exe] E:\WINDOWS1\apinz.exe

O4 - HKLM\..\RunOnce: [ieed32.exe] E:\WINDOWS1\system32\ieed32.exe

O4 - HKLM\..\RunOnce: [crxf.exe] E:\WINDOWS1\crxf.exe

O4 - HKLM\..\RunOnce: [atlmq.exe] E:\WINDOWS1\system32\atlmq.exe

O4 - HKLM\..\RunOnce: [mswy.exe] E:\WINDOWS1\mswy.exe

O4 - HKLM\..\RunOnce: [netvx32.exe] E:\WINDOWS1\system32\netvx32.exe

O4 - HKLM\..\RunOnce: [msgw32.exe] E:\WINDOWS1\msgw32.exe

O4 - HKLM\..\RunOnce: [d3qr32.exe] E:\WINDOWS1\d3qr32.exe

O4 - HKLM\..\RunOnce: [syswu32.exe] E:\WINDOWS1\system32\syswu32.exe

O4 - HKLM\..\RunOnce: [ntcg.exe] E:\WINDOWS1\system32\ntcg.exe

O4 - HKLM\..\RunOnce: [ntca.exe] E:\WINDOWS1\system32\ntca.exe

O4 - HKLM\..\RunOnce: [d3tt.exe] E:\WINDOWS1\d3tt.exe

O4 - HKLM\..\RunOnce: [sysri.exe] E:\WINDOWS1\sysri.exe

O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Extreme Messenger for AIM] D:\Extreme Messenger\ExtremeMessenger.exe nosplash

O4 - HKCU\..\Run: [Microsoft Update Machine] xnfphfg.exe

O4 - HKCU\..\Run: [Configuration Loader] zonealarm.exe

O4 - HKCU\..\Run: [Ruon] E:\Documents and Settings\Shabih\Application Data\ibma.exe

O4 - HKCU\..\Run: [uisguus] E:\WINDOWS1\System32\vaihhix.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS1\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS1\web\related.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...lim/install.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - E:\WINDOWS1\msopt.dll

O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - E:\Program Files\Common Files\Stardock\MCPCore.dll


Hi,

You can use this link as a guide, read it entirely before proceeding.

http://forums.spywareinfo.com/index.php?showtopic=12609

 

Download: About:Buster 1.30

http://www.majorgeeks.com/download4289.html

Follow the instructions on the page ...

 

Download CWShredder v1.59.1

Run CWShredder after running "About:Buster"

 

Then while still in Safe Mode run Ad-Aware again.

 

 

Next: run an online scan at: Trend Micro HouseCall

http://housecall.antivirus.com/pc_housecall/

 

After the above rescan with HijackThis and post a fresh log.


Thank you sooooooooooo much! I'm back on XP and it's running perfectly. Here's the latest HJT log.

 

Logfile of HijackThis v1.98.0

Scan saved at 6:36:19 PM, on 7/22/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

E:\WINDOWS1\System32\smss.exe

E:\WINDOWS1\system32\winlogon.exe

E:\WINDOWS1\system32\services.exe

E:\WINDOWS1\system32\lsass.exe

E:\WINDOWS1\system32\svchost.exe

E:\WINDOWS1\System32\svchost.exe

E:\WINDOWS1\system32\spoolsv.exe

E:\Program Files\Common Files\Stardock\SDMCP.exe

E:\WINDOWS1\Explorer.EXE

E:\Program Files\QuickTime\qttask.exe

E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

E:\Program Files\Common Files\Real\Update_OB\realsched.exe

E:\program files\bullguard\bgnewsag.exe

E:\Program Files\Messenger\msmsgs.exe

D:\AIM\aim.exe

E:\WINDOWS1\System32\svchost.exe

E:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe

E:\WINDOWS1\system32\crxp32.exe

E:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe

E:\Program Files\BullGuard\vsserv.exe

D:\Mozilla\Mozilla Firefox\firefox.exe

D:\Shabih\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {27C21F83-683C-675C-3EAF-DB7FF6EDC4F8} - E:\WINDOWS1\system32\crhw32.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS1\System32\msdxm.ocx

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [bDMCon] E:\Program Files\BullGuard\\bdmcon.exe

O4 - HKLM\..\Run: [bGNewsAgent] e:\program files\bullguard\bgnewsag.exe

O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Extreme Messenger for AIM] D:\Extreme Messenger\ExtremeMessenger.exe nosplash

O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...lim/install.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{CD7E44D5-1822-4F36-A943-501EA5521733}: NameServer = 199.45.32.43 199.45.32.38

O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - E:\Program Files\Common Files\Stardock\MCPCore.dll


Hi,

Your log looks clean now ... good job!

 

Just one minor item ...

 

Have HijackThis fix the following:

 

R3 - Default URLSearchHook is missing

 

Then reboot. On restart, go to Control Panel | Internet Options | Programs [tab].

Click the "Reset web settings" button, then click Apply\Ok.

 

Now ... one of the reasons you got hijacked ...

 

Important! Your system is severely out of date!

Visit Windows Update and install all the "Critical Updates".

 

I would suggest adding some "Defense" to your system ...

How To: Prevent this from happening again? :wave:


I'm baaaaaaack... After I leave my computer on for a few hours it starts getting slow again, and I have to keep going into HJT and fixing things to get it back to normal speed. Here's my latest log, before fixing the stuff.

 

Logfile of HijackThis v1.98.0

Scan saved at 9:19:41 PM, on 7/19/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

E:\WINDOWS1\System32\smss.exe

E:\WINDOWS1\system32\winlogon.exe

E:\WINDOWS1\system32\services.exe

E:\WINDOWS1\system32\lsass.exe

E:\WINDOWS1\system32\svchost.exe

E:\WINDOWS1\System32\svchost.exe

E:\WINDOWS1\system32\spoolsv.exe

E:\Program Files\Common Files\Stardock\SDMCP.exe

E:\WINDOWS1\System32\svchost.exe

E:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe

E:\WINDOWS1\system32\crxp32.exe

E:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe

E:\Program Files\QuickTime\qttask.exe

E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

E:\Program Files\Common Files\Real\Update_OB\realsched.exe

E:\Program Files\BullGuard\bgnewsag.exe

E:\WINDOWS1\system32\crhw32.exe

D:\AIM\aim.exe

E:\Program Files\MSN Messenger\msnmsgr.exe

E:\WINDOWS1\system32\winlogon.exe

D:\mIRC\mirc.exe

E:\WINDOWS1\explorer.exe

E:\Program Files\BullGuard\bdmcon.exe

E:\Program Files\BullGuard\vsserv.exe

E:\WINDOWS1\system32\winlogon.exe

E:\WINDOWS1\system32\winlogon.exe

D:\shabih\hijackthis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\qvakd.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qvakd.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qvakd.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://E:\WINDOWS1\qvakd.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://E:\WINDOWS1\qvakd.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qvakd.dll/index.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0BC171EC-69B1-8323-283F-055923F172A8} - E:\WINDOWS1\mfcqy32.dll

O2 - BHO: (no name) - {27C21F83-683C-675C-3EAF-DB7FF6EDC4F8} - E:\WINDOWS1\system32\crhw32.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {DFBFEE67-D1F0-4CB0-DEB2-7F4A2C8A823E} - E:\WINDOWS1\atlwh32.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [bDMCon] E:\Program Files\BullGuard\\bdmcon.exe

O4 - HKLM\..\Run: [bGNewsAgent] E:\Program Files\BullGuard\bgnewsag.exe

O4 - HKLM\..\Run: [crhw32.exe] E:\WINDOWS1\system32\crhw32.exe

O4 - HKCU\..\Run: [AIM] D:\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{CD7E44D5-1822-4F36-A943-501EA5521733}: NameServer = 199.45.32.43 199.45.32.38

 

-_-

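As an added illustration (it is not part of any post in this thread and not HijackThis's own code), the Python script below runs a few defensive heuristics over HijackThis-style lines like the ones posted above: autorun values that are a bare file name with no directory (Windows resolves those through the search path, which hides where the binary really lives), a persistent burst of HKLM\..\RunOnce entries (that key is supposed to empty itself after each boot), programs started from a user's Application Data folder, IE start and search pages served out of a DLL via res://, and browser helper objects with no name. The sample lines are copied from the logs in this thread; the RunOnce threshold of 5 and the rundll32.exe allow-list are assumptions chosen for the example.

```python
"""Triage HijackThis-style log lines for autorun and hijack red flags.

Added example for this thread; not HijackThis code and not from any post.
The rules are modelled on the entries visible in the logs above.
"""
import re

# Matches "O4 - HKLM\..\Run: [label] command" for Run, RunServices and RunOnce.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Matches the R0/R1 Internet Explorer start and search page lines.
R_RE = re.compile(
    r"^R[013] - .*(?:Start Page|Search Page|Default_Page_URL|Default_Search_URL|Search Bar) = (?P<url>\S+)"
)
# Matches "O2 - BHO: name - {CLSID} - path".
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")

RUNONCE_BURST = 5                # assumed threshold: more persistent RunOnce entries than this is a flag
BARE_OK = {"rundll32.exe"}       # assumed allow-list: a system launcher that often appears unpathed

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\RunServices: [Configuration Loader] zonealarm.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] xnfphfg.exe
O4 - HKLM\..\RunOnce: [javavy.exe] E:\WINDOWS1\javavy.exe
O4 - HKLM\..\RunOnce: [d3gw.exe] E:\WINDOWS1\d3gw.exe
O4 - HKLM\..\RunOnce: [apirl32.exe] E:\WINDOWS1\apirl32.exe
O4 - HKLM\..\RunOnce: [addqw.exe] E:\WINDOWS1\system32\addqw.exe
O4 - HKLM\..\RunOnce: [addet.exe] E:\WINDOWS1\addet.exe
O4 - HKLM\..\RunOnce: [winjf.exe] E:\WINDOWS1\system32\winjf.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ruon] E:\Documents and Settings\Shabih\Application Data\ibma.exe
O4 - HKCU\..\Run: [uisguus] E:\WINDOWS1\System32\vaihhix.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qvakd.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O2 - BHO: (no name) - {27C21F83-683C-675C-3EAF-DB7FF6EDC4F8} - E:\WINDOWS1\system32\crhw32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
"""


def exe_of(cmd: str) -> str:
    """Return the executable part of an autorun command (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(lines):
    """Return a list of (line, rule-tag) findings for the suspicious lines."""
    findings = []
    runonce = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            exe = exe_of(m["cmd"])
            if "\\" not in exe and exe.lower() not in BARE_OK:
                findings.append((line, "bare-name"))        # resolved via the search path
            if "\\application data\\" in m["cmd"].lower():
                findings.append((line, "appdata"))          # started from a user profile folder
            if m["key"].lower() == "runonce":
                runonce.append(line)
            continue
        m = R_RE.match(line)
        if m and m["url"].lower().startswith("res://"):
            findings.append((line, "res-url"))              # IE page served out of a DLL resource
            continue
        m = O2_RE.match(line)
        if m and m["name"].strip().lower() == "(no name)":
            findings.append((line, "unnamed-bho"))
    # RunOnce is consumed at boot; a standing list this long means something keeps rewriting it.
    if len(runonce) > RUNONCE_BURST:
        findings.extend((line, "runonce-burst") for line in runonce)
    return findings


if __name__ == "__main__":
    for line, tag in triage(SAMPLE_LOG.splitlines()):
        print(f"{tag:14} | {line}")
```

It is a first pass, not a verdict: an entry such as [uisguus] E:\WINDOWS1\System32\vaihhix.exe has a full path and passes every rule above, which is why the helpers in this thread still compare each entry against known software rather than relying on patterns alone.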

Hi,

Since you failed to update your machine, you now have an infection that there is no automated removal for. Your best approach at this point is to use System Restore to revert your system back to a date prior to the infection.

 

Locate E:\WINDOWS1\qvakd.dll, look up its "Date created", then select a date in System Restore prior to that ...
