
Please check my log


This topic is locked
14 replies to this topic

#1 litlbiomouse (Full Member, 18 posts)

Posted 29 July 2004 - 10:21 PM

My computer recently got laggy and got tons of pop-ups even with a blocker. I ran adaware and spybot to get rid of some stuff, but my comp managed to install an online casino software and I've noticed other stuff that I didn't install. Please check and let me know if it's clean. Thank you!

Logfile of HijackThis v1.97.7
Scan saved at 10:42:54 PM, on 7/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM95\aim.exe
C:\VSTASCAN\vsaccess.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\tsmgr.exe
C:\Documents and Settings\Jen\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87E88080-4014-43F4-AAE4-125633453FD1} - C:\WINDOWS\System32\cxzrh.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [iunddvxqzhrdp] C:\WINDOWS\System32\nwsunvk.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [cxzrhc] C:\WINDOWS\System32\cxzrhc.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [_UnwiseDMO] cmd.exe /c del C:\WINDOWS\System32\ATPartners.dll
O4 - HKLM\..\RunOnce: [_UnwiseDMO_] cmd.exe /c del C:\WINDOWS\System32\im64.dll
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjss0_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.yaho...ts/y/pys1_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/ss0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.yaho...ts/y/yws0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...or6/cabs/SW.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.nor...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.c...e Installer.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7356.6833101852
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com...ActivexTest.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{445FBE16-0181-430A-A247-868CA57596A6}: NameServer = 216.107.0.3 216.107.0.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{445FBE16-0181-430A-A247-868CA57596A6}: NameServer = 216.107.0.3 216.107.0.23

#2 FZWG (Emeritus, 2,125 posts)

Posted 30 July 2004 - 11:34 AM

litlbiomouse,

Welcome to SWI!

There is a new version (1.98) of HijackThis which identifies more malware than its previous version!

Please update HijackThis by pressing its 'Config' button (lower right corner)
Then click: 'Misc. Tools' button (at the top).
Next press: 'Check for update online'
You should see version 1.98.0 available.
Download the new version.

If you have any problems getting the update, simply delete your old version of HijackThis and download the new version from the following link: http://www.spywarein.../downloads.html

Also, it shows that you are running HijackThis from a temporary location.
Create a folder in C:\, name it whatever you like, place the HijackThis.exe file in it, and run it from there. You will avoid the risk of accidentally deleting backups, and will know exactly where they are kept.

After updating HijackThis to v1.98, make sure all windows and browsers are closed before proceeding to scan.

Please post a new log.

There are times when everything is understood...then one regains consciousness!

#3 litlbiomouse (Full Member, 18 posts)

Posted 31 July 2004 - 07:24 PM

Ok. New HJT log. Please let me know if there's anything that shouldn't belong. Thank you!

Logfile of HijackThis v1.98.0
Scan saved at 8:23:47 PM, on 7/31/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\cvss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\keyword.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\ntvdm.exe
C:\VSTASCAN\vsaccess.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jen\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SDWin32 Class - {87E88080-4014-43F4-AAE4-125633453FD1} - C:\WINDOWS\System32\cxzrh.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [iunddvxqzhrdp] C:\WINDOWS\System32\nwsunvk.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [cxzrhc] C:\WINDOWS\System32\cxzrhc.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjss0_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/ss0_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.nor...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.c...e Installer.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com...ActivexTest.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{445FBE16-0181-430A-A247-868CA57596A6}: NameServer = 216.107.0.3 216.107.0.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{445FBE16-0181-430A-A247-868CA57596A6}: NameServer = 216.107.0.3 216.107.0.23

#4 FZWG (Emeritus, 2,125 posts)

Posted 31 July 2004 - 10:35 PM

Please proceed as follows:

You already have AdAware, but it is probably configured with its default settings.
[If you had it configured for a Full Scan, then just let me know, and skip what follows]

After using the: 'Check for Updates Now' option and downloading the latest reference files, configure Ad-aware for a Full Scan as follows:

Click on the Gear icon to access Settings
In the General window make sure the following are selected:
-Automatically save log-file
-Automatically quarantine objects prior to removal
-Safe Mode (always request confirmation)

Click on the Scanning button on the left and select :
Under Drives and Folders:
-Scan Within Archives
Under Memory and Registry:
-Scan Active Processes
-Scan Registry
-Deep Scan Registry
-Scan my IE favorites for banned URLs
-Scan my Hosts file

Under Click here to select drives and folders, choose all your hard drives

Click on the Advanced button on the left and select:
-Include additional process information
-Include additional file information
-Include environment information
-Include additional object details

Click the Tweak button and select:
Under the Scanning Engine:
-Unload recognized processes during scanning
-Include basic Ad-aware settings in logfile
-Include additional Ad-aware settings in logfile

Under the Cleaning Engine:
-Let Windows remove files in use at next reboot

Click: Proceed to save the settings.

Click: Start
On the next screen make sure: Activate in-depth Scan and Use Custom Scanning Options are selected

Click Next and Ad-aware scans your hard drive(s) with the options selected.

When finished, right-click the window with all the entries, choose: Select All from the drop menu, and click Next.
Once AdAware has removed all the items, close the program

Restart the computer.

Before using HijackThis again, it needs to go in its own folder. If it is on the Desktop as it is right now, you will have its backup files spread all over the place.
Don't think you want that.

Close all windows and browsers, run HijackThis again, and post a new log.

I'll be analyzing the 7/31/2004 log in the meantime, and there is more work to do.

#5 FZWG (Emeritus, 2,125 posts)

Posted 01 August 2004 - 07:56 PM

litlbiomouse,

Analyzed 7/31/2004 HijackThis Log.
A group of entries need to go.

Waiting on your running AdAware in Full Scan mode.
It might remove some items from your system.

Post a new HJT log and it will show.


#6 litlbiomouse (Full Member, 18 posts)

Posted 02 August 2004 - 04:03 PM

I did what you said and it found quite a few things. On start-up, I received an error message for 2 programs due to a missing file. The names of the programs looked like random letters stuck together. How does it look now? Another question, is there a good pop-up blocker out there that I can use to help minimize the amount that I get?



Logfile of HijackThis v1.98.0
Scan saved at 4:56:26 PM, on 8/2/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\cvss.exe
C:\WINDOWS\liceqmg.exe
C:\WINDOWS\rldmaoc..exe
C:\DOCUME~1\Jen\LOCALS~1\Temp\tb_setup.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\VSTASCAN\vsaccess.exe
C:\WINDOWS\System32\ezsys.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Documents and Settings\Jen\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - (no file)
O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: SDWin32 Class - {87E88080-4014-43F4-AAE4-125633453FD1} - C:\WINDOWS\System32\cxzrh.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [iunddvxqzhrdp] C:\WINDOWS\System32\nwsunvk.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [cxzrhc] C:\WINDOWS\System32\cxzrhc.exe
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\liceqmg.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\rldmaoc..exe
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3e3fc4.dll,EnableRunDLL32
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Jen\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\System32\ezsys.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjss0_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/ss0_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.nor...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.c...e Installer.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...iof5_3_16_0.cab

#7 FZWG (Emeritus, 2,125 posts)

Posted 02 August 2004 - 07:26 PM

litlbiomouse,

You have an assortment of bad stuff that does not seem to quit!
There are a lot of steps involved in getting rid of the stuff, but just take them one at a time. Print these instructions for easier reference.

Please, do create a folder for HijackThis.
Right now, you are running it from the Desktop:
C:\Documents and Settings\Jen\Desktop\HijackThis.exe
That is not good. If nothing else, create a folder on the Desktop and move it there.
HijackThis needs to have a safe location for its backups, just in case we need to use one of them!!!

Next, proceed as follows:

Disable System Restore:
-Click Start
-Right-click the My Computer icon, and select Properties
-Click the System Restore tab
-Check: Turn off System Restore
-Click: Apply
-When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
-Click OK.

Go to: Start>Control Panel>Administrative Tools>Services
-Look for a service called: WinTools for IE Service
-Double-click on this service to open it
-Click on the: Stop button
-Change the Startup type to: Disabled (Use the down arrow)
-Click: OK
Exit out of Services.
(If the service is not listed, just continue below.)

Now, right-click an empty area of the Taskbar (bar at bottom of the screen), and select: Task Manager
-In Task Manager, select the: Processes tab
-Double-click the: Image Name column header to alphabetically sort the processes
-Scroll through the list and look for: WtoolsA.exe, WToolsS.exe and WSup.exe.
(If you find the files, select one, and then click: End Process button. Do this for all three files)
-Exit the Task Manager.

Next, open a command prompt by clicking on: Start>Run and type in: cmd
-Click OK
-In the Open area, type in (or copy/paste) exactly the following:

regsvr32 /u /s "C:\Program Files\Toolbar\toolbar.dll"

(Quotation marks must be included)
-Press: Enter
-Type: Exit to close the command prompt window

Close all windows and browsers, and run HijackThis
Click on: Scan, place a check mark in the boxes for the entries that follow, and click on: Fix Checked.

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - (no file)
O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: SDWin32 Class - {87E88080-4014-43F4-AAE4-125633453FD1} - C:\WINDOWS\System32\cxzrh.dll

O4 - HKLM\..\Run: [iunddvxqzhrdp] C:\WINDOWS\System32\nwsunvk.exe
O4 - HKLM\..\Run: [cxzrhc] C:\WINDOWS\System32\cxzrhc.exe
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\liceqmg.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\rldmaoc..exe
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3e3fc4.dll,EnableRunDLL32
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Jen\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\System32\ezsys.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.c...e Installer.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...38/QDow_AS2.cab

Next, go to Start>Control Panel>Add/Remove Programs, look for any WinTools entries. Remove whatever you find.

Now, enable the viewing of Hidden files and Folders as follows:
-At your desktop, go to Start>My Computer
-Select the Tools menu and then Folder Options
-After the new window appears select the View tab
-Select: Display the contents of system folders
-Under the Hidden files and folders section select: Show hidden files and folders
-Remove the checkmark from Hide file extensions for known file types
-Remove the checkmark from Hide protected operating system files (Recommended)
-Press the Apply button
Click OK
The computer is configured to show all hidden files.

Then, reboot into Safe Mode as follows:
-Restart your computer.
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

Please search for and delete the following files (bold):

C:\WINDOWS\System32\nwsunvk.exe
C:\WINDOWS\System32\cxzrhc.exe
C:\WINDOWS\liceqmg.exe
C:\WINDOWS\rldmaoc..exe
C:\DOCUMENTS and Settings\Jen\Local Settings\Temp\tb_setup.exe
C:\WINDOWS\System32\ezsys.exe
C:\WINDOWS\System32\he3e3fc4.dll
C:\WINDOWS\System32\readdb40.dll
C:\WINDOWS\rldmaoc..exe <<--something beginning with this name

Search for and delete the following folders (bold):
C:\Program Files\Toolbar
C:\Program Files\Common Files\WinTools

Reboot, close all windows and browsers, and post a new HijackThis log for further review.

There is more work to do!!
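The sorting FZWG does by hand in the posts above (which BHOs and Run entries are orphaned, which point into Temp, which load a DLL through rundll32, and what appeared between the 7/31 and 8/2 logs) can be done as a first pass by a small script. The following Python is an added example for this thread; it is not code from the thread, from SpywareInfo, or from HijackThis itself. It parses the "Running processes" block and the R*/O* entries of a HijackThis log, flags entries on defender-side heuristics, and diffs two successive logs so that anything new since the last scan stands out. The heuristics (orphaned "(no file)" entries, paths under a Temp directory, rundll32 with the EnableRunDLL32 export, ActiveX downloads from a raw IP, custom O17 name servers, bare filenames with no path, and a short KNOWN_BAD list of names taken from this thread) are my own assumptions about what merits review, not HijackThis rules. The sample input is a constructed subset of the 7/31 and 8/2 logs posted above.

```python
import re

# Constructed sample input: subsets of the 7/31/2004 and 8/2/2004 logs from this thread.
LOG_0731 = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\keyword.exe
C:\Documents and Settings\Jen\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: SDWin32 Class - {87E88080-4014-43F4-AAE4-125633453FD1} - C:\WINDOWS\System32\cxzrh.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [cxzrhc] C:\WINDOWS\System32\cxzrhc.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{445FBE16-0181-430A-A247-868CA57596A6}: NameServer = 216.107.0.3 216.107.0.23
"""

LOG_0802 = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\liceqmg.exe
C:\DOCUME~1\Jen\LOCALS~1\Temp\tb_setup.exe
C:\Documents and Settings\Jen\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3e3fc4.dll,EnableRunDLL32
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Jen\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\System32\ezsys.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")          # "O4 - <body>"
TEMP_RE = re.compile(r"\\Temp\\", re.I)
RUNDLL_RE = re.compile(r"rundll32\.exe\s+\S+\.dll,EnableRunDLL32", re.I)
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")
# Assumption: adware names the helper identified in this thread (lower-cased).
KNOWN_BAD = ("wintools", "tv media", "ezsys.exe")


def parse_log(text):
    """Return (running_processes, [(section, body), ...]) for one HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:                       # first R*/O* line ends the process block
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def flag_entry(section, body):
    """Reasons one entry deserves a human look; an empty list means nothing tripped."""
    reasons, low = [], body.lower()
    if "(no file)" in low:
        reasons.append("orphaned: registered object has no file on disk")
    if TEMP_RE.search(body):
        reasons.append("points into a Temp directory")
    if RUNDLL_RE.search(body):
        reasons.append("rundll32 loading a DLL through EnableRunDLL32")
    if IP_URL_RE.search(body):
        reasons.append("ActiveX download from a raw IP address")
    if any(k in low for k in KNOWN_BAD):
        reasons.append("name matches adware removed earlier in this thread")
    if section == "O17":
        reasons.append("custom DNS server: confirm it belongs to the ISP")
    if section == "O4":
        target = body.split("] ", 1)[-1]     # text after "[name] "
        if "\\" not in target and not target.lower().startswith("rundll32"):
            reasons.append("bare filename, resolved via PATH: locate it first")
    return reasons


def triage(text):
    """Map each flagged entry line of a log to its list of reasons."""
    flagged = {}
    for section, body in parse_log(text)[1]:
        reasons = flag_entry(section, body)
        if reasons:
            flagged[f"{section} - {body}"] = reasons
    return flagged


def new_processes(old_text, new_text):
    """Processes in the newer log that were absent from the older one."""
    seen = {p.lower() for p in parse_log(old_text)[0]}
    return [p for p in parse_log(new_text)[0] if p.lower() not in seen]


if __name__ == "__main__":
    for line, why in triage(LOG_0802).items():
        print(line, "\n   ->", "; ".join(why))
    print("\nNew since previous log:", *new_processes(LOG_0731, LOG_0802), sep="\n  ")
```

The flags are a worklist, not a verdict: a random-named file such as cxzrh.dll trips none of these rules and still needs someone to check the file on disk, which is why the helper keeps asking for fresh logs rather than fixing from the first one. The process diff is the cheap check for reinfection between posts; on the sample input it surfaces the WinTools service, liceqmg.exe and the Temp-resident tb_setup.exe that appeared between the 7/31 and 8/2 scans.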

#8 litlbiomouse (Full Member, 18 posts)

Posted 03 August 2004 - 10:58 AM

Followed your instructions. How does it look now? The only thing I've really noticed is eZula keeps trying to install itself automatically. Here's the new log:


Logfile of HijackThis v1.98.0
Scan saved at 11:55:20 AM, on 8/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\cvss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\pmsbkup.exe
C:\WINDOWS\srchupdt.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\powdow.exe
C:\WINDOWS\system32\ntvdm.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\SysAI\SysAI.exe
C:\OPLIMIT\ocrawr32.exe
C:\Documents and Settings\Jen\Desktop\HJT\HijackThis.exe

O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll
O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [uF9R33g] pmsbkup.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ptusof] C:\WINDOWS\System32\nwsunvk.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [foq5RTMEP] powdow.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjss0_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/ss0_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.nor...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...iof5_3_16_0.cab

#9 FZWG (Emeritus, 2,125 posts)

Posted 03 August 2004 - 06:18 PM

litlbiomouse:

That computer is like a magnet rolling on metal shavings!!!
It can pick up the bad stuff faster than we can get rid of it.
The reason for this is that you are running an outdated and therefore vulnerable/unsafe version of Internet Explorer. You must obtain Internet Explorer 6.0 Service Pack 1, and any Critical Updates applicable to XP.

When you get done with the steps below, do not go surfing, and go straight to the following website:
http://v4.windowsupd.../en/default.asp
Use the Scan for Updates option, and download/install all the Critical Updates it offers.

The above is absolutely mandatory!!! All Critical Updates and Service Packs must be installed after applying the cleaning steps below, or the entire cleanup process is an exercise in futility.

Once again, you may want to copy this for easier reference.

Now, let’s sniff out some Trojans.

First, disable System Restore (Instructions provided on earlier post; it may still be disabled if you did not change those settings.)

Next, make sure Windows is set to show Hidden Files & Folders (Instructions provided on earlier post also. Still the same if you did not change those settings.)

-Download Trojan Hunter (Trial version) from here: http://www.misec.net/trojanhunter/
-Install the program, and update as instructed here: http://www.misec.net...unter/updating/

[Note: TrojanHunter 3.9 installs to C:\Program Files\TrojanHunter 3.9
Keep this in mind when updating its reference files.
If you need further guidance on this, let me know.]

Run TrojanHunter, and let it remove whatever it finds.
-If there is something that cannot be removed, please provide that info in your next post.
-Reboot when done.

Proceed to do an online virus scan from Trend-Micro: http://housecall.trendmicro.com/
-Check the option to Auto Clean when you run the scan.
-If the scan finds something, but cannot remove it, please supply that info in your next post.
-Reboot after the virus scan.

Now, make sure all windows and browsers are closed before proceeding to run HijackThis and scan. Fix the following by placing a check in the appropriate boxes and selecting the: ‘Fix Checked’ button:


O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll
O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll

O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [uF9R33g] pmsbkup.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [ptusof] C:\WINDOWS\System32\nwsunvk.exe
O4 - HKCU\..\Run: [foq5RTMEP] powdow.exe


Next, reboot into Safe Mode (Instructions provided on earlier post).

Go to Start>Control Panel>Add/Remove Programs, select the following, and click Remove:
TwainTech
POP!

Next, search for and delete the following Folder or Files:

Folder (bold):
C:\Program Files\AutoUpdate

Files (bold):
C:\WINDOWS\System32\li01f948.dll
C:\WINDOWS\srchfst.dll
C:\WINDOWS\System32\iel2cde8.dll
C:\WINDOWS\srchupdt.exe
C:\WINDOWS\alchem.exe
C:\WINDOWS\System32\nwsunvk.exe
pmsbkup.exe
powdow.exe

Still in Safe Mode go to C:\Windows\Temp folder.
Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of the Temp folder.

Next, go to C:\Documents and Settings\username\Local Settings\Temp folder.
Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of that Temp folder.

Finally, go to Control Panel>Internet Options.
On the General tab under: Temporary Internet Files, click: Delete Files
Place a check by: Delete Offline Content when the prompt appears, and click OK.
Next, click on the Programs tab, then click: Reset Web Settings button.
Click Apply, then OK.

Also, empty the Recycle Bin.

Reboot to Normal mode.

:alarm:
Now go straight to the following website:
http://v4.windowsupd.../en/default.asp
Use the Scan for Updates option, and download/install all the Critical Updates it offers.
:alarm:

When done with all of the above, close all windows and browsers, and post a fresh HijackThis log.

We are almost there, but not done yet.

Glad you are determined to get rid of all this stuff.

There are times when everything is understood...then one regains consciousness!

#10 litlbiomouse

litlbiomouse

    Member

  • Full Member
  • 18 posts

Posted 04 August 2004 - 11:08 PM

Wanted to let you know that I ran Trojan Hunter and Housecall. I didn't have any problems with them. I ran HJT and removed the files you suggested. Right now, I'm trying to update XP which is slow going thanks to a lot of critical updates and a slow dial-up. When they're all installed, I'll post my log. So far, though, I'm not experiencing any of the previous problems. Thanks again.

#11 FZWG

FZWG

    Chopper 1 - NTF

  • Emeritus
  • 2,125 posts

Posted 04 August 2004 - 11:13 PM

litlbiomouse,

Thanks for the update. :D

If you have dial-up, it will take a while to get the updates (know the feeling), but it is well worth the wait.

Post a new log when you are done.
There are still a few things to do, but nothing out of this world.
You have gone this far; might as well get the entire job done!!!

:keybrd:

There are times when everything is understood...then one regains consciousness!

#12 litlbiomouse

litlbiomouse

    Member

  • Full Member
  • 18 posts

Posted 06 August 2004 - 08:07 PM

Ok, I think I'm done updating XP and I ran HJT. How does it look??


Logfile of HijackThis v1.98.0
Scan saved at 9:03:56 PM, on 8/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cvss.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\ntvdm.exe
C:\VSTASCAN\vsaccess.exe
C:\OPLIMIT\ocrawr32.exe
C:\Documents and Settings\Jen\Desktop\HJT\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjss0_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/ss0_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.nor...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...iof5_3_16_0.cab
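An added example, not code from this thread or from HijackThis: a small Python script that parses O2 (BHO), O3 (toolbar) and O4 (Run) log lines and checks a fresh log, like the one just posted, against the entries FZWG flagged in post #9. It keys O2/O3 entries on their CLSID and O4 entries on the launched file rather than on the Run value name, since names like [uF9R33g] are randomized while the dropped file tends to persist; the embedded log lines are a constructed subset taken from this thread, with one flagged command deliberately left in the "new" log so the check has something to report.

```python
import re

# Constructed sample: a few entries from the fix list in post #9 and a few lines
# from the follow-up log in post #12, plus one flagged command (alchem.exe) under
# a different Run value name so still_present() has a hit to demonstrate.
FLAGGED = r"""
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll
O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - (no file)
O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [foq5RTMEP] powdow.exe
"""
NEW_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [xk3Q] C:\WINDOWS\alchem.exe
"""

# O2/O3 lines carry a CLSID and a DLL path; O4 lines carry a hive, a value name and a command.
RE_CLSID = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RE_RUN = re.compile(r"^(O4) - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

def parse_hjt(text):
    """Return (section, key, path) tuples: key is the upper-cased CLSID for O2/O3
    and the lower-cased launched command for O4 (the value name is ignored)."""
    out = []
    for line in text.splitlines():
        m = RE_CLSID.match(line)
        if m:
            out.append((m.group(1), m.group(3).upper(), m.group(4)))
            continue
        m = RE_RUN.match(line)
        if m:
            out.append((m.group(1), m.group(4).strip('"').lower(), m.group(4)))
    return out

def still_present(flagged_text, new_text):
    """Keys from the fix list that survive in the fresh log; these need a second pass."""
    new_keys = {key for _, key, _ in parse_hjt(new_text)}
    return sorted(key for _, key, _ in parse_hjt(flagged_text) if key in new_keys)

def orphaned(text):
    """O2/O3 registrations whose DLL is already gone ('(no file)'); dead entries worth clearing."""
    return [key for sec, key, path in parse_hjt(text) if sec in ("O2", "O3") and path == "(no file)"]

if __name__ == "__main__":
    print("still present:", still_present(FLAGGED, NEW_LOG))  # ['c:\\windows\\alchem.exe']
    print("orphaned:", orphaned(FLAGGED))
```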

#13 FZWG

FZWG

    Chopper 1 - NTF

  • Emeritus
  • 2,125 posts

Posted 07 August 2004 - 06:23 PM

litlbiomouse,

Outstanding!!!! :bounce: You did a great job!! :bounce: Good looking log!!

Now we can wrap up.

At one point you enabled the viewing of Hidden files and Folders as follows:
[Start>My Computer, select the Tools menu and then Folder Options, after the new window appears select the View tab…]
This time select the: Restore Defaults button
Select: Apply, and click OK

Next, since the system is now clean, use System Restore, and create a Restore Point
Turn System Restore back on
-On the Desktop, right-click My Computer
-Select: Properties
-Select the System Restore tab
-Check: Turn on System Restore
-Click: Apply, and then: OK

Now, create a Restore Point:
-Go to: Start>All Programs.
-Go to: Accessories>System Tools, and select: System Restore.
-In the System Restore wizard, select: Create a restore point
-Click the Next button.
-Type a description for the restore point, like: Clean Slate (or whatever you like)
Click Create

Restart the computer.

Consider mustering up your PC’s line of defense against malware. You already have an Anti-virus program. Make sure it is kept updated and run regularly.

An essential addition to XP is a firewall. (Believe Norton SystemWorks does not include one)

Zone Alarm has a free version:
http://www.zonelabs....reeDownload.jsp

Two other good choices are:
Sygate http://smb.sygate.co...cts/spf_pro.htm
Kerio http://www.kerio.com/us/kpf_home.html

It is a good idea to clean up Temporary Internet Files, Temporary Files, and the Recycle Bin.
Periodically use the Disk Cleanup utility in Windows XP, as follows:
-Click Start>Run
-In the Open box, key in: cleanmgr
-Click: OK
-Place a check next to the categories mentioned above
-Click OK
-Click: Yes to proceed with the action
-Reboot

Visit the Microsoft Windows Update regularly.
Information on XP's Automatic Update feature is found here: http://www.microsoft...xp/updates.aspx

An excellent reference in developing a plan of defense is Tony Klein’s 'How Did I Get Infected In The First Place' article:
http://forums.net-in...?showtopic=3051
Its information provides some useful tools and their links.

Adding to Tony’s excellent advice, Spybot Search and Destroy and AdAware are programs that you already have, and can use as part of your plan to counteract malware. Update the programs to obtain their latest reference files, and run them on a regular basis.

If you have any questions about any of the above, just post back.

Good luck! :wave:

There are times when everything is understood...then one regains consciousness!

#14 litlbiomouse

litlbiomouse

    Member

  • Full Member
  • 18 posts

Posted 08 August 2004 - 08:54 PM

Thank you again for your help. The computer's running a lot smoother. Thanks!!

#15 FZWG

FZWG

    Chopper 1 - NTF

  • Emeritus
  • 2,125 posts

Posted 08 August 2004 - 09:29 PM

:weee:

Thank you very much for your patience, and performing all the procedures requested.

Have a great week!!

There are times when everything is understood...then one regains consciousness!
