litlbiomouse

Please check my log

15 posts in this topic

My computer recently got laggy and got tons of pop-ups even with a blocker. I ran adaware and spybot to get rid of some stuff, but my comp managed to install online casino software and I've noticed other stuff that I didn't install. Please check and let me know if it's clean. Thank you!

 

Logfile of HijackThis v1.97.7

Scan saved at 10:42:54 PM, on 7/29/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\logonui.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AIM95\aim.exe

C:\VSTASCAN\vsaccess.exe

C:\OPLIMIT\ocrawr32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\System32\RUNDLL32.exe

C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\System32\tsmgr.exe

C:\Documents and Settings\Jen\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {87E88080-4014-43F4-AAE4-125633453FD1} - C:\WINDOWS\System32\cxzrh.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [iunddvxqzhrdp] C:\WINDOWS\System32\nwsunvk.exe

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [cxzrhc] C:\WINDOWS\System32\cxzrhc.exe

O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe

O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\RunOnce: [_UnwiseDMO] cmd.exe /c del C:\WINDOWS\System32\ATPartners.dll

O4 - HKLM\..\RunOnce: [_UnwiseDMO_] cmd.exe /c del C:\WINDOWS\System32\im64.dll

O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE

O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjss0_x.cab

O16 - DPF: Yahoo! Pyramids - http://download.yahoo.com/games/clients/y/pys1_x.cab

O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/ss0_x.cab

O16 - DPF: Yahoo! Towers 2.0 - http://download.yahoo.com/games/clients/y/yws0_x.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director6/cabs/SW.CAB

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedCont...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0723c2de85c1213d5e22/netzip/RdxIE2.cab

O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.com/download//223/Eyetide%20Installer.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7356.6833101852

O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{445FBE16-0181-430A-A247-868CA57596A6}: NameServer = 216.107.0.3 216.107.0.23

O17 - HKLM\System\CS1\Services\Tcpip\..\{445FBE16-0181-430A-A247-868CA57596A6}: NameServer = 216.107.0.3 216.107.0.23


litlbiomouse,

 

Welcome to SWI!

 

There is a new version (1.98) of HijackThis which identifies more malware than its predecessor.

 

Please update HijackThis by pressing its 'Config' button (lower right corner)

Then click: 'Misc. Tools' button (at the top).

Next press: 'Check for update online'

You should see version 1.98.0 available.

Download the new version.

 

If you have any problems getting the update, simply delete your old version of HijackThis and download the new version from the following link: http://www.spywareinfo.com/~merijn/downloads.html

 

Also, it shows that you are running HijackThis from a temporary location.

Create a folder in C:\, name it whatever you like, place the HijackThis.exe file in it, and run it from there. You will avoid the risk of accidentally deleting backups, and will know exactly where they are kept.

 

After updating HijackThis to v1.98, make sure all windows and browsers are closed before proceeding to scan.

 

Please post a new log.


Ok. New HJT log. Please let me know if there's anything that shouldn't belong. Thank you!

 

Logfile of HijackThis v1.98.0

Scan saved at 8:23:47 PM, on 7/31/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\cvss.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\pctspk.exe

C:\WINDOWS\System32\pctspk.exe

C:\WINDOWS\System32\keyword.exe

C:\Program Files\AIM95\aim.exe

C:\WINDOWS\system32\ntvdm.exe

C:\VSTASCAN\vsaccess.exe

C:\OPLIMIT\ocrawr32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Jen\Desktop\HijackThis.exe

 

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SDWin32 Class - {87E88080-4014-43F4-AAE4-125633453FD1} - C:\WINDOWS\System32\cxzrh.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [iunddvxqzhrdp] C:\WINDOWS\System32\nwsunvk.exe

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [cxzrhc] C:\WINDOWS\System32\cxzrhc.exe

O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\manage.exe

O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE

O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjss0_x.cab

O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/ss0_x.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedCont...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0723c2de85c1213d5e22/netzip/RdxIE2.cab

O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.com/download//223/Eyetide%20Installer.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab

O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivexTest.ocx

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{445FBE16-0181-430A-A247-868CA57596A6}: NameServer = 216.107.0.3 216.107.0.23

O17 - HKLM\System\CS1\Services\Tcpip\..\{445FBE16-0181-430A-A247-868CA57596A6}: NameServer = 216.107.0.3 216.107.0.23


Please proceed as follows:

 

You already have AdAware, but it is probably configured with its default settings.

[if you had it configured for a Full Scan, then just let me know, and skip what follows]

 

After using the: 'Check for Updates Now' option and downloading the latest reference files, configure Ad-aware for a Full Scan as follows:

 

Click on the Gear icon to access Settings

In the General window make sure the following are selected:

-Automatically save log-file

-Automatically quarantine objects prior to removal

-Safe Mode (always request confirmation)

 

Click on the Scanning button on the left and select :

Under Drives and Folders:

-Scan Within Archives

Under Memory and Registry:

-Scan Active Processes

-Scan Registry

-Deep Scan Registry

-Scan my IE favorites for banned URLs

-Scan my Hosts file

 

Under Click here to select drives and folders, choose all your hard drives

 

Click on the Advanced button on the left and select:

-Include additional process information

-Include additional file information

-Include environment information

-Include additional object details

 

Click the Tweak button and select:

Under the Scanning Engine:

-Unload recognized processes during scanning

-Include basic Ad-aware settings in logfile

-Include additional Ad-aware settings in logfile

 

Under the Cleaning Engine:

-Let Windows remove files in use at next reboot

 

Click: Proceed to save the settings.

 

Click: Start

On the next screen make sure: Activate in-depth Scan and Use Custom Scanning Options are selected

 

Click Next and Ad-aware scans your hard drive(s) with the options selected.

 

When finished, right-click the window with all the entries, choose: Select All from the drop menu, and click Next.

Once AdAware has removed all the items, close the program

 

Restart the computer.

 

Before using HijackThis again, it needs to go in its own folder. If it is on the Desktop as it is right now, you will have its backup files spread all over the place.

Don’t think you want that. :thumbsdown:

 

Close all windows and browsers, run HijackThis again, and post a new log.

 

I'll be analyzing the 7/31/2004 log in the meantime, and there is more work to do.


lilbiomouse,

 

Analyzed 7/31/2004 HijackThis Log.

A group of entries need to go.

 

Waiting on your running AdAware in Full Scan mode.

It might remove some items from your system.

 

Post a new HJT log and it will show.

 

:keybrd:


I did what you said and it found quite a few things. On start-up, I received an error message for 2 programs due to a missing file. The names of the programs looked like random letters stuck together. How does it look now? Another question, is there a good pop-up blocker out there that I can use to help minimize the amount that I get?

 

 

 

Logfile of HijackThis v1.98.0

Scan saved at 4:56:26 PM, on 8/2/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\WinTools\WToolsS.exe

C:\WINDOWS\System32\pctspk.exe

C:\WINDOWS\System32\cvss.exe

C:\WINDOWS\liceqmg.exe

C:\WINDOWS\rldmaoc..exe

C:\DOCUME~1\Jen\LOCALS~1\Temp\tb_setup.exe

C:\Program Files\Common Files\WinTools\WToolsA.exe

C:\Program Files\AIM95\aim.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\VSTASCAN\vsaccess.exe

C:\WINDOWS\System32\ezsys.exe

C:\OPLIMIT\ocrawr32.exe

C:\Program Files\Common Files\WinTools\WSup.exe

C:\Documents and Settings\Jen\Desktop\HijackThis.exe

 

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - (no file)

O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - (no file)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: SDWin32 Class - {87E88080-4014-43F4-AAE4-125633453FD1} - C:\WINDOWS\System32\cxzrh.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [iunddvxqzhrdp] C:\WINDOWS\System32\nwsunvk.exe

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [cxzrhc] C:\WINDOWS\System32\cxzrhc.exe

O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\liceqmg.exe

O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\rldmaoc..exe

O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3e3fc4.dll,EnableRunDLL32

O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32

O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Jen\LOCALS~1\Temp\tb_setup.exe /dcheck

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\System32\ezsys.exe

O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE

O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjss0_x.cab

O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/ss0_x.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedCont...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0723c2de85c1213d5e22/netzip/RdxIE2.cab

O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.com/download//223/Eyetide%20Installer.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....iof5_3_16_0.cab


lilbiomouse,

 

You have an assortment of bad stuff that does not seem to quit!

There are a lot of steps involved in getting rid of the stuff, but just take them one at a time. Print these instructions for easier reference.

 

Please, do create a folder for HijackThis.

Right now, you are running it from the Desktop:

C:\Documents and Settings\Jen\Desktop\HijackThis.exe

That is not good. If nothing else, create a folder on the Desktop and move it there.

HijackThis needs to have a safe location for its backups, just in case we need to use one of them!!!

 

Next, proceed as follows:

 

Disable System Restore:

-Click Start

-Right-click the My Computer icon, and select Properties

-Click the System Restore tab

-Check: Turn off System Restore

-Click: Apply

-When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.

-Click OK.

 

Go to: Start>Control Panel>Administrative Tools>Services

-Look for a service called: WinTools for IE Service

-Double-click on this service to open it

-Click on the: Stop button

-Change the Startup type to: Disabled (Use the down arrow)

-Click: OK

Exit out of Services.

(If the service is not listed, just continue below.)

 

Now, right-click an empty area of the Taskbar (bar at bottom of the screen), and select: Task Manager

-In Task Manager, select the: Processes tab

-Double-click the: Image Name column header to alphabetically sort the processes

-Scroll through the list and look for: WtoolsA.exe, WToolsS.exe and WSup.exe.

(If you find the files, select one, and then click: End Process button. Do this for all three files)

-Exit the Task Manager.

 

Next, open a command prompt by clicking on: Start>Run and type in: cmd

-Click OK

-In the Open area, type in (or copy/paste) exactly the following:

 

regsvr32 /u /s "C:\Program Files\Toolbar\toolbar.dll"

 

(Quotation marks must be included)

-Press: Enter

-Type: Exit to close the command prompt window

 

Close all windows and browsers, and run HijackThis

Click on: Scan, place a check mark in the boxes for the entries that follow, and click on: Fix Checked.

 

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

 

O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - (no file)

O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - (no file)

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: SDWin32 Class - {87E88080-4014-43F4-AAE4-125633453FD1} - C:\WINDOWS\System32\cxzrh.dll

 

O4 - HKLM\..\Run: [iunddvxqzhrdp] C:\WINDOWS\System32\nwsunvk.exe

O4 - HKLM\..\Run: [cxzrhc] C:\WINDOWS\System32\cxzrhc.exe

O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\liceqmg.exe

O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\rldmaoc..exe

O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3e3fc4.dll,EnableRunDLL32

O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32

O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Jen\LOCALS~1\Temp\tb_setup.exe /dcheck

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\System32\ezsys.exe

 

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0723c2de85c1213d5e22/netzip/RdxIE2.cab

O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.com/download//223/Eyetide%20Installer.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab

 

Next, go to Start>Control Panel>Add/Remove Programs, look for any WinTools entries. Remove whatever you find.

 

Now, enable the viewing of Hidden files and Folders as follows:

-At your desktop, go to Start>My Computer

-Select the Tools menu and then Folder Options

-After the new window appears select the View tab

-Select: Display the contents of system folders

-Under the Hidden files and folders section select: Show hidden files and folders

-Remove the checkmark from Hide file extensions for known file types

-Remove the checkmark from Hide protected operating system files (Recommended)

-Press the Apply button

Click OK

The computer is configured to show all hidden files.

 

Then, reboot into Safe Mode as follows:

-Restart your computer.

-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.

-Select the option for Safe Mode using the arrow keys.

-Press Enter to boot into Safe Mode.

 

Please search for and delete the following files:

 

C:\WINDOWS\System32\nwsunvk.exe

C:\WINDOWS\System32\cxzrhc.exe

C:\WINDOWS\liceqmg.exe

C:\WINDOWS\rldmaoc..exe

C:\DOCUMENTS and Settings\Jen\Local Settings\Temp\tb_setup.exe

C:\WINDOWS\System32\ezsys.exe

C:\WINDOWS\System32\he3e3fc4.dll

C:\WINDOWS\System32\readdb40.dll

C:\WINDOWS\rldmaoc..exe <<--something beginning with this name

 

Search for and delete the following folders:

C:\Program Files\Toolbar

C:\Program Files\Common Files\WinTools

 

Reboot, close all windows and browsers, and post a new HijackThis log for further review.

 

There is more work to do!! :bangbang:

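An added example, not code from this thread, from SpywareInfo or from HijackThis itself: a small Python script that does by rule what the helper does by eye on the 8/2 log above, and also the log-to-log comparison that later in the thread shows entries coming back. It parses HJT entry lines (R3/O2/O3/O4/O16/O17), flags the patterns the helper keys on (generated-looking names, a loader running from Temp, rundll32 pulling a DLL out of the Windows tree, an ActiveX control served from a bare IP, DNS servers forced in the registry) and diffs two logs to separate what was removed, what survived and what is new. The rules, the O16 host allowlist and the family-marker list are my assumptions, not anything HijackThis ships; SAMPLE_0802 and SAMPLE_0803 are excerpts of the 8/2 and 8/3 logs posted in this thread.

```python
"""Triage and diff HijackThis (HJT) logs: an added example for this thread, not the forum's
or HijackThis's own code.  Rules, allowlist and family markers are assumptions; SAMPLE_* are excerpts."""
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")                     # "O4 - <payload>"
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")    # hive, key, name, command
COM_RE = re.compile(r"^\w+: (.*?) - \{[0-9A-Fa-f-]{36}\} - (.*)$")     # R3/O2/O3: name, CLSID, path
TARGET_RE = re.compile(r'^"?(.+?\.(?:exe|dll|ocx|ocm|scr|com))"?', re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
WINROOT = "c:\\windows\\"
# Assumed allowlist of O16 ActiveX hosts, and the families the helper names in this thread.
TRUSTED_DPF = ("yahoo.com", "yimg.com", "norton.com", "apple.com", "macromedia.com", "microsoft.com")
FAMILY_MARKERS = ("wintools", "sysai", "apropos", "srchfst", "twaintec")

def parse(log_text):
    """(section, payload) per entry line; the header and the process list do not match."""
    return [(m.group(1), m.group(2)) for m in (ENTRY_RE.match(line.strip()) for line in log_text.splitlines()) if m]

def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].rsplit(".", 1)[0]

def looks_random(name):
    """Consonant-heavy (cxzrhc) or digit-interleaved (he3e3fc4) names look machine-generated."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 5:
        return False
    if sum(c in "aeiouy" for c in name.lower()) / len(letters) < 0.25:
        return True
    return any(c.isdigit() for c in name.rstrip("0123456789_."))  # trailing version digits are normal

def target_of(command):
    """Image an O4 command really loads: follow rundll32 to its DLL, drop the arguments."""
    cmd = command.strip()
    if cmd.lower().startswith("rundll32.exe"):
        cmd = cmd[len("rundll32.exe"):].strip()
    m = TARGET_RE.match(cmd)
    return m.group(1) if m else cmd

def reasons_for(section, payload):
    """Heuristic reasons to question one entry; an empty list means nothing fired."""
    low = payload.lower()
    reasons = [f"family marker: {f}" for f in FAMILY_MARKERS if f in low]
    o4, com = O4_RE.match(payload), COM_RE.match(payload)
    if section == "O4" and o4:
        target = target_of(o4.group(4))
        if looks_random(o4.group(3)) or looks_random(basename(target)):
            reasons.append("generated-looking name")
        if "\\temp\\" in target.lower():
            reasons.append("runs from a Temp directory")
        if "\\" not in target:
            reasons.append("bare filename resolved via PATH")
        if o4.group(4).lower().startswith("rundll32.exe") and target.lower().startswith(WINROOT):
            reasons.append("rundll32 loading a DLL from the Windows tree")
    elif section in ("R3", "O2", "O3") and com:
        _name, path = com.groups()
        if path == "(no file)":
            reasons.append("orphaned CLSID, file already gone")
        elif looks_random(basename(path)):
            reasons.append("generated-looking name")
    elif section == "O16":
        host = urlparse(payload.rsplit(" - ", 1)[-1].strip()).hostname or ""
        if IPV4_RE.fullmatch(host):
            reasons.append("ActiveX served from a bare IP address")
        elif not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF):
            reasons.append("ActiveX from a host outside the allowlist")
    elif section == "O17":
        reasons.append("DNS servers forced in the registry; confirm they are the ISP's")
    return reasons

def triage(log_text):
    """[(entry line, [reasons])] for every entry at least one rule fires on."""
    hits = [(f"{s} - {p}", reasons_for(s, p)) for s, p in parse(log_text)]
    return [(line, why) for line, why in hits if why]

def diff_logs(before, after):
    """(gone, persisting, new) entries between two logs; 'new' is the re-infection."""
    b = {f"{s} - {p}" for s, p in parse(before)}
    a = {f"{s} - {p}" for s, p in parse(after)}
    return sorted(b - a), sorted(b & a), sorted(a - b)

SAMPLE_0802 = r"""
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - (no file)
O2 - BHO: SDWin32 Class - {87E88080-4014-43F4-AAE4-125633453FD1} - C:\WINDOWS\System32\cxzrh.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINDOWS\System32\he3e3fc4.dll,EnableRunDLL32
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Jen\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0723c2de85c1213d5e22/netzip/RdxIE2.cab
"""
SAMPLE_0803 = r"""
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll
O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ptusof] C:\WINDOWS\System32\nwsunvk.exe
O4 - HKCU\..\Run: [foq5RTMEP] powdow.exe
"""
```

triage(SAMPLE_0803) returns the four entries the helper would question, each with its reasons; diff_logs(SAMPLE_0802, SAMPLE_0803)[2] is what appeared between the two logs. Heuristics rank, they do not decide: [PCTVOICE] pctspk.exe and the &Radio toolbar's msdxm.ocx both trip the name rule although the helper leaves them alone, while [Web Offer] ezsys.exe and the quoted AutoUpdate.exe pass every rule, so the person who knows the families still has the last word. The diff is what makes the helper's later "magnet" remark measurable: anything in the new set after a cleaning pass was reinstalled, which is the case for patching Internet Explorer before fixing another entry.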

Followed your instructions. How does it look now? The only thing I've really noticed is eZula keeps trying to install itself automatically. Here's the new log:

 

 

Logfile of HijackThis v1.98.0

Scan saved at 11:55:20 AM, on 8/3/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\cvss.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\pctspk.exe

C:\WINDOWS\System32\pmsbkup.exe

C:\WINDOWS\srchupdt.exe

C:\Program Files\AutoUpdate\AutoUpdate.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\Program Files\AIM95\aim.exe

C:\WINDOWS\System32\powdow.exe

C:\WINDOWS\system32\ntvdm.exe

C:\VSTASCAN\vsaccess.exe

C:\Program Files\SysAI\SysAI.exe

C:\OPLIMIT\ocrawr32.exe

C:\Documents and Settings\Jen\Desktop\HJT\HijackThis.exe

 

O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll

O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll

O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - (no file)

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll

O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll

O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32

O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32

O4 - HKLM\..\Run: [uF9R33g] pmsbkup.exe

O4 - HKLM\..\Run: [srchfstUpdate] C:\WINDOWS\srchupdt.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [ptusof] C:\WINDOWS\System32\nwsunvk.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [foq5RTMEP] powdow.exe

O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE

O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjss0_x.cab

O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/ss0_x.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedCont...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....iof5_3_16_0.cab


lilbiomouse:

 

That computer is like a magnet rolling on metal shavings!!!

It can pick up the bad stuff faster than we can get rid of it.

The reason for this is that you are running an outdated and therefore vulnerable/unsafe version of Internet Explorer. You must obtain Internet Explorer 6.0 Service Pack 1, and any Critical Updates applicable to XP.

 

When you get done with the steps below, do not go surfing, and go straight to the following website:

http://v4.windowsupdate.microsoft.com/en/default.asp

Use the Scan for Updates option, and download/install all the Critical Updates it offers.

 

The above is absolutely mandatory!!! All Critical Updates and Service Packs must be installed after applying the cleaning steps below, or the entire cleanup process is an exercise in futility.

 

Once again, you may want to copy this for easier reference.

 

Now, let’s sniff out some Trojans.

 

First, disable System Restore (Instructions provided on earlier post; it may still be disabled if you did not change those settings.)

 

Next, make sure Windows is set to show Hidden Files & Folders (Instructions provided on earlier post also. Still the same if you did not change those settings.)

 

-Download Trojan Hunter (Trial version) from here: http://www.misec.net/trojanhunter/

-Install the program, and update as instructed here: http://www.misec.net/trojanhunter/updating/

 

[Note: TrojanHunter 3.9 installs to C:\Program Files\TrojanHunter 3.9

Keep this in mind when updating its reference files.

If you need further guidance on this, let me know.]

 

Run TrojanHunter, and let it remove whatever it finds.

-If there is something that cannot be removed, please provide that info in your next post.

-Reboot when done.

 

Proceed to do an online virus scan from Trend-Micro: http://housecall.trendmicro.com/

-Check the option to Auto Clean when you run the scan.

-If the scan finds something, but cannot remove it, please supply that info in your next post.

-Reboot after the virus scan.

 

Now, make sure all windows and browsers are closed before proceeding to run HijackThis and scan. Fix the following by placing a check in the appropriate boxes and selecting the: ‘Fix Checked’ button:

 

 

O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll

O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll

O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - (no file)

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

 

O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\System32\li01f948.dll

O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll

 

O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32

O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32

O4 - HKLM\..\Run: [uF9R33g] pmsbkup.exe

O4 - HKLM\..\Run: [srchfstUpdate] C:\WINDOWS\srchupdt.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKLM\..\Run: [ptusof] C:\WINDOWS\System32\nwsunvk.exe

O4 - HKCU\..\Run: [foq5RTMEP] powdow.exe

 

 

Next, reboot into Safe Mode (Instructions provided on earlier post).

 

Go to Start>Control Panel>Add/Remove Programs, select the following, and click Remove:

TwainTech

POP!

 

Next, search for and delete the following Folder or Files:

 

Folder (bold):

C:\Program Files\AutoUpdate

 

Files (bold):

C:\WINDOWS\System32\li01f948.dll

C:\WINDOWS\srchfst.dll

C:\WINDOWS\System32\iel2cde8.dll

C:\WINDOWS\srchupdt.exe

C:\WINDOWS\alchem.exe

C:\WINDOWS\System32\nwsunvk.exe

pmsbkup.exe

powdow.exe

 

Still in Safe Mode go to C:\Windows\Temp folder.

Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of the Temp folder.

 

Next, go to C:\Documents and Settings\username\Local Settings\Temp folder.

Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of that Temp folder.

 

Finally, go to Control Panel>Internet Options.

On the General tab under: Temporary Internet Files, click: Delete Files

Place a check by: Delete Offline Content when the prompt appears, and click OK.

Next, click on the Programs tab, then click: Reset Web Settings button.

Click Apply, then OK.

 

Also, empty the Recycle Bin.

 

Reboot to Normal mode.

 

:alarm:

Now go straight to the following website:

http://v4.windowsupdate.microsoft.com/en/default.asp

Use the Scan for Updates option, and download/install all the Critical Updates it offers.

:alarm:

 

When done with all of the above, close all windows and browsers, and post a fresh HijackThis log.

 

We are almost there, but not done yet.

 

Glad you are determined to get rid of all this stuff.

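As an added example (not part of the thread or of HijackThis itself), a small Python triage script that parses O2/O3/O4 lines in the HijackThis log format shown above and reproduces the kind of cross-checks the fix list relies on: unnamed BHOs, Run entries that name a bare file with no install path, and rundll32 entries that load a DLL which is also an unnamed BHO. The heuristics are the example's own; a hit is a lead to verify, as the legitimate Spybot SDHelper entry in the sample shows.

```python
import re
from collections import namedtuple

# Constructed sample in HijackThis 1.9x line format, taken from the logs in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\System32\iel2cde8.dll",
    r"O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r"O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32",
    r"O4 - HKLM\..\Run: [uF9R33g] pmsbkup.exe",
    r'O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"',
]

# section: O2 (BHO), O3 (toolbar), O4 (autorun); ref: CLSID for O2/O3, hive for O4; target: DLL path or command line
Entry = namedtuple("Entry", "section name ref target")

BHO_RE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^(O4) - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")

def parse(lines):
    """Turn O2/O3/O4 log lines into Entry records; other sections are skipped."""
    entries = []
    for line in lines:
        if m := BHO_RE.match(line):
            entries.append(Entry(m[1], m[2], m[3], m[4]))
        elif m := RUN_RE.match(line):
            entries.append(Entry(m[1], m[3], m[2], m[4]))
    return entries

def run_target(cmd):
    """File an O4 command really loads: the DLL for rundll32, else the (possibly quoted) EXE."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32.exe "):
        return cmd.split(None, 1)[1].split(",")[0].strip()
    m = re.match(r'"([^"]+)"|(.*?\.exe)', cmd, re.IGNORECASE)
    return (m[1] or m[2]) if m else cmd

def triage(entries):
    """Reviewer hints in the spirit of the thread's fix list; each is a lead, not a verdict."""
    unnamed = {e.target.lower() for e in entries if e.section != "O4" and e.name == "(no name)"}
    hits = []
    for e in entries:
        if e.section != "O4":
            if e.name == "(no name)" or e.target == "(no file)":
                hits.append((e.section, e.target, "unnamed or missing component; confirm what installed it"))
            continue
        t = run_target(e.target)
        if "\\" not in t:
            hits.append((e.section, e.name, "bare filename, no install path: resolved via PATH at logon"))
        elif t.lower() in unnamed:
            hits.append((e.section, e.name, "rundll32 loads a DLL that is also an unnamed BHO/toolbar"))
    return hits
```

Running `triage(parse(SAMPLE_LOG))` flags the two unnamed BHOs, the bare `pmsbkup.exe` entry and the rundll32 loader for iel2cde8.dll, while the quoted TrojanHunter entry passes.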

Wanted to let you know that I ran Trojan Hunter and Housecall. I didn't have any problems with them. I ran HJT and removed the files you suggested. Right now, I'm trying to update XP which is slow going thanks to a lot of critical updates and a slow dial-up. When they're all installed, I'll post my log. So far, though, I'm not experiencing any of the previous problems. Thanks again.


lilbiomouse,

 

Thanks for the update. :D

 

If you have dial-up, it will take a while to get the updates (know the feeling), but it is well worth the wait.

 

Post a new log when you are done.

There are still a few things to do, but nothing out of this world.

You have gone this far; might as well get the entire job done!!!

 

:keybrd:


Ok, I think I'm done updating XP and I ran HJT. How does it look??

 

 

Logfile of HijackThis v1.98.0

Scan saved at 9:03:56 PM, on 8/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\cvss.exe

C:\WINDOWS\System32\pctspk.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\AIM95\aim.exe

C:\WINDOWS\system32\ntvdm.exe

C:\VSTASCAN\vsaccess.exe

C:\OPLIMIT\ocrawr32.exe

C:\Documents and Settings\Jen\Desktop\HJT\HijackThis.exe

 

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_16_0.dll

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE

O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjss0_x.cab

O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/ss0_x.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedCont...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....iof5_3_16_0.cab


lilbiomouse,

 

Outstanding!!!! :bounce: You did a great job!! :bounce: Good looking log!!

 

Now we can wrap up.

 

At one point you enabled the viewing of Hidden files and Folders as follows:

[start>My Computer, select the Tools menu and then Folder Options, after the new window appears select the View tab…]

This time select the: Restore Defaults button

Select: Apply, and click OK

 

Next, since the system is now clean, use System Restore, and create a Restore Point

Turn System Restore back on

-On the Desktop, right-click My Computer

-Select: Properties

-Select the System Restore tab

-Check: Turn on System Restore

-Click: Apply, and then: OK

 

Now, create a Restore Point:

-Go to: Start>All Programs.

-Go to: Accessories>System Tools, and select: System Restore.

-In the System Restore wizard, select: Create a restore point

-Click the Next button.

-Type a description for the restore point, like: Clean Slate (or whatever you like)

Click Create

 

Restart the computer.

 

Consider mustering up your PC’s line of defense against malware. You already have an Anti-virus program. Make sure it is kept updated and run regularly.

 

An essential addition to XP is a firewall. (Believe Norton SystemWorks does not include one)

 

Zone Alarm has a free version:

http://www.zonelabs.com/store/content/comp...reeDownload.jsp

 

Two other good choices are:

Sygate http://smb.sygate.com/products/spf_pro.htm

Kerio http://www.kerio.com/us/kpf_home.html

 

It is a good idea to clean up Temporary Internet Files, Temporary Files, and the Recycle Bin.

Periodically use the Disk Cleanup utility in Windows XP, as follows:

-Click Start>Run

-In the Open box, key in: cleanmgr

-Click: OK

-Place a check next to the categories mentioned above

-Click OK

-Click: Yes to proceed with the action

-Reboot

 

Visit the Microsoft Windows Update regularly.

Information on XP's Automatic Update feature is found here: http://www.microsoft.com/athome/security/p...xp/updates.aspx

 

An excellent reference in developing a plan of defense is Tony Klein’s 'How Did I Get Infected In The First Place' article:

http://forums.net-integration.net/index.php?showtopic=3051

Its information provides some useful tools and their links.

 

Adding to Tony’s excellent advice, Spybot Search and Destroy and AdAware are programs that you already have, and can use as part of your plan to counteract malware. Update the programs to obtain their latest reference files, and run them on a regular basis.

 

If you have any questions about any of the above, just post back.

 

Good luck! :wave:


:weee:

 

Thank you very much for your patience, and performing all the procedures requested.

 

Have a great week!!
