• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
salchydog

Losing my mind!! - MERGED 2 threads

18 posts in this topic

I need someones expertice on getting rid of whatever is wrong with my PC.

 

Below is the HJT log, let me know what to do...PLEASE!!!! Thanks in advance.

 

Also, i can't get onto the Micro Trends page to run the online scan. IE closes.

Casino Online appears as a program and I cant delete it.

It also seems that I have some programs in c:\programs that I have never seen. Should I delete them? Sorry for all of the questions. Brad

 

Already ran CWS and SpyBot

 

Logfile of HijackThis v1.97.7

Scan saved at 10:26:20 PM, on 6/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Program Files\CasinoOnline\CsRemnd.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\UnbAZu.exe

C:\WINDOWS\System32\VzxdXo.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Brad\My Documents\XITOUT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;Revelation

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {269BC335-96BA-4FB5-9CA5-0281349B4BB1} - C:\WINDOWS\System32\cfk.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll

O4 - HKLM\..\Run: [4JF4LD83PLSGLB] C:\WINDOWS\System32\CpbFG.exe

O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Brad\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: TREND MICRO HouseCall (HKLM)

O9 - Extra button: AIM (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/292fd4fdb1ecbf505e01/netzip/RdxIE2.cab

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a...all/xscan53.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs8b.instantservice.com/jars/customerxsigned41.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

Edited by salchydog

Share this post


Link to post
Share on other sites

Click here to download the PeperFix tool, save it to your desktop, doubleclick on it, click 'Find and Fix' and reboot if prompted.

 

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

 

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

 

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

 

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

 

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

 

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

 

Reboot when done. Rescan with HJT and post a new log here so that any remnants can be removed manually.

Share this post


Link to post
Share on other sites

Here is the new log file from HJT. Ad-Aware did not find anything by the way. And.... THANK YOU!!!!!

 

Logfile of HijackThis v1.97.7

Scan saved at 7:36:33 AM, on 6/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CasinoOnline\CsRemnd.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Brad\My Documents\XITOUT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;Revelation

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {269BC335-96BA-4FB5-9CA5-0281349B4BB1} - C:\WINDOWS\System32\cfk.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll

O4 - HKLM\..\Run: [4JF4LD83PLSGLB] C:\WINDOWS\System32\CpbFG.exe

O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Brad\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: TREND MICRO HouseCall (HKLM)

O9 - Extra button: AIM (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/292fd4fdb1ecbf505e01/netzip/RdxIE2.cab

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a...all/xscan53.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs8b.instantservice.com/jars/customerxsigned41.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

Share this post


Link to post
Share on other sites

I just got finished running Peper and AdAware. So far so good. Please let me know what needs to be checked on this log. Thank you.

 

I still cant run the online Trend Micro Virus scan, explorer closes.

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 9:25:44 AM, on 6/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Documents and Settings\Brad\Desktop\full recovery\Program Files\AIM95\aim.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Brad\My Documents\XITOUT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;Revelation

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {269BC335-96BA-4FB5-9CA5-0281349B4BB1} - C:\WINDOWS\System32\cfk.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll

O4 - HKLM\..\Run: [4JF4LD83PLSGLB] C:\WINDOWS\System32\CpbFG.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Brad\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: TREND MICRO HouseCall (HKLM)

O9 - Extra button: AIM (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/292fd4fdb1ecbf505e01/netzip/RdxIE2.cab

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a...all/xscan53.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs8b.instantservice.com/jars/customerxsigned41.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

Edited by salchydog

Share this post


Link to post
Share on other sites

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

 

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {269BC335-96BA-4FB5-9CA5-0281349B4BB1} - C:\WINDOWS\System32\cfk.dll (file missing)

O4 - HKLM\..\Run: [4JF4LD83PLSGLB] C:\WINDOWS\System32\CpbFG.exe

O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/292fd4fdb1ecbf505e01/netzip/RdxIE2.cab

 

Click here, for instructions on how to enable hidden files and folders to be visible. After enabling, reboot into safe mode by tapping F8 after the BIOS has loaded, find and delete the following:

 

C:\Program Files\CasinoOnline\ <-- folder

 

Reboot when done, rescan with HJT and post a new log here for a final check over.

Share this post


Link to post
Share on other sites

I did what you recommended in the last post. I restarted and SpySweeper informed me that my IE start page was changed. About Blank is the new start page on IE. I ran AdAware and this is the log:

Started registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

CoolWebSearch Object recognized!

Type : RegValue

Data :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Internet Explorer\Main

Value : HOMEOldSP

 

 

Registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 1

Objects found so far: 1

 

 

Started deep registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "about:blank"

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "about:blank"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "about:blank"

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "about:blank"

 

 

Deep registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 2

Objects found so far: 3

 

 

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Tracking Cookie Object recognized!

Type : File

Data : brad@cgi-bin[1].txt

Object : C:\Documents and Settings\Brad\Cookies\

 

Created on : 6/9/2004 2:24:27 AM

Last accessed : 6/9/2004 2:25:36 AM

Last modified : 6/9/2004 2:25:36 AM

 

 

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

 

Deep scanning and examining files (C:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

 

Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Hosts file scan result:

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

1 entries scanned.

New objects :0

Objects found so far: 4

 

 

 

 

Performing conditional scans..

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_CLASSES_ROOT

Object : PROTOCOLS\Filter\text/html

 

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Rootkey : HKEY_CLASSES_ROOT

Object : PROTOCOLS\Filter\text/plain

 

 

CoolWebSearch Object recognized!

Type : RegValue

Data :

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

Value : ITBarLayout

 

 

Conditional scan result:

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 3

Objects found so far: 7

 

 

7:40:14 PM Scan complete

 

Summary of this scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Total scanning time :00:02:30:250

Objects scanned :49174

Objects identified :7

Objects ignored :0

New objects :7

 

Here is the HT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 7:45:06 PM, on 6/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Brad\My Documents\XITOUT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nhc.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nhc.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nhc.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nhc.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nhc.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nhc.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;Revelation

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {67A4B7B9-966E-4FE0-A5BC-AF4C0AE4D074} - C:\WINDOWS\System32\nhc.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Brad\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: TREND MICRO HouseCall (HKLM)

O9 - Extra button: AIM (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a...all/xscan53.cab

O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs8b.instantservice.com/jars/customerxsigned41.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

Edited by salchydog

Share this post


Link to post
Share on other sites

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

 

Download 'Dllfix.exe' from here. It is a self-extracting archive; double click on it. Open the DLLFIX folder and double click on Start.bat.

 

At the main menu, press '1' (Run Find-All by FreeAtLast) and enter. Let the program run. When finished, press 'E' to exit. Open the DLLFix folder. Post the contents of Output.txt in this thread.

Share this post


Link to post
Share on other sites

Here are the things that you requested. I have noticed that when i leave my PC running for a few hours and when i go online, IE freeks out and the about:blank start page wants to load. SpySweeper stops it. What is causing this? Is there a pest that only comes out when the computer has been running for a while?

 

Thanks for your help. Brad

 

 

1. C:\WINDOWS\System32\hlp.dll

 

2. --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--

--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

 

Wed 06/09/2004

06:58 PM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (7CC0:7F83) - FS:NTFS clusters:4k

Total: 15 726 702 592 [15G] - Free: 4 288 819 200 [4.0G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

*Notepad version :

5.1.2600.0 C:\WINDOWS\notepad.exe

*Media Player version :

8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q832894;Q831167;Q837009;

 

 

 

Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\HLP.DLL +++ File read error

\\?\C:\WINDOWS\System32\HLP.DLL +++ File read error

 

 

Scanning for main Hijacker:

 

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

Edited by salchydog

Share this post


Link to post
Share on other sites

It's the hidden hijacker. Open the DLLFIX folder and double click on Start.bat. At the main menu, press '2' (Run Fix) and enter.

 

At the second menu, press '2' (Run Fix without DLL name) and enter.

 

Your system will reboot in 15 seconds and begin the fix. When finished, there will be a log (logs.txt) in the dllfix folder. Paste it into your next reply with a new HJT log.

Share this post


Link to post
Share on other sites

You guy's need to start a paid service. I would pay for this! You are the man.... Thank you.

 

here's the first log:

 

CWSDLL/Searchx Appinit Fix By Shadowwar

Version 3.01 060504

Please Do not mirror Without Permission!

I can be contacted at spywaresubmit at aol.com

Thu 06/10/2004

05:47 AM

 

Backing up Registry Hive

 

The operation completed successfully

 

Deleting Windows Key

 

The operation completed successfully

 

Adding Test Windows Key

 

The operation completed successfully

 

Restoring temp Values Key

 

The operation completed successfully

 

Deleting Bad Appinit Value

 

The operation completed successfully

 

 

Backup of Modified Hiv

 

The operation completed successfully

 

Deleting test Windows key

 

The operation completed successfully

 

Deleting Filter text

Running from C:\Documents and Settings\Brad\Desktop\dllfix

Scanning for Locked File

Unlocking Locked File

 

C:\WINDOWS\System32\HLP.DLL

Scanning For main hijacker.

Found Main Hijacker Dll:C:\WINDOWS\System32\ENN.DLL

Md5 tested As 4E24A18F3A557AF479219E47E27B8B59

Scanning for Hidden Dll in system32 1st pass

File found was: C:\WINDOWS\System32\ENN.DLL

Md5 Check of C:\WINDOWS\System32\ENN.DLL

 

Md5 tested As 4E24A18F3A557AF479219E47E27B8B59

File was found but md5 didnt match

MD5 was: 4E24A18F3A557AF479219E47E27B8B59

Resetting file attributes

Processing ACL of: <\\?\C:\WINDOWS\System32\ENN.DLL>

 

SetACL finished successfully.

File was zipped for submission to Shadowwar

File is located at C:\Documents and Settings\Brad\Desktop\dllfix\submit.zip

please Email a copy to spywaresubmit at aol.com

Please include a link to your post.

File is still in original location now unlocked.

It is now ok to proceed with Rest of Cleanup.

 

Adding Back Windows Key

 

The operation completed successfully

 

Restoring Registry Hive

 

The operation completed successfully

 

 

Restoring Cleaned Appinit Value

 

The operation completed successfully

 

 

Here's the HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 5:57:47 AM, on 6/10/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Brad\My Documents\XITOUT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;Revelation

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Brad\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: TREND MICRO HouseCall (HKLM)

O9 - Extra button: AIM (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs8b.instantservice.com/jars/customerxsigned41.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

Share this post


Link to post
Share on other sites

AdAware is still finding CWS. It just keeps comong back... Heres the newest HJT log.

 

Logfile of HijackThis v1.97.7

Scan saved at 8:00:57 PM, on 6/10/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\gearsec.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Brad\My Documents\XITOUT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;Revelation

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Brad\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"

O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: TREND MICRO HouseCall (HKLM)

O9 - Extra button: AIM (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs8b.instantservice.com/jars/customerxsigned41.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

Share this post


Link to post
Share on other sites

I assume Housecall can't fix it?

 

Using Explorer go to your root drive: C:\ and create new folder, name it: 'Junk'. Unzip and run Winfile from here. Open it up, click File>Move...

 

Copy and paste this into the 'From' box: C:\WINDOWS\System32\HLP.DLL

Copy and paste this into the 'To' box: C:\Junk\HLP.DLL

 

Copy and paste this into the 'From' box: C:\WINDOWS\System32\ENN.DLL

Copy and paste this into the 'To' box: C:\Junk\ENN.DLL

 

Hit OK. Close Winfile and check in C:\Junk for those files - let me know what's there. Run HJT and post a new log for the next steps.

Share this post


Link to post
Share on other sites

Daemon, thanks for your help. I am going to reformat my hard drive. At this point, think that its much easier and i will have a clean computer after i do it.. Again, thank you.

 

salchydog..

Share this post


Link to post
Share on other sites

If you prefer. I didn't think we were at that stage yet but yes, you will have a clean system after that.

 

I will close this topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0