pattya1122

Need help getting rid of spyware popups,

29 posts in this topic

When I use the AOL browser a series of popups from http://vn.msie.tv/popup3.php?pin=2 appears. If I try to close them my screen freezes. I don't know much about computers and I couldn't find a German site for help, so I hope someone here can help me. I ran Ad-aware, restarted the computer and ran HijackThis, but I don't have any idea what the things in the log file mean, so hopefully someone can help me fix that problem.

Here is the log of HijackThis:


Logfile of HijackThis v1.97.7

Scan saved at 13:46:03, on 14.06.2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe

C:\Programme\Virenschutz\AVKService.exe

C:\Programme\Virenschutz\AVKWCtl.exe

C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\rundll32.exe

C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

C:\Programme\Browser mouse\1.3\mouse32a.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\PROGRA~1\LONGPL~1\locksway.exe

C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Programme\QuickTime\qttask.exe

C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE

C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE

C:\WINDOWS\dhbrwsr.exe

C:\WINDOWS\System32\bojfro.exe

C:\Broadband Router\Gate-MON V1.10.exe

C:\Programme\T-DSL SpeedManager\SpeedMgr.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\SahAgent.exe

C:\WINDOWS\System32\rundll32.exe

C:\Programme\Real\RealPlayer\RealPlay.exe

C:\Programme\RCPrograms\v2\prizesurfer.exe

C:\WINDOWS\System32\svchost.exe

C:\Programme\Microsoft Works\WksSb.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Mixer.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE

C:\Programme\ISTsvc\istsvc.exe

C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

C:\Programme\ClockSync\Sync.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Programme\Zilla Popup Killer\ZillaPop.exe

C:\Programme\AOL 9.0\aoltray.exe

C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe

C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Programme\ScanPanel\ScnPanel.exe

C:\Dokumente und Einstellungen\Fam. Krüger\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jcgec.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jcgec.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jcgec.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jcgec.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jcgec.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\home.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jcgec.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0cj.net/cat

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=ZillaPopupKiller:8100

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%34%2Dv%2Enet/srchasst.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%34%2Dv%2Enet/srchasst.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Programme\TV Media\TvmBho.dll

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINDOWS\System32\inetp60.dll

O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O2 - BHO: (no name) - {867F19F8-50F4-41B7-97A5-77AF6BBFA070} - C:\WINDOWS\System32\jcgec.dll

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll

O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain

O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [RCSync] C:\Programme\RCPrograms\RCSync.exe

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun

O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe

O4 - HKLM\..\Run: [winactive] C:\Programme\Window Active\winactive.exe

O4 - HKLM\..\Run: [mswdtc.exe] C:\WINDOWS\System32\mswdtc.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"

O4 - HKLM\..\Run: [TV Media] C:\Programme\TV Media\Tvm.exe

O4 - HKLM\..\Run: [nuylb] C:\WINDOWS\ivubn.exe

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe

O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe

O4 - HKLM\..\Run: [eryp] C:\WINDOWS\eryp.exe

O4 - HKLM\..\Run: [bwenceowbyw] C:\WINDOWS\System32\bojfro.exe

O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [WetGirls_gb] C:\Program Files\GMSoft\Dialers\WetGirls_gb\WetGirls_gb.exe /dontdial

O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.

O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from

O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"

O4 - HKLM\..\Run: [sAHAgent] C:\WINDOWS\System32\SahAgent.exe

O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [PrizeSurfer] C:\Programme\RCPrograms\v2\prizesurfer.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe

O4 - HKLM\..\Run: [LiveGirls_gb] C:\Program Files\GMSoft\Dialers\LiveGirls_gb\LiveGirls_gb.exe /dontdial

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HTML>

O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>

O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.

O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>

O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>

O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>

O4 - HKLM\..\Run: [iST Service] C:\Programme\ISTsvc\istsvc.exe

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo

O4 - HKCU\..\Run: [mswdtc.exe] C:\WINDOWS\System32\mswdtc.exe

O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

O4 - HKCU\..\Run: [TV Media] C:\Programme\TV Media\Tvm.exe

O4 - HKCU\..\Run: [ClockSync] C:\Programme\ClockSync\Sync.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe

O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide

O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"

O4 - HKCU\..\Run: [care0039] c:\windows\care0039.exe -m

O4 - HKCU\..\Run: [buddyizer] C:\Programme\Aimster\Buddyizer.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe

O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE

O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe

O4 - Global Startup: CAPIControl.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: PrecisionTime.lnk = C:\Programme\PrecisionTime\PrecisionTime.exe

O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe

O9 - Extra button: Recherche-Assistent (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: MedionShop (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.freenet.de

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/DE/install.cab

O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://www.tnc4u.com/MCInst.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/computercheckup/qdiagcc.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2002060...all/xscan53.cab

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7576.4794212963

O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/viz...N-US/msorun.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

Yesterday I read the "Pinned" threads at the top of the first page and realized that I hadn't cleaned up the computer as recommended before posting here. I did that after reading the instructions: I ran Spybot, Ad-aware, TrojanHunter and CWShredder and fixed the things that were found.

I also tried to run a virus scan, but the mouse cursor went out of control when I opened the GData program, so I couldn't do that. I restarted the computer and ran HijackThis. The popups are still there but I can close them now and the screen doesn't freeze anymore, but now Netscape doesn't open, I keep getting the Windows message "Not enough Virtual Memory", and the computer keeps downloading the same two Windows updates and tells me to install them although I already did that.

Here is the new HijackThis log:

Logfile of HijackThis v1.97.7

Scan saved at 18:19:36, on 16.06.2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe

C:\Programme\Virenschutz\AVKService.exe

C:\Programme\Virenschutz\AVKWCtl.exe

C:\WINDOWS\System32\rundll32.exe

C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

C:\Programme\Browser mouse\1.3\mouse32a.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe

C:\PROGRA~1\LONGPL~1\locksway.exe

C:\Programme\Window Active\winactive.exe

C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\DHUpdt.exe

C:\WINDOWS\dhbrwsr.exe

C:\WINDOWS\System32\bojfro.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE

C:\Broadband Router\Gate-MON V1.10.exe

C:\Programme\RCPrograms\v2\prizesurfer.exe

C:\WINDOWS\System32\snmp.exe

C:\Programme\Microsoft Works\WksSb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE

C:\Programme\TrojanHunter 3.9\THGuard.exe

C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Programme\Zilla Popup Killer\ZillaPop.exe

C:\Programme\AOL 9.0\aoltray.exe

C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe

C:\Programme\ScanPanel\ScnPanel.exe

C:\Programme\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\home.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0cj.net/cat

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=ZillaPopupKiller:8100

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Programme\TV Media\TvmBho.dll

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)

O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll

O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain

O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [RCSync] C:\Programme\RCPrograms\RCSync.exe

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun

O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe

O4 - HKLM\..\Run: [winactive] C:\Programme\Window Active\winactive.exe

O4 - HKLM\..\Run: [mswdtc.exe] C:\WINDOWS\System32\mswdtc.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"

O4 - HKLM\..\Run: [TV Media] C:\Programme\TV Media\Tvm.exe

O4 - HKLM\..\Run: [nuylb] C:\WINDOWS\ivubn.exe

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe

O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe

O4 - HKLM\..\Run: [eryp] C:\WINDOWS\eryp.exe

O4 - HKLM\..\Run: [bwenceowbyw] C:\WINDOWS\System32\bojfro.exe

O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [WetGirls_gb] C:\Program Files\GMSoft\Dialers\WetGirls_gb\WetGirls_gb.exe /dontdial

O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.

O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from

O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [PrizeSurfer] C:\Programme\RCPrograms\v2\prizesurfer.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe

O4 - HKLM\..\Run: [LiveGirls_gb] C:\Program Files\GMSoft\Dialers\LiveGirls_gb\LiveGirls_gb.exe /dontdial

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HTML>

O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>

O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.

O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>

O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>

O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>

O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo

O4 - HKCU\..\Run: [mswdtc.exe] C:\WINDOWS\System32\mswdtc.exe

O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

O4 - HKCU\..\Run: [TV Media] C:\Programme\TV Media\Tvm.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe

O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide

O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"

O4 - HKCU\..\Run: [care0039] c:\windows\care0039.exe -m

O4 - HKCU\..\Run: [buddyizer] C:\Programme\Aimster\Buddyizer.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe

O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE

O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe

O4 - Global Startup: CAPIControl.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe

O9 - Extra button: Recherche-Assistent (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: MedionShop (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.freenet.de

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/DE/install.cab

O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://www.tnc4u.com/MCInst.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/computercheckup/qdiagcc.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2002060...all/xscan53.cab

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7576.4794212963

O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/viz...N-US/msorun.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

:) Just so that you know you are not being ignored: I will handle this case for you, but I need to ask for your patience while I review the log.

Please keep an eye on this message for a resolution shortly.

  1. How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.
  2. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "P2P Networking.exe". If you find the file, click it, and then click End Process => Exit the Task Manager.
  3. We need to remove a program called "Twain-Tec". To do this, first you need to disable System Restore as per the instructions here. Twaintec.dll is a transponder. HijackThis will detect it as a BHO but it must not be removed using HijackThis. This is because of the remaining registry entries and files which can be dangerous. Instead the following method of removal is preferable and complete:
    Go to "Add/Remove Programs" => Uninstall "Twain-Tech". Reboot the computer to SAFE mode - How do I boot into "Safe" mode?. Delete twaintec.dll and twaintec.ini. If twaintec.dll is in use, then you would need to rename it, reboot the computer, and then delete it.
  4. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, and click on "Fix Checked":
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\home.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0cj.net/cat
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=ZillaPopupKiller:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Programme\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
    O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
    O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - (no file)
    O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [RCSync] C:\Programme\RCPrograms\RCSync.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [mswdtc.exe] C:\WINDOWS\System32\mswdtc.exe
    O4 - HKLM\..\Run: [TV Media] C:\Programme\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [nuylb] C:\WINDOWS\ivubn.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
    O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
    O4 - HKLM\..\Run: [eryp] C:\WINDOWS\eryp.exe
    O4 - HKLM\..\Run: [bwenceowbyw] C:\WINDOWS\System32\bojfro.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [WetGirls_gb] C:\Program Files\GMSoft\Dialers\WetGirls_gb\WetGirls_gb.exe /dontdial
    O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
    O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
    O4 - HKLM\..\Run: [PrizeSurfer] C:\Programme\RCPrograms\v2\prizesurfer.exe
    O4 - HKLM\..\Run: [LiveGirls_gb] C:\Program Files\GMSoft\Dialers\LiveGirls_gb\LiveGirls_gb.exe /dontdial
    O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HTML>
    O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
    O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
    O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>
    O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
    O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
    O4 - HKCU\..\Run: [mswdtc.exe] C:\WINDOWS\System32\mswdtc.exe
    O4 - HKCU\..\Run: [TV Media] C:\Programme\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [care0039] c:\windows\care0039.exe -m
    O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freenet.de
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/DE/install.cab
    O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://www.tnc4u.com/MCInst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2002060...all/xscan53.cab
  5. The following are optional to delete as they are resource hogs:
  6. Please reboot into safe mode - How do I boot into "Safe" mode?
  7. The following FILES, DIRECTORIES and DIRECTORY CONTENTS (but not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open any Explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check "Show Hidden Files and Folders". If the files etc. listed are not present, do not worry; just delete those that you can find. If no path is listed, you may need to search for the file(s). To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.

    1. DIRECTORY CONTENTS (But not the directory)
      • C:\Windows\Temp\
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • Empty your "Recycle Bin"

    2. DIRECTORIES
      • C:\Programme\TV Media\
      • C:\WINDOWS\System32\P2P Networking\
      • C:\Program Files\webHancer\
      • C:\Programme\RCPrograms\
      • C:\Program Files\GMSoft\Dialers

    3. FILES
      • C:\WINDOWS\home.htm
      • C:\WINDOWS\bxxs5.dll
      • C:\WINDOWS\System32\stlbupdt.DLL
      • C:\WINDOWS\System32\mswdtc.exe
      • C:\WINDOWS\ivubn.exe
      • C:\WINDOWS\DHUpdt.exe
      • C:\WINDOWS\dhbrwsr.exe
      • C:\WINDOWS\eryp.exe
      • C:\WINDOWS\System32\bojfro.exe
      • C:\Programme\RCPrograms\v2\prizesurfer.exe

  8. Reboot again and log in normally, then repost a new HijackThis log into this message for further review.

P.S. Next time, please actually run all the programs suggested and don't just say that they have been run, as most of these infections would have been cleaned. Thank you for your consideration.


PGPhantom,

 

Thank you very much for your help.

But there is something that I don't understand.

You asked me to actually run the programs next time and not just say I did :wtf:, but I really did run them, fixed everything they found and then posted the second HijackThis log yesterday, so I am not sure where my mistake was.

Anyway, I will follow your instructions and then post a new log.


Just ignore me ... :) It has been a long day fighting this stuff, far too many new infections cropping up. Please do post a new log once you have cleaned everything up ...


PGPhantom,

 

I followed the instructions but wasn't able to do everything.

I could not remove the program Twain-Tech with "Add/Remove Programs" because it wasn't listed there. I tried to find it with the search assistant but got no result. I did find the following files:

twaintec.ini C:\Windows

twaintec.dll.tcf C:\Windows

twaintec.dll.tcf C:\Windows\LastGood

twaintec.ini C:\Windows\LastGood

 

I haven't deleted them yet because I wasn't sure if these are the right ones.

 

When I tried to delete C:\Programme\TV Media I got the message:

can't delete TvmBHo.dll

access denied

I ran HijackThis and check marked the things you listed and clicked fix but the new log still shows things that I marked for fixing before.

When Windows starts I get the message:

RUNDLL

can't load C:\Windows\System32\stlbupdt.DLL

Module not found

 

and another window opens with the following information:

 

[.ShellClassInfo]

LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

 

I still get the messages "not enough virtual memory" and the one for installing the same Windows Updates again.

The popups freeze the screen again when using the aol browser. :ugh:

Here is the new log:

 

Logfile of HijackThis v1.97.7

Scan saved at 19:55:30, on 19.06.2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe

C:\Programme\Virenschutz\AVKService.exe

C:\Programme\Virenschutz\AVKWCtl.exe

C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

C:\PROGRA~1\LONGPL~1\locksway.exe

C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe

C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Broadband Router\Gate-MON V1.10.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE

C:\Programme\Real\RealPlayer\RealPlay.exe

C:\Programme\Microsoft Works\WksSb.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE

C:\Programme\TrojanHunter 3.9\THGuard.exe

C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Programme\Zilla Popup Killer\ZillaPop.exe

C:\Programme\AOL 9.0\aoltray.exe

C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe

C:\Programme\ScanPanel\ScnPanel.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Programme\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Programme\TV Media\TvmBho.dll

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {12BAEC26-7088-43D2-B949-F08D0B8A5A63} - C:\WINDOWS\System32\cbhlci.dll

O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain

O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe

O4 - HKLM\..\Run: [winactive] C:\Programme\Window Active\winactive.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"

O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe

O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>

O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "C:\Programme\WebSavingsfromEbates\System\Code" Main lp: "C:\Programme\WebSavingsfromEbates"

O4 - HKLM\..\Run: [mardykfhtpacq] C:\WINDOWS\System32\bojfro.exe

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo

O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe

O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide

O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"

O4 - HKCU\..\Run: [buddyizer] C:\Programme\Aimster\Buddyizer.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe

O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE

O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe

O4 - Global Startup: CAPIControl.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe

O9 - Extra button: Recherche-Assistent (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: MedionShop (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/computercheckup/qdiagcc.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7576.4794212963

O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/viz...N-US/msorun.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
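
Several autostart entries from the earlier fix list are still present in this log (stlbupdt.DLL, the "<TITLE>Error</TI" value, the TV Media RunOnce keys), and bojfro.exe is back under a different random value name ([bwenceowbyw] before, [mardykfhtpacq] now). The script below is an added example for this thread, not part of HijackThis or of any post here: it parses the O4 registry-autostart line format used in these logs, reduces each command to the file it actually launches, and diffs two scans by that file so a re-created key with a fresh name does not hide a survivor. The two log excerpts are constructed subsets of the 14.06.2004 and 19.06.2004 logs above.

```python
"""Triage of HijackThis O4 autostart entries across two scans (added example)."""
from __future__ import annotations

import re

# Registry autostart form of an O4 line: hive, Run/RunOnce key, value name, command.
O4_REG = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>.*?)\] (?P<cmd>.*)$"
)
# rundll32.exe <dll>,<entrypoint>: the DLL, not rundll32, is the component to track.
RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>.+?),\w+\s*$", re.IGNORECASE)
EXEC_EXT = re.compile(r"\.(exe|dll|com|bat|cmd|scr|pif)$")

# Constructed subsets of the two logs posted in this thread.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - HKLM\..\Run: [bwenceowbyw] C:\WINDOWS\System32\bojfro.exe
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [winactive] C:\Programme\Window Active\winactive.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [mardykfhtpacq] C:\WINDOWS\System32\bojfro.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
"""


def target_of(cmd: str) -> str:
    """Reduce a Run-key command to the file it launches, lower-cased for comparison."""
    cmd = cmd.strip()
    m = RUNDLL.match(cmd)
    if m:
        return m.group("dll").strip().strip('"').lower()
    if cmd.startswith('"'):  # quoted path; arguments follow the closing quote
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd).lower()
    parts = cmd.split()  # unquoted path: drop trailing /switch and -switch tokens
    while len(parts) > 1 and parts[-1][0] in "/-":
        parts.pop()
    return " ".join(parts).lower()


def flag_target(target: str) -> list[str]:
    """Observations a reviewer can make from the launched value alone."""
    flags = []
    if "<" in target or ">" in target:
        flags.append("HTML fragment written into a Run key, not a program path")
    if not EXEC_EXT.search(target):
        flags.append("does not end in an executable extension")
    if not re.match(r"^[a-z]:\\", target):
        flags.append("no directory given; resolved through PATH at logon")
    return flags


def parse_o4(log: str) -> dict[str, set[str]]:
    """Map each launched file to the set of Run-key value names that start it."""
    entries: dict[str, set[str]] = {}
    for line in log.splitlines():
        m = O4_REG.match(line.strip())
        if m:
            entries.setdefault(target_of(m.group("cmd")), set()).add(m.group("name"))
    return entries


def diff_autostarts(before_log: str, after_log: str) -> dict:
    """Compare two scans by launched file, so a renamed value cannot hide a survivor."""
    before, after = parse_o4(before_log), parse_o4(after_log)
    persisted = sorted(before.keys() & after.keys())
    return {
        "removed": sorted(before.keys() - after.keys()),
        "new": sorted(after.keys() - before.keys()),
        "persisted": persisted,
        # Same file, different value name: the key was re-created, not merely left in place.
        "renamed": {t: (before[t], after[t]) for t in persisted if before[t] != after[t]},
    }


def report(before_log: str, after_log: str) -> str:
    """Human-readable summary of the diff with per-entry flags."""
    d = diff_autostarts(before_log, after_log)
    out = []
    for label in ("removed", "new", "persisted"):
        out.append(f"{label} ({len(d[label])}):")
        for t in d[label]:
            line = f"  {t}"
            if t in d["renamed"]:
                old, new = d["renamed"][t]
                line += f"  value name changed {sorted(old)} -> {sorted(new)}"
            flags = "; ".join(flag_target(t))
            out.append(line + (f"  [{flags}]" if flags else ""))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(BEFORE_LOG, AFTER_LOG))
```

Entries that persist across a "Fix checked" pass, and especially ones that come back under a new name, point at a component still running at boot that rewrites the keys; that is why the deletion of the files themselves in safe mode matters, not only the HijackThis fix.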


Did you follow the order as listed? Delete the entries in HijackThis and then boot up into safe mode to delete the files?


Yes, I did follow the orders as listed; I deleted the entries in HijackThis and then booted into safe mode and tried to delete everything you listed. I did it all again today because I thought I might have forgotten something, and I really found some more of the things you listed as optional, I don't know why I didn't see them the first time :oops:, but there is still no Twain-Tec program and I can't delete that TV Media file.

 

Here is the new log:

 

Logfile of HijackThis v1.97.7

Scan saved at 16:02:13, on 21.06.2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe

C:\Programme\Virenschutz\AVKService.exe

C:\Programme\Virenschutz\AVKWCtl.exe

C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

C:\PROGRA~1\LONGPL~1\locksway.exe

C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe

C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Broadband Router\Gate-MON V1.10.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE

C:\Programme\Real\RealPlayer\RealPlay.exe

C:\Programme\Microsoft Works\WksSb.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE

C:\Programme\TrojanHunter 3.9\THGuard.exe

C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Programme\Zilla Popup Killer\ZillaPop.exe

C:\Programme\AOL 9.0\aoltray.exe

C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe

C:\Programme\ScanPanel\ScnPanel.exe

C:\Programme\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm...p://about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Programme\TV Media\TvmBho.dll

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain

O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe

O4 - HKLM\..\Run: [winactive] C:\Programme\Window Active\winactive.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"

O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe

O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>

O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "C:\Programme\WebSavingsfromEbates\System\Code" Main lp: "C:\Programme\WebSavingsfromEbates"

O4 - HKLM\..\Run: [mardykfhtpacq] C:\WINDOWS\System32\bojfro.exe

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo

O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe

O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide

O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"

O4 - HKCU\..\Run: [buddyizer] C:\Programme\Aimster\Buddyizer.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe

O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE

O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe

O4 - Global Startup: CAPIControl.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe

O9 - Extra button: Recherche-Assistent (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: MedionShop (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/computercheckup/qdiagcc.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7576.4794212963

O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/viz...N-US/msorun.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab


Due to the number of infections that you have, can you please run through the following procedures and after you have completed them, reboot and post another HijackThis log into this message for further review:

  1. Run either of these free online virus scans.
  2. How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use Ad-Aware. Run this program as soon as possible.
  3. How to use Spybot to remove Spyware <= Please check this link for instructions on how to download, install and then use Spybot. Run this as soon as possible as it may catch things that Ad-Aware misses.
  4. Download, install and run Trojan Hunter (Trial).


I already have Ad-aware, Spybot and Trojan Hunter on the computer and ran them a few times before. I will read again how to use them and then run them and also make the online virus scan and post a new log. Thanks for your help.


I ran the Pandasoftware online scan, which found Trojans, then tried to update Ad-Aware, Spybot and Trojan Hunter; there were no updates for the Trojan Hunter Trial and the others were up to date. I ran them all and fixed what they found, rebooted and ran HijackThis.

Here is the new log:

 

Logfile of HijackThis v1.97.7

Scan saved at 21:02:57, on 21.06.2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe

C:\Programme\Virenschutz\AVKService.exe

C:\Programme\Virenschutz\AVKWCtl.exe

C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE

C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

C:\PROGRA~1\LONGPL~1\locksway.exe

C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE

C:\Broadband Router\Gate-MON V1.10.exe

C:\Programme\Real\RealPlayer\RealPlay.exe

C:\Programme\Microsoft Works\WksSb.exe

C:\Programme\TrojanHunter 3.9\THGuard.exe

C:\WINDOWS\System32\javaw.exe

C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Programme\Zilla Popup Killer\ZillaPop.exe

C:\Programme\AOL 9.0\aoltray.exe

C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe

C:\Programme\ScanPanel\ScnPanel.exe

C:\Programme\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Programme\TV Media\TvmBho.dll

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain

O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe

O4 - HKLM\..\Run: [winactive] C:\Programme\Window Active\winactive.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"

O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe

O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>

O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "C:\Programme\WebSavingsfromEbates\System\Code" Main lp: "C:\Programme\WebSavingsfromEbates"

O4 - HKLM\..\Run: [mardykfhtpacq] C:\WINDOWS\System32\bojfro.exe

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo

O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe

O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide

O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"

O4 - HKCU\..\Run: [buddyizer] C:\Programme\Aimster\Buddyizer.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe

O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE

O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe

O4 - Global Startup: CAPIControl.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe

O9 - Extra button: Recherche-Assistent (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: MedionShop (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/computercheckup/qdiagcc.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7576.4794212963

O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/viz...N-US/msorun.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab


  1. Please reboot into safe mode - How do I boot into "Safe" mode?
  2. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Programme\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
    O4 - HKLM\..\Run: [winactive] C:\Programme\Window Active\winactive.exe
    O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
    O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "C:\Programme\WebSavingsfromEbates\System\Code" Main lp: "C:\Programme\WebSavingsfromEbates"
    O4 - HKLM\..\Run: [mardykfhtpacq] C:\WINDOWS\System32\bojfro.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
  3. The following are optional to delete as they are resource hogs:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
  4. The following FILES, DIRECTORIES and DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.

    1. DIRECTORY CONTENTS (But not the directory)
      • C:\Windows\Temp\
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • Empty your "Recycle Bin"
    2. DIRECTORIES
      • C:\Programme\TV Media\
      • C:\Programme\Window Active\
    3. FILES
      • C:\WINDOWS\mxTarget.dll
      • C:\WINDOWS\System32\stlbupdt.DLL
  5. Reboot again and log in normally, repost a new HijackThis log into this message for further review.


I followed the orders as listed. I could not find C:\Windows\System32\stlbupdt.DLL, but that was one of the files you said I don't have to worry about if they are not present. And in C:\Documents and Settings\default user\Local Settings\Temporary Internet Files\ was something called desktop.ini; when I tried to delete that I got a message that said "This is a System file. If you delete it your system may not run properly." Well, it said something like that in German, but that is the meaning of it. Can I delete that?

When I rebooted in normal mode I had a toolbar on the screen, something like a search bar, and there are still popups.

 

Here is the new log:

 

Logfile of HijackThis v1.97.7

Scan saved at 07:40:37, on 22.06.2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

C:\PROGRA~1\LONGPL~1\locksway.exe

C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE

C:\Broadband Router\Gate-MON V1.10.exe

C:\Programme\Real\RealPlayer\RealPlay.exe

C:\Programme\Microsoft Works\WksSb.exe

C:\Programme\TrojanHunter 3.9\THGuard.exe

C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Programme\Zilla Popup Killer\ZillaPop.exe

C:\Programme\AOL 9.0\aoltray.exe

C:\Programme\ScanPanel\ScnPanel.exe

C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe

C:\Programme\Virenschutz\AVKService.exe

C:\Programme\Virenschutz\AVKWCtl.exe

C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE

C:\Programme\Internet Explorer\iexplore.exe

C:\Programme\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm...://www.aol.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"

O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe

O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo

O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe

O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide

O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"

O4 - HKCU\..\Run: [buddyizer] C:\Programme\Aimster\Buddyizer.exe

O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE

O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe

O4 - Global Startup: CAPIControl.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe

O9 - Extra button: Recherche-Assistent (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: MedionShop (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/computercheckup/qdiagcc.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7576.4794212963

O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/viz...N-US/msorun.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab


Almost clean, just a few more things to do:

  1. How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.
  2. Run HijackThis, click on "Scan" and then place a check mark in the following boxes (If they still exist), And click on "Fix Checked":
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm...://www.aol.com/
  3. The following is a recommended maintenance regime for Windows XP:

    1. Please reboot into safe mode - How do I boot into "Safe" mode?
    2. The following DIRECTORY CONTENTS (But not the directory), DIRECTORIES and FILES, need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". Click on "Apply to All Folders" and then respond "Yes" when prompted and click on "OK" to apply the change. If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
      1. DIRECTORY CONTENTS (But not the directory)
        • %windir%\prefetch\
        • %windir%\Temp\
        • %temp%\
        • %userprofile%\Local Settings\Temp\
        • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
        • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      2. DIRECTORIES
        • Nothing Yet
      3. FILES
        • Nothing Yet
    3. Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". Click on "OK" once more to close the options panel.
    4. Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.
    5. Reboot again and log in normally, repost a new HijackThis log into this message for further review.



Hi,

 

Here is the new log. It seems like some things keep coming back, although I fixed and deleted everything as it was listed.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 18:43:37, on 22.06.2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe

C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

C:\Programme\Virenschutz\AVKService.exe

C:\PROGRA~1\LONGPL~1\locksway.exe

C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

C:\Programme\Virenschutz\AVKWCtl.exe

C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE

C:\Broadband Router\Gate-MON V1.10.exe

C:\Programme\Microsoft Works\WksSb.exe

C:\Programme\TrojanHunter 3.9\THGuard.exe

C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe

C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Programme\Zilla Popup Killer\ZillaPop.exe

C:\Programme\AOL 9.0\aoltray.exe

C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE

C:\Programme\ScanPanel\ScnPanel.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\Programme\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm...p://about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"

O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe

O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo

O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe

O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide

O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"

O4 - HKCU\..\Run: [buddyizer] C:\Programme\Aimster\Buddyizer.exe

O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE

O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe

O4 - Global Startup: CAPIControl.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe

O9 - Extra button: Recherche-Assistent (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: MedionShop (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/computercheckup/qdiagcc.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7576.4794212963

O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/viz...N-US/msorun.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab


  1. How do I boot into "Safe" mode?
  2. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked" (NOTE: This is done while in safe mode):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm...p://about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll
  3. The following is a recommended maintenance regime for Windows XP:

    1. Please reboot into safe mode - How do I boot into "Safe" mode?
    2. The following DIRECTORY CONTENTS (But not the directory), DIRECTORIES and FILES, need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". Click on "Apply to All Folders" and then respond "Yes" when prompted and click on "OK" to apply the change. If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
      1. DIRECTORY CONTENTS (But not the directory)
        • %windir%\prefetch\
        • %windir%\Temp\
        • %temp%\
        • %userprofile%\Local Settings\Temp\
        • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
        • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      2. DIRECTORIES
        • Nothing Yet
      3. FILES
        • Nothing Yet
    3. Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". Click on "OK" once more to close the options panel.
    4. Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.
    5. Reboot again and log in normally, repost a new HijackThis log into this message for further review.
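The replies in this thread compare successive HijackThis logs by eye to see which entries survived a fix. The following is an added example, not HijackThis code and not the helper's, that parses the log format, flags the hijack patterns named in the replies above, and reports which flagged entries persisted between two logs. The sample logs are constructed from lines quoted in this thread; the random-name autorun check is a heuristic of this example only.

```python
"""Parse HijackThis 1.97 logs, flag the hijack patterns fixed in this thread,
and diff two successive logs to see what survived or reappeared after a fix.
Added example; the sample logs are constructed from lines quoted in the thread."""
import re
from dataclasses import dataclass

# A HijackThis entry line: section tag (R0..R3, O1..O2x), " - ", the rest.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# Indicators taken from the entries the helper told the poster to fix.
# The last one is a heuristic of this example: a long random lower-case Run
# name pointing at a short random lower-case .exe directly in System32.
BAD_PATTERNS = {
    "search200 / sp.html search hijack": re.compile(r"search200\.com|\\Temp\\sp\.html", re.I),
    "about:blank homepage hijack": re.compile(r"HomeOldSP = about:blank", re.I),
    "TV Media adware": re.compile(r"\\TV Media\\", re.I),
    "Window Active adware": re.compile(r"\\Window Active\\|mxTarget\.dll|stlbupdt\.dll", re.I),
    "unknown Winsock LSP": re.compile(r"^O10 - Unknown file in Winsock LSP", re.I),
    "HTML error text as Run value": re.compile(r"<TITLE>Error", re.I),
    "random-name autorun in System32": re.compile(
        r"^O4 - .*: \[[a-z]{10,}\] C:\\WINDOWS\\System32\\[a-z]{5,8}\.exe$"),
}


@dataclass(frozen=True, order=True)
class Entry:
    section: str  # "R0", "O4", "O10", ...
    body: str     # everything after the " - "

    @property
    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_log(text: str):
    """Keep only R*/O* entries; the header and 'Running processes' lines are dropped."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def flag_entries(entries):
    """[(reason, entry)] for every entry matching a known-bad pattern (first match wins)."""
    hits = []
    for e in entries:
        for reason, pat in BAD_PATTERNS.items():
            if pat.search(e.line):
                hits.append((reason, e))
                break
    return hits


def diff_logs(before, after):
    """(removed, added, persisted) as sorted lists of unique entries.
    HijackThis lists the same LSP twice, so logs are compared as sets."""
    b, a = set(before), set(after)
    return sorted(b - a), sorted(a - b), sorted(a & b)


def persistent_bad(before, after):
    """Flagged entries present in both logs: never removed, or reinstalled in between."""
    return flag_entries(diff_logs(before, after)[2])


# Constructed from the thread's 14.06 log (before) and 22.06 18:43 log (after).
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Programme\TV Media\TvmBho.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O4 - HKLM\..\Run: [mardykfhtpacq] C:\WINDOWS\System32\bojfro.exe
O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
"""

LOG_AFTER = r"""Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm...p://about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
"""

if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    removed, added, persisted = diff_logs(before, after)
    print(f"removed {len(removed)}, added {len(added)}, persisted {len(persisted)}")
    for reason, e in persistent_bad(before, after):
        print(f"STILL BAD [{reason}]: {e.line}")
    for reason, e in flag_entries(added):
        print(f"NEW BAD   [{reason}]: {e.line}")
```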



Here is the new log after doing everything in safe mode:

 

 

Logfile of HijackThis v1.97.7

Scan saved at 20:05:02, on 22.06.2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe

C:\Programme\Virenschutz\AVKService.exe

C:\Programme\Virenschutz\AVKWCtl.exe

C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe

C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

C:\PROGRA~1\LONGPL~1\locksway.exe

C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE

C:\Broadband Router\Gate-MON V1.10.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE

C:\Programme\Microsoft Works\WksSb.exe

C:\Programme\TrojanHunter 3.9\THGuard.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Programme\Zilla Popup Killer\ZillaPop.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE

C:\Programme\AOL 9.0\aoltray.exe

C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe

C:\Programme\ScanPanel\ScnPanel.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Programme\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm...p://about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"

O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe

O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo

O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe

O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide

O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"

O4 - HKCU\..\Run: [buddyizer] C:\Programme\Aimster\Buddyizer.exe

O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE

O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE

O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe

O4 - Global Startup: CAPIControl.lnk = ?

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe

O9 - Extra button: Recherche-Assistent (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: MedionShop (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/computercheckup/qdiagcc.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7576.4794212963

O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/viz...N-US/msorun.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab


The only entry still showing as bad is:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.htm...p://about:blank

 

If you can, delete that through HijackThis.

 

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.


I deleted that one bad entry with HijackThis but it kept coming back, and the entries that I deleted yesterday in safe mode were back too. I downloaded and installed the programs you recommended for protection (can't run SpywareBlaster, I keep getting a message that the program is damaged; I reinstalled it a few times but it still doesn't work) and deleted everything you listed yesterday again in safe mode. It seems like it works now. When Windows starts I get a message from SpywareGuard that an attempt from search200.com was detected to change the start page. I clicked "restore old values" and none of the bad entries appeared in the HijackThis log again, and there weren't any popups so far :) but I will still post one more log, just to make sure.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 13:27:54, on 23.06.2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

C:\Programme\Browser mouse\1.3\mouse32a.exe

C:\PROGRA~1\LONGPL~1\locksway.exe

C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe

C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE

C:\Broadband Router\Gate-MON V1.10.exe

C:\Programme\Virenschutz\AVKService.exe

C:\Programme\Microsoft Works\WksSb.exe

C:\Programme\Virenschutz\AVKWCtl.exe

C:\Programme\TrojanHunter 3.9\THGuard.exe

C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe

C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE

C:\Programme\AOL 9.0\aoltray.exe

C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\Programme\ScanPanel\ScnPanel.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Programme\SpywareGuard\sgmain.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE

C:\Programme\SpywareGuard\sgbhp.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Programme\Mozilla Firefox\firefox.exe

C:\Programme\Hijackthis\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programme\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"

O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo

O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - Startup: SpywareGuard.lnk = C:\Programme\SpywareGuard\sgmain.exe

O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe

O4 - Global Startup: CAPIControl.lnk = ?

O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe

O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Programme\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Recherche-Assistent (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: MedionShop (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/computercheckup/qdiagcc.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7576.4794212963

O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/viz...N-US/msorun.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

Share this post


Link to post
Share on other sites

I am still seeing a problem - That is with the O10 entries.

 

Please follow the instructions below to remove TargetSoft.inetadpt manually. Please note that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If TargetSoft.inetadpt remains on your system after stepping through the removal instructions, please double-check by stepping through them again. Please note that inetadpt.dll is a layered socket provider that can break your internet connection if it is removed incorrectly.

  1. Download and run LSPFix.
  2. Check 'I know what I'm doing'.
  3. Select 'inetadpt.dll'.
  4. Click the right-pointing arrow.
  5. Click 'Finished'.
  6. Restart your computer.
  7. Delete the following file: %SystemDir%\inetadpt.dll - Note: %SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Please post another HijackThis log once you are done so that I can verify it is clean.

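The two findings the helper worked through in this thread, the R0 start-page hijack and the duplicated O10 "Unknown file in Winsock LSP" line, are both things a reader can pull out of a HijackThis log mechanically. The following is an added example, not code from the original posts or from HijackThis itself: a small Python triage script for HijackThis 1.97-style log lines. The sample log embedded in it is constructed for this example from the entry formats visible above (with the truncated search200.com URL cut at the visible prefix), the allow-list of acceptable start-page hosts is an assumption, and the check on O16 entries whose download host is a bare IP address is a review heuristic assumed here, not a verdict on any entry in the posted logs. Two O10 lines naming the same DLL are reported as a count of 2, which is consistent with the DLL being registered in the Winsock catalog more than once and is why the helper's instructions say every item must be removed.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 line format, modelled on the entries discussed
# in this thread. It is not a real log and the R0 URL is only the prefix visible above.
SAMPLE_LOG = """Logfile of HijackThis v1.97.7
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://search200.com/passthrough/index.htm
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\\Programme\\SpywareGuard\\dlprotect.dll
O4 - HKLM\\..\\Run: [THGuard] "C:\\Programme\\TrojanHunter 3.9\\THGuard.exe"
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\inetadpt.dll
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

# Every HijackThis finding starts with a section tag such as R0, O4 or O10, then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
START_PAGE_RE = re.compile(r"Start Page = (?P<url>\S+)")
LSP_RE = re.compile(r"Winsock LSP: (?P<path>.+)$")
DPF_RE = re.compile(r"DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")

# Assumption for this example: hosts a home IE user might legitimately have as start page.
DEFAULT_START_PAGE_HOSTS = {"www.microsoft.com", "www.msn.com", "www.aol.de"}


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every finding line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def start_page_hijacks(entries, allowed_hosts=DEFAULT_START_PAGE_HOSTS) -> List[str]:
    """R0/R1 start-page values whose host is neither about:blank nor on the allow-list."""
    bad = []
    for section, body in entries:
        if section not in ("R0", "R1"):
            continue
        m = START_PAGE_RE.search(body)
        if not m or m.group("url") == "about:blank":
            continue
        host = (urlparse(m.group("url")).hostname or "").lower()
        if host not in allowed_hosts:
            bad.append(m.group("url"))
    return bad


def lsp_dll_counts(entries) -> Dict[str, int]:
    """How many O10 catalog entries point at each unknown LSP DLL (path lower-cased)."""
    counts = Counter()
    for section, body in entries:
        if section == "O10":
            m = LSP_RE.search(body)
            if m:
                counts[m.group("path").strip().lower()] += 1
    return dict(counts)


def dpf_from_ip_literal(entries) -> List[str]:
    """Heuristic only: O16 ActiveX downloads served from a bare IP address, for manual review."""
    hits = []
    for section, body in entries:
        if section != "O16":
            continue
        m = DPF_RE.search(body)
        if not m:
            continue
        host = urlparse(m.group("url")).hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # a DNS name, not an IP literal
        hits.append(m.group("url"))
    return hits


def triage(text: str) -> dict:
    entries = parse_log(text)
    return {
        "start_page": start_page_hijacks(entries),
        "lsp_dlls": lsp_dll_counts(entries),
        "dpf_ip_hosts": dpf_from_ip_literal(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved HijackThis log by passing the file contents to `triage()`. The O10 count is the piece worth paying attention to: a DLL that shows up in more than one catalog entry has to be unchained from every one of them (which is what LSPFix does) before the file itself is deleted, otherwise Winsock is left pointing at a missing provider and the internet connection breaks, exactly the failure the helper warns about.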

Here is the new log after running LSPFix as instructed and deleting the inetadpt.dll file:

 

Logfile of HijackThis v1.97.7

Scan saved at 19:06:53, on 23.06.2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

C:\Programme\Browser mouse\1.3\mouse32a.exe

C:\PROGRA~1\LONGPL~1\locksway.exe

C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE

C:\Broadband Router\Gate-MON V1.10.exe

C:\Programme\Microsoft Works\WksSb.exe

C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe

C:\Programme\TrojanHunter 3.9\THGuard.exe

C:\Programme\Virenschutz\AVKService.exe

C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

C:\Programme\Virenschutz\AVKWCtl.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Programme\Netscape\Netscape\Netscp.exe

C:\Programme\AOL 9.0\aoltray.exe

C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe

C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe

C:\Programme\ScanPanel\ScnPanel.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Programme\SpywareGuard\sgmain.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE

C:\Programme\SpywareGuard\sgbhp.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Programme\Hijackthis\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programme\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE

O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"

O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe

O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo

O4 - Startup: SpywareGuard.lnk = C:\Programme\SpywareGuard\sgmain.exe

O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe

O4 - Global Startup: CAPIControl.lnk = ?

O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe

O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Programme\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Recherche-Assistent (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: MedionShop (HKCU)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/computercheckup/qdiagcc.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7576.4794212963

O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.microsoft.com/download/viz...N-US/msorun.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab


:) Thank you so much for spending your time to help! (and upgrading my English language skills)

 

Patricia


It has been our pleasure to help you :)

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

This topic is now closed to further replies.