Need help getting rid of spyware popups,


This topic is locked. 28 replies to this topic.

#1 pattya1122 (Full Member, 16 posts)

Posted 14 June 2004 - 07:44 AM

When I use the AOL browser, a series of popups from http://vn.msie.tv/popup3.php?pin=2 appears. If I try to close them, my screen freezes. I don't know much about computers and I couldn't find a German site for help, so I hope someone here can help me. I ran Ad-Aware, restarted the computer and ran HijackThis, but I don't have any idea what the things in the log file mean, so hopefully someone can help me fix that problem.

#2 pattya1122 (Full Member, 16 posts)

Posted 14 June 2004 - 07:50 AM

Here is the log of HijackThis:


Logfile of HijackThis v1.97.7
Scan saved at 13:46:03, on 14.06.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
C:\Programme\Virenschutz\AVKService.exe
C:\Programme\Virenschutz\AVKWCtl.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
C:\Programme\Browser mouse\1.3\mouse32a.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\PROGRA~1\LONGPL~1\locksway.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE
C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE
C:\WINDOWS\dhbrwsr.exe
C:\WINDOWS\System32\bojfro.exe
C:\Broadband Router\Gate-MON V1.10.exe
C:\Programme\T-DSL SpeedManager\SpeedMgr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\RCPrograms\v2\prizesurfer.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Microsoft Works\WksSb.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE
C:\Programme\ISTsvc\istsvc.exe
C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
C:\Programme\ClockSync\Sync.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Programme\Zilla Popup Killer\ZillaPop.exe
C:\Programme\AOL 9.0\aoltray.exe
C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\ScanPanel\ScnPanel.exe
C:\Dokumente und Einstellungen\Fam. Krüger\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jcgec.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jcgec.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jcgec.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jcgec.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jcgec.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\home.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jcgec.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0cj.net/cat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=ZillaPopupKiller:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Programme\TV Media\TvmBho.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {087173EF-9829-4F49-8340-A524177D3F60} - C:\WINDOWS\System32\inetp60.dll
O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O2 - BHO: (no name) - {867F19F8-50F4-41B7-97A5-77AF6BBFA070} - C:\WINDOWS\System32\jcgec.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RCSync] C:\Programme\RCPrograms\RCSync.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe
O4 - HKLM\..\Run: [winactive] C:\Programme\Window Active\winactive.exe
O4 - HKLM\..\Run: [mswdtc.exe] C:\WINDOWS\System32\mswdtc.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"
O4 - HKLM\..\Run: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - HKLM\..\Run: [nuylb] C:\WINDOWS\ivubn.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [eryp] C:\WINDOWS\eryp.exe
O4 - HKLM\..\Run: [bwenceowbyw] C:\WINDOWS\System32\bojfro.exe
O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WetGirls_gb] C:\Program Files\GMSoft\Dialers\WetGirls_gb\WetGirls_gb.exe /dontdial
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\System32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PrizeSurfer] C:\Programme\RCPrograms\v2\prizesurfer.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe
O4 - HKLM\..\Run: [LiveGirls_gb] C:\Program Files\GMSoft\Dialers\LiveGirls_gb\LiveGirls_gb.exe /dontdial
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HTML>
O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net...net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net...net/">GANDI</A> then parked.
O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [mswdtc.exe] C:\WINDOWS\System32\mswdtc.exe
O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
O4 - HKCU\..\Run: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - HKCU\..\Run: [ClockSync] C:\Programme\ClockSync\Sync.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe
O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide
O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [care0039] c:\windows\care0039.exe -m
O4 - HKCU\..\Run: [Buddyizer] C:\Programme\Aimster\Buddyizer.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O4 - Global Startup: CAPIControl.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Programme\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe
O9 - Extra button: Recherche-Assistent (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: MedionShop (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freenet.de
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../DE/install.cab
O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://www.tnc4u.com/MCInst.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/...kup/qdiagcc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...n/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7576.4794212963
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.micr...N-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
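
A HijackThis log like the one above is only a listing of browser settings, COM registrations and autostart locations; the entries that matter are the ones that are percent-encoded ("(obfuscated)"), point IE's search pages at a local DLL resource, register a BHO or toolbar with no backing file, reuse one CLSID as both a toolbar and a Run-key name, or contain HTML tags where a command line should be. The script below is an added example, not part of this thread and not code from HijackThis or any of the tools mentioned here: it parses lines in this log format and applies exactly those heuristics. The sample log embedded in it is a constructed subset of the log above, and the `BAD_DOMAINS` list is taken from this thread's log only, not from any vendor blocklist.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlparse

# Constructed sample: a subset of the HijackThis log posted above, embedded so the
# script runs offline. In practice read a saved hijackthis.log and pass its text in.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jcgec.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://%34%2Dv%2Enet/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {867F19F8-50F4-41B7-97A5-77AF6BBFA070} - C:\WINDOWS\System32\jcgec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HTML>
O4 - HKLM\..\Run: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - HKCU\..\Run: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
"""

# Domains taken from this thread's log only (not a vendor blocklist); extend as needed.
BAD_DOMAINS = ("0cj.net", "4-v.net", "search200.com")

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
MARKERS = ("(obfuscated)", "(file missing)", "(no file)")  # annotations HijackThis appends


def _strip_markers(s):
    for mk in MARKERS:
        s = s.replace(mk, "")
    return s.strip()


def parse_log(text):
    """Turn 'Rx - ...' / 'Oxx - ...' lines into dicts; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        e = {"kind": kind, "raw": raw, "flags": {mk for mk in MARKERS if mk in body},
             "clsid": None, "value": None, "path": None}
        c = CLSID_RE.search(body)
        if c:
            e["clsid"] = c.group(0).upper()
        if kind[0] == "R":                      # registry value = URL/string
            if " = " in body:
                e["value"] = _strip_markers(body.split(" = ", 1)[1])
            elif body.endswith(" ="):
                e["value"] = ""
        elif kind in ("O2", "O3"):              # BHO / toolbar: CLSID - DLL path
            tail = re.search(r"\} - (.+)$", body)
            if tail:
                e["path"] = _strip_markers(tail.group(1))
        elif kind == "O4":                      # autostart: hive\..\Run: [name] command
            o4 = O4_RE.match(body)
            if o4:
                e.update(o4.groupdict())
        entries.append(e)
    return entries


def triage(text, bad_domains=BAD_DOMAINS):
    """Apply the heuristics from the lead-in and return a list of {rule, raw, detail}."""
    entries = parse_log(text)
    findings, by_clsid, o4_locations = [], defaultdict(list), defaultdict(list)
    res_dlls = set()  # DLLs that IE search settings are served from via res://
    for e in entries:
        r = re.match(r"res://(.+?\.dll)", e["value"] or "", re.IGNORECASE)
        if r:
            res_dlls.add(r.group(1).lower())

    for e in entries:
        kind = e["kind"]
        if e["clsid"]:
            by_clsid[e["clsid"]].append(kind)
        if kind[0] == "R" and e["value"]:
            decoded = unquote(e["value"])
            if decoded != e["value"]:  # percent-encoding hides where the setting really points
                findings.append({"rule": "obfuscated-url", "raw": e["raw"], "detail": decoded})
            if decoded.lower().startswith("res://"):  # search page served out of a local DLL
                findings.append({"rule": "local-res-search-page", "raw": e["raw"], "detail": decoded})
            u = urlparse(decoded)
            if u.scheme in ("http", "https") and u.hostname in bad_domains:
                findings.append({"rule": "bad-domain", "raw": e["raw"], "detail": u.hostname})
        elif kind in ("O2", "O3"):
            if e["flags"] & {"(file missing)", "(no file)"}:  # COM registration, no backing file
                findings.append({"rule": "orphaned-com-object", "raw": e["raw"], "detail": e["clsid"]})
            elif e["path"] and e["path"].lower() in res_dlls:  # same DLL as the hijacked search page
                findings.append({"rule": "bho-backs-search-hijack", "raw": e["raw"], "detail": e["path"]})
        elif kind == "O4" and e.get("cmd") is not None:
            if "<" in e["name"] or "<" in e["cmd"]:  # HTML written where a command line belongs
                findings.append({"rule": "html-in-run-value", "raw": e["raw"], "detail": e["cmd"]})
            o4_locations[e["name"]].append(e["hive"] + "\\" + e["key"])
        elif kind == "O10":  # LSP entry: deleting only the DLL breaks the Winsock chain
            findings.append({"rule": "unknown-lsp", "raw": e["raw"],
                             "detail": "unregister from the Winsock catalog, do not just delete the DLL"})

    for clsid, kinds in by_clsid.items():
        if len(set(kinds)) > 1:  # one CLSID registered as toolbar/BHO and reused as a Run name
            findings.append({"rule": "clsid-crossref", "raw": clsid, "detail": sorted(set(kinds))})
    for name, locs in o4_locations.items():
        if len(locs) > 1:  # same autostart name in several hives/keys
            findings.append({"rule": "multi-hive-persistence", "raw": name, "detail": locs})
    return findings


def rule_counts(findings):
    """Summarise findings as {rule: count} for a one-line overview."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["rule"]:24} {f["raw"][:72]}')
        print(f'{"":24} -> {f["detail"]}')
```

Run as-is it triages the embedded sample; pass in the text of a full log for a real case. The rules are deliberately narrow: benign entries such as NeroCheck or AcroIEHelper produce no finding, and the O10 rule only reports, because a registered LSP DLL has to be unregistered from the Winsock catalog rather than deleted.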

#3 pattya1122 (Full Member, 16 posts)

Posted 17 June 2004 - 04:29 AM

Yesterday I read the "Pinned" topics at the top of the first page and realized that I hadn't cleaned up the computer as recommended before posting here. I did that after reading the instructions: I ran Spybot, Ad-Aware, TrojanHunter and CWShredder and fixed the things that were found.
I also tried to run a virus scan, but the mouse cursor went out of control when I opened the G DATA program, so I couldn't do that. I restarted the computer and ran HijackThis. The popups are still there but I can close them now, and the screen doesn't freeze anymore, but now Netscape doesn't open, I keep getting the Windows message "Not enough virtual memory", and the computer keeps downloading the same 2 Windows updates and tells me to install them although I already did that.

Here is the new HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 18:19:36, on 16.06.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
C:\Programme\Virenschutz\AVKService.exe
C:\Programme\Virenschutz\AVKWCtl.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
C:\Programme\Browser mouse\1.3\mouse32a.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\LONGPL~1\locksway.exe
C:\Programme\Window Active\winactive.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\DHUpdt.exe
C:\WINDOWS\dhbrwsr.exe
C:\WINDOWS\System32\bojfro.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE
C:\Broadband Router\Gate-MON V1.10.exe
C:\Programme\RCPrograms\v2\prizesurfer.exe
C:\WINDOWS\System32\snmp.exe
C:\Programme\Microsoft Works\WksSb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE
C:\Programme\TrojanHunter 3.9\THGuard.exe
C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Programme\Zilla Popup Killer\ZillaPop.exe
C:\Programme\AOL 9.0\aoltray.exe
C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe
C:\Programme\ScanPanel\ScnPanel.exe
C:\Programme\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...ex.html?http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\home.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0cj.net/cat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=ZillaPopupKiller:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Programme\TV Media\TvmBho.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RCSync] C:\Programme\RCPrograms\RCSync.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe
O4 - HKLM\..\Run: [winactive] C:\Programme\Window Active\winactive.exe
O4 - HKLM\..\Run: [mswdtc.exe] C:\WINDOWS\System32\mswdtc.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"
O4 - HKLM\..\Run: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - HKLM\..\Run: [nuylb] C:\WINDOWS\ivubn.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [eryp] C:\WINDOWS\eryp.exe
O4 - HKLM\..\Run: [bwenceowbyw] C:\WINDOWS\System32\bojfro.exe
O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WetGirls_gb] C:\Program Files\GMSoft\Dialers\WetGirls_gb\WetGirls_gb.exe /dontdial
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PrizeSurfer] C:\Programme\RCPrograms\v2\prizesurfer.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe
O4 - HKLM\..\Run: [LiveGirls_gb] C:\Program Files\GMSoft\Dialers\LiveGirls_gb\LiveGirls_gb.exe /dontdial
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HTML>
O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net...net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net...net/">GANDI</A> then parked.
O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [mswdtc.exe] C:\WINDOWS\System32\mswdtc.exe
O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
O4 - HKCU\..\Run: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe
O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide
O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [care0039] c:\windows\care0039.exe -m
O4 - HKCU\..\Run: [Buddyizer] C:\Programme\Aimster\Buddyizer.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O4 - Global Startup: CAPIControl.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe
O9 - Extra button: Recherche-Assistent (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: MedionShop (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freenet.de
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../DE/install.cab
O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://www.tnc4u.com/MCInst.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/...kup/qdiagcc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...n/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7576.4794212963
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.micr...N-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab

#4 pattya1122 (Full Member, 16 posts)

Posted 17 June 2004 - 10:08 AM

Bump

#5 pattya1122 (Full Member, 16 posts)

Posted 17 June 2004 - 11:20 PM

Bump

#6 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 18 June 2004 - 03:15 PM

:) Just so that you know you are not being ignored: I will handle this case for you, but I need to ask for your patience while I review the log.

Please keep an eye on this message for a resolution shortly.

#7 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 18 June 2004 - 03:32 PM

  • How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder, which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it, and be sure to click on the "Fix" button.
  • Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "P2P Networking.exe". If you find the file, click it, and then click End Process => Exit the Task Manager.
  • We need to remove a program called "Twain-Tec". To do this, first you need to disable System Restore as per the instructions here. Twaintec.dll is a transponder. HijackThis will detect it as a BHO, but it must not be removed using HijackThis, because of the remaining registry entries and files, which can be dangerous. Instead, the following method of removal is preferable and complete:
    Go to "Add/Remove Programs" => Uninstall "Twain-Tech". Reboot the computer into Safe Mode (How do I boot into "Safe" mode?). Delete twaintec.dll and twaintec.ini. If twaintec.dll is in use, you will need to rename it, reboot the computer, and then delete it.
  • Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...ex.html?http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\home.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0cj.net/cat
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0cj.net/cat
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=ZillaPopupKiller:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Programme\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
    O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
    O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - (no file)
    O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [RCSync] C:\Programme\RCPrograms\RCSync.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [mswdtc.exe] C:\WINDOWS\System32\mswdtc.exe
    O4 - HKLM\..\Run: [TV Media] C:\Programme\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [nuylb] C:\WINDOWS\ivubn.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
    O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
    O4 - HKLM\..\Run: [eryp] C:\WINDOWS\eryp.exe
    O4 - HKLM\..\Run: [bwenceowbyw] C:\WINDOWS\System32\bojfro.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [WetGirls_gb] C:\Program Files\GMSoft\Dialers\WetGirls_gb\WetGirls_gb.exe /dontdial
    O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
    O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
    O4 - HKLM\..\Run: [PrizeSurfer] C:\Programme\RCPrograms\v2\prizesurfer.exe
    O4 - HKLM\..\Run: [LiveGirls_gb] C:\Program Files\GMSoft\Dialers\LiveGirls_gb\LiveGirls_gb.exe /dontdial
    O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HTML>
    O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
    O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net...net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net...net/">GANDI</A> then parked.
    O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>
    O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
    O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
    O4 - HKCU\..\Run: [mswdtc.exe] C:\WINDOWS\System32\mswdtc.exe
    O4 - HKCU\..\Run: [TV Media] C:\Programme\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [care0039] c:\windows\care0039.exe -m
    O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freenet.de
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../DE/install.cab
    O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://www.tnc4u.com/MCInst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab
  • The following are optional to delete as they are resource hogs:
  • Please reboot into safe mode - How do I boot into "Safe" mode?
  • The following FILES, DIRECTORIES and DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc. listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
    • DIRECTORY CONTENTS (But not the directory)
      • C:\Windows\Temp\
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • Empty your "Recycle Bin"
    • DIRECTORIES
      • C:\Programme\TV Media\
      • C:\WINDOWS\System32\P2P Networking\
      • C:\Program Files\webHancer\
      • C:\Programme\RCPrograms\
      • C:\Program Files\GMSoft\Dialers
    • FILES
      • C:\WINDOWS\home.htm
      • C:\WINDOWS\bxxs5.dll
      • C:\WINDOWS\System32\stlbupdt.DLL
      • C:\WINDOWS\System32\mswdtc.exe
      • C:\WINDOWS\ivubn.exe
      • C:\WINDOWS\DHUpdt.exe
      • C:\WINDOWS\dhbrwsr.exe
      • C:\WINDOWS\eryp.exe
      • C:\WINDOWS\System32\bojfro.exe
      • C:\Programme\RCPrograms\v2\prizesurfer.exe
      • C:\WINDOWS\System32\mswdtc.exe
  • Reboot again and log in normally, repost a new HijackThis log into this message for further review.
p.s. Next time, please actually run all the programs suggested and don't just say that they have been run, as most of these infections would have been cleaned. Thank you for your consideration.

#8 pattya1122

Posted 18 June 2004 - 04:55 PM

PGPhantom,

Thank you very much for your help.
But there is something that I don't understand.
You asked me to next time actually run the programs and not just say I did :wtf: , well I did really run them and fixed everything they found and then posted the second HijackThis log yesterday, so I am not sure where my mistake was.
Anyway, I will follow your instructions and then post a new log.

#9 PGPhantom

Posted 18 June 2004 - 05:35 PM

Just ignore me ... :) It has been a long day fighting this stuff, far too many new infections cropping up. Please do post a new log once you have cleaned everything up ...

#10 pattya1122

Posted 20 June 2004 - 03:58 AM

PGPhantom,

I followed the instructions but wasn't able to do everything.
I could not remove the program Twain-Tech with "Add/Remove Programs" because it wasn't listed there. I tried to find it with the search assistant but got no result. I did find the following files:
twaintec.ini C:\Windows
twaintec.dll.tcf C:\Windows
twaintec.dll.tcf C:\Windows\LastGood
twaintec.ini C:\Windows\LastGood

I haven't deleted them yet because I wasn't sure if these are the right ones.

When I tried to delete C:\Programme\TV Media I got the message:
can't delete TvmBHo.dll
access denied
I ran HijackThis and check marked the things you listed and clicked fix but the new log still shows things that I marked for fixing before.
When Windows starts I get the message:
RUNDLL
can't load C:\Windows\System32\stlbupdt.DLL
Modul not found

and another window opens with the following information:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

I still get the messages "not enough virtual memory" and the one for installing the same Windows Updates again.
The popups freeze the screen again when using the aol browser. :ugh:
Here is the new log:

Logfile of HijackThis v1.97.7
Scan saved at 19:55:30, on 19.06.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
C:\Programme\Virenschutz\AVKService.exe
C:\Programme\Virenschutz\AVKWCtl.exe
C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
C:\PROGRA~1\LONGPL~1\locksway.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Broadband Router\Gate-MON V1.10.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\Microsoft Works\WksSb.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE
C:\Programme\TrojanHunter 3.9\THGuard.exe
C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Programme\Zilla Popup Killer\ZillaPop.exe
C:\Programme\AOL 9.0\aoltray.exe
C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe
C:\Programme\ScanPanel\ScnPanel.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Programme\TV Media\TvmBho.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12BAEC26-7088-43D2-B949-F08D0B8A5A63} - C:\WINDOWS\System32\cbhlci.dll
O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe
O4 - HKLM\..\Run: [winactive] C:\Programme\Window Active\winactive.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"
O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe
O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "C:\Programme\WebSavingsfromEbates\System\Code" Main lp: "C:\Programme\WebSavingsfromEbates"
O4 - HKLM\..\Run: [mardykfhtpacq] C:\WINDOWS\System32\bojfro.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe
O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide
O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [Buddyizer] C:\Programme\Aimster\Buddyizer.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O4 - Global Startup: CAPIControl.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe
O9 - Extra button: Recherche-Assistent (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: MedionShop (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/...kup/qdiagcc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...n/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7576.4794212963
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.micr...N-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
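
The helper's fix list in #7 and the log posted in #10 above show the two practical problems of this thread: entries that survive a "Fix Checked" pass, and a Run value (bojfro.exe) that reappears under a different random name so a plain line-by-line comparison misses it. The checker below is an added example, not part of HijackThis or of the forum's own tooling; it parses the R*/O* lines of a HijackThis v1.97 log, reports which fix-list lines a later log still contains, and flags the patterns these particular logs exhibit (search pages pointing at a Temp file, HTML fragments written into Run values, Run values naming no executable, duplicated LSP lines). The sample lines are constructed from the thread's own logs, shortened; the flag labels are mine.

```python
"""Compare a later HijackThis log against a helper's 'Fix Checked' list.

Added example for this thread; not part of HijackThis or the forum's tooling.
Sample lines are constructed from the logs posted in the thread (shortened).
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# "R1 - ..." / "O4 - ..." lines; header and process list carry no such prefix.
LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<rest>.*)$")
# O4 registry autostarts: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] ?(?P<command>.*)$"
)
EXEC_EXT_RE = re.compile(r"\.(exe|dll|ocx|scr|com|bat|cmd)\b", re.IGNORECASE)

@dataclass(frozen=True)
class Entry:
    line: str     # the log line as printed, whitespace-trimmed
    section: str  # "R1", "O4", "O10", ...
    rest: str     # text after "O4 - "
    ident: str    # normalized key used to match entries across logs

def normalize(text: str) -> str:
    return " ".join(text.split()).lower()

def identity(section: str, rest: str) -> str:
    """O4 Run values may carry random names that change between boots (bojfro.exe
    is [bwenceowbyw] in one of the thread's logs and [mardykfhtpacq] in the next),
    so O4 entries are keyed on hive, key and command line, not on the name."""
    m = RUN_RE.match(rest) if section == "O4" else None
    if m:
        return normalize(f"O4 {m['hive']}\\..\\{m['key']}: {m['command']}")
    return normalize(f"{section} - {rest}")

def parse_log(text: str) -> list[Entry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(line, m["section"], m["rest"], identity(m["section"], m["rest"])))
    return entries

def still_present(fix_list: str, new_log: str) -> list[str]:
    """Lines of the helper's fix list that the later log still contains."""
    present = {e.ident for e in parse_log(new_log)}
    return [e.line for e in parse_log(fix_list) if e.ident in present]

def flag_entries(entries: list[Entry]) -> list[tuple[str, str]]:
    """(reason, line) pairs for the patterns this thread's logs exhibit."""
    flags: list[tuple[str, str]] = []
    seen: set[str] = set()
    for e in entries:
        if e.ident in seen:  # e.g. the O10 LSP line printed twice
            flags.append(("duplicate entry (listed twice in one log)", e.line))
        seen.add(e.ident)
        lowered = e.rest.lower()
        if e.section.startswith("R") and "file://" in lowered and "\\temp\\" in lowered:
            flags.append(("search/start page points at a file in a Temp folder", e.line))
        m = RUN_RE.match(e.rest) if e.section == "O4" else None
        if m is None:
            continue  # not a registry Run value; nothing more to check
        if "<" in m["name"] or "<" in m["command"]:  # error page written into the key
            flags.append(("HTML fragment stored as a Run value", e.line))
        elif not EXEC_EXT_RE.search(m["command"]):
            flags.append(("Run value names no executable file", e.line))
    return flags

# Constructed from the helper's fix list in post #7 (a few of its lines).
FIX_LIST = r"""
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [bwenceowbyw] C:\WINDOWS\System32\bojfro.exe
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HTML>
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
"""

# Constructed from the log posted afterwards in post #10 (shortened).
NEW_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [mardykfhtpacq] C:\WINDOWS\System32\bojfro.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "C:\Programme\WebSavingsfromEbates\System\Code" Main lp: "C:\Programme\WebSavingsfromEbates"
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
"""

if __name__ == "__main__":
    for line in still_present(FIX_LIST, NEW_LOG):
        print("STILL PRESENT:", line)
    for reason, line in flag_entries(parse_log(NEW_LOG)):
        print(f"FLAG ({reason}): {line}")
```

Feeding it the full fix list from #7 and the complete log from #10 gives the list of surviving items to re-check in safe mode, which is what the helper asks for next.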

#11 PGPhantom

Posted 21 June 2004 - 09:10 AM

Did you follow the order as listed? Delete the entries in HijackThis and then boot up into safe mode to delete the files?

#12 pattya1122

Posted 21 June 2004 - 09:33 AM

Yes I did follow the orders as listed, I deleted the entries in HijackThis and then booted into safe mode and tried to delete everything you listed. I did it all again today because I thought I maybe forgot something and I really found some more of the things you listed as optional, I don't know why I didn't see them the first time :oops: , but there is still no Twain-Tec program and I can't delete that TV Media file.

Here is the new log:

Logfile of HijackThis v1.97.7
Scan saved at 16:02:13, on 21.06.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
C:\Programme\Virenschutz\AVKService.exe
C:\Programme\Virenschutz\AVKWCtl.exe
C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
C:\PROGRA~1\LONGPL~1\locksway.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Broadband Router\Gate-MON V1.10.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\Microsoft Works\WksSb.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE
C:\Programme\TrojanHunter 3.9\THGuard.exe
C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Programme\Zilla Popup Killer\ZillaPop.exe
C:\Programme\AOL 9.0\aoltray.exe
C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe
C:\Programme\ScanPanel\ScnPanel.exe
C:\Programme\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...p://about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Programme\TV Media\TvmBho.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe
O4 - HKLM\..\Run: [winactive] C:\Programme\Window Active\winactive.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"
O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe
O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "C:\Programme\WebSavingsfromEbates\System\Code" Main lp: "C:\Programme\WebSavingsfromEbates"
O4 - HKLM\..\Run: [mardykfhtpacq] C:\WINDOWS\System32\bojfro.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe
O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide
O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [Buddyizer] C:\Programme\Aimster\Buddyizer.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O4 - Global Startup: CAPIControl.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe
O9 - Extra button: Recherche-Assistent (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: MedionShop (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/...kup/qdiagcc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...n/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7576.4794212963
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.micr...N-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab

#13 PGPhantom

Posted 21 June 2004 - 09:53 AM

Due to the number of infections that you have, can you please run through the following procedures and after you have completed them, reboot and post another HijackThis log into this message for further review:

#14 pattya1122

Posted 21 June 2004 - 10:28 AM

I already have Ad-aware, Spybot and Trojan Hunter on the computer and ran them a few times before. I will read again how to use them and then run them and also make the online virus scan and post a new log. Thanks for your help.

#15 PGPhantom

Posted 21 June 2004 - 10:30 AM

Please make sure to update them all, as your versions may be outdated.

#16 pattya1122

Posted 21 June 2004 - 02:18 PM

I ran the Pandasoftware online scan, it found Trojans, then tried to update Ad-Aware, Spybot and Trojan Hunter; there were no updates for the Trojan Hunter Trial and the others were up to date. I ran them all and fixed what they found, rebooted and ran HijackThis.
Here is the new log:

Logfile of HijackThis v1.97.7
Scan saved at 21:02:57, on 21.06.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
C:\Programme\Virenschutz\AVKService.exe
C:\Programme\Virenschutz\AVKWCtl.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE
C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
C:\PROGRA~1\LONGPL~1\locksway.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE
C:\Broadband Router\Gate-MON V1.10.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\Microsoft Works\WksSb.exe
C:\Programme\TrojanHunter 3.9\THGuard.exe
C:\WINDOWS\System32\javaw.exe
C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Programme\Zilla Popup Killer\ZillaPop.exe
C:\Programme\AOL 9.0\aoltray.exe
C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe
C:\Programme\ScanPanel\ScnPanel.exe
C:\Programme\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...ex.html?http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Programme\TV Media\TvmBho.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe
O4 - HKLM\..\Run: [winactive] C:\Programme\Window Active\winactive.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"
O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe
O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "C:\Programme\WebSavingsfromEbates\System\Code" Main lp: "C:\Programme\WebSavingsfromEbates"
O4 - HKLM\..\Run: [mardykfhtpacq] C:\WINDOWS\System32\bojfro.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe
O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide
O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [Buddyizer] C:\Programme\Aimster\Buddyizer.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O4 - Global Startup: CAPIControl.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe
O9 - Extra button: Recherche-Assistent (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: MedionShop (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/...kup/qdiagcc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7576.4794212963
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.micr...N-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab

#17 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 21 June 2004 - 03:04 PM

  • Please reboot into safe mode - How do I boot into "Safe" mode?
  • Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...ex.html?http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Programme\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
    O4 - HKLM\..\Run: [winactive] C:\Programme\Window Active\winactive.exe
    O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
    O4 - HKLM\..\Run: [WebSavingsfromEbates] javaw -cp "C:\Programme\WebSavingsfromEbates\System\Code" Main lp: "C:\Programme\WebSavingsfromEbates"
    O4 - HKLM\..\Run: [mardykfhtpacq] C:\WINDOWS\System32\bojfro.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Programme\TV Media\Tvm.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
  • The following are optional to delete as they are resource hogs:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
  • The following FILES, DIRECTORIES and DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
    • DIRECTORY CONTENTS (But not the directory)
      • C:\Windows\Temp\
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
      • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • Empty your "Recycle Bin"
    • DIRECTORIES
      • C:\Programme\TV Media\
      • C:\Programme\Window Active\
    • FILES
      • C:\WINDOWS\mxTarget.dll
      • C:\WINDOWS\System32\stlbupdt.DLL
  • Reboot again and log in normally, repost a new HijackThis log into this message for further review.


#18 pattya1122 (Member, Full Member, 16 posts)

Posted 22 June 2004 - 01:05 AM

I followed the orders as listed. I could not find C:\Windows\System32\stlbupdt.DLL, but that was one of the files you said I don't have to worry about if they are not present. And in C:\Documents and Settings\default user\Local Settings\Temporary Internet Files\ was something called desktop.ini; when I tried to delete that I got a message that said "This is a System file. If you delete it your system may not run properly." Well, it said something like that in German, but that is the meaning of it. Can I delete that?
When I rebooted in normal mode I had a toolbar on the screen; it is something like a search bar, and there are still popups.

Here is the new log:

Logfile of HijackThis v1.97.7
Scan saved at 07:40:37, on 22.06.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
C:\PROGRA~1\LONGPL~1\locksway.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE
C:\Broadband Router\Gate-MON V1.10.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\Microsoft Works\WksSb.exe
C:\Programme\TrojanHunter 3.9\THGuard.exe
C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Programme\Zilla Popup Killer\ZillaPop.exe
C:\Programme\AOL 9.0\aoltray.exe
C:\Programme\ScanPanel\ScnPanel.exe
C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
C:\Programme\Virenschutz\AVKService.exe
C:\Programme\Virenschutz\AVKWCtl.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...://www.aol.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"
O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe
O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe
O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide
O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [Buddyizer] C:\Programme\Aimster\Buddyizer.exe
O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O4 - Global Startup: CAPIControl.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe
O9 - Extra button: Recherche-Assistent (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: MedionShop (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/...kup/qdiagcc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7576.4794212963
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.micr...N-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab

#19 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 22 June 2004 - 09:10 AM

Almost clean, just a few more things to do:
  • How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button.
  • Run HijackThis, click on "Scan" and then place a check mark in the following boxes (If they still exist), And click on "Fix Checked":
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...://www.aol.com/
  • The following is a recommended maintenance regime for Windows XP:
    • Please reboot into safe mode - How do I boot into "Safe" mode?
    • The following DIRECTORY CONTENTS (But not the directory), DIRECTORIES and FILES, need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". Click on "Apply to All Folders" and then respond "Yes" when prompted and click on "OK" to apply the change. If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
      • DIRECTORY CONTENTS (But not the directory)
      • %windir%\prefetch\
      • %windir%\Temp\
      • %temp%\
      • %userprofile%\Local Settings\Temp\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
    • DIRECTORIES
      • Nothing Yet
    • FILES
      • Nothing Yet
  • Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". Click on "OK" once more to close the options panel.
  • Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.
  • Reboot again and log in normally, repost a new HijackThis log into this message for further review.


#20 pattya1122 (Member, Full Member, 16 posts)

Posted 22 June 2004 - 11:59 AM

Hi,

Here is the new log. It seems like some things keep coming back, although I fixed and deleted everything as listed.


Logfile of HijackThis v1.97.7
Scan saved at 18:43:37, on 22.06.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
C:\Programme\Virenschutz\AVKService.exe
C:\PROGRA~1\LONGPL~1\locksway.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\Virenschutz\AVKWCtl.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE
C:\Broadband Router\Gate-MON V1.10.exe
C:\Programme\Microsoft Works\WksSb.exe
C:\Programme\TrojanHunter 3.9\THGuard.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Programme\Zilla Popup Killer\ZillaPop.exe
C:\Programme\AOL 9.0\aoltray.exe
C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE
C:\Programme\ScanPanel\ScnPanel.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...p://about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"
O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe
O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe
O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide
O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [Buddyizer] C:\Programme\Aimster\Buddyizer.exe
O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O4 - Global Startup: CAPIControl.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe
O9 - Extra button: Recherche-Assistent (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: MedionShop (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/...kup/qdiagcc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7576.4794212963
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.micr...N-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab

#21 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 22 June 2004 - 12:18 PM

  • How do I boot into "Safe" mode?
  • Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked" (NOTE: This is done while in safe mode):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...p://about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O3 - Toolbar: beepfilmbits - {E5BDDD47-1803-8FFE-006F-53C01A582CBD} - C:\PROGRA~1\MORELO~1\Mess intra.dll
  • The following is a recommended maintenance regime for Windows XP:
    • Please reboot into safe mode - How do I boot into "Safe" mode?
    • The following DIRECTORY CONTENTS (But not the directory), DIRECTORIES and FILES, need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". Click on "Apply to All Folders" and then respond "Yes" when prompted and click on "OK" to apply the change. If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
      • DIRECTORY CONTENTS (But not the directory)
        • %windir%\prefetch\
        • %windir%\Temp\
        • %temp%\
        • %userprofile%\Local Settings\Temp\
        • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
        • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • DIRECTORIES
        • Nothing Yet
      • FILES
        • Nothing Yet
    • Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". Click on "OK" once more to close the options panel.
    • Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.
  • Reboot again and log in normally, repost a new HijackThis log into this message for further review.
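The fix lists in posts #17 and #21 are built by reading the HijackThis log line by line and recognising a handful of patterns: IE search pages pointing at a local sp.html in a Temp folder, a start page redirected to search200.com, a Run value whose name is an HTML fragment, an autostart target inside a P2P shared folder, and unknown Winsock LSP files. The script below is an added example, not code from this thread or from HijackThis; it parses the log format shown here (R0/R1, O2/O3/O4/O10/O16) into (section, key, value) records and applies those rules. The rule tables (HIJACK_HOSTS, TEMP_MARKERS, SHARED_FOLDER_MARKERS) and the random-name heuristic are my assumptions drawn from this thread, not a maintained signature list, and the sample log lines are copied from the logs posted above.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section key value reason")

# Assumed rule data (not from the thread's tools): a real triage tool would load a
# maintained list. These are the indicators visible in this thread's logs.
HIJACK_HOSTS = ("search200.com",)
TEMP_MARKERS = ("\\temp\\", "\\lokale~1\\", "\\local settings\\")
SHARED_FOLDER_MARKERS = ("\\my shared folder\\",)
# No installer writes these into a Run value name; "<TITLE>Error</TI" is a piece
# of an HTTP error page that a downloader stored into the registry by mistake.
BAD_NAME_CHARS = re.compile(r'[<>"]')
RANDOM_NAME = re.compile(r"[a-z]{6,}")   # heuristic: long all-lowercase Run name ...
RANDOM_STEM = re.compile(r"[a-z]{4,}")   # ... launching an exe with a different lowercase name
EXE_STEM = re.compile(r'([^\\/\s"]+)\.exe', re.IGNORECASE)

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"^(?P<where>.*?): \[(?P<name>.*?)\] (?P<cmd>.*)$")


def parse_line(line):
    """Split one HijackThis report line into (section, key, value); None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    if sec.startswith("R"):            # R0/R1: "<registry path>,<value name> = <data>"
        key, _, value = rest.partition(" = ")
    elif sec == "O4":                  # O4: "HKLM\..\Run: [name] command" or "Startup: x.lnk = path"
        m4 = O4_RE.match(rest)
        if m4:
            key, value = m4.group("name"), m4.group("cmd")
        else:
            key, _, value = rest.partition(" = ")
    elif sec == "O10":                 # O10: "Unknown file in Winsock LSP: <dll>"
        key, _, value = rest.partition(": ")
    else:                              # O2/O3/O9/O16: "<description> - <path or url>"
        key, _, value = rest.rpartition(" - ")
    return sec, key, value


def _random_named_exe(name, cmd):
    stem = EXE_STEM.search(cmd)
    return (RANDOM_NAME.fullmatch(name) is not None and stem is not None
            and RANDOM_STEM.fullmatch(stem.group(1)) is not None
            and stem.group(1) != name)


def triage(lines):
    """Return the entries a helper would put on the 'Fix checked' list, with a reason each."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sec, key, value = rec
        lv = value.lower()
        reason = None
        if sec in ("R0", "R1"):
            if lv.startswith("file://") and any(t in lv for t in TEMP_MARKERS):
                reason = "IE search/start page points at a local HTML file in a Temp folder"
            elif any(h in lv for h in HIJACK_HOSTS):
                reason = "IE start page redirected to a known hijacker host"
        elif sec == "O4":
            if BAD_NAME_CHARS.search(key):
                reason = "Run value name is an HTML fragment, not a program name"
            elif any(mk in lv for mk in SHARED_FOLDER_MARKERS):
                reason = "autostart target lives in a P2P shared folder"
            elif _random_named_exe(key, value):
                reason = "random-looking Run name launching a differently named exe (heuristic)"
        elif sec == "O10":
            reason = "Winsock LSP loads a file HijackThis does not recognise; verify before fixing"
        if reason:
            findings.append(Finding(sec, key, value, reason))
    return findings


def triage_text(text):
    return triage(text.splitlines())


# Lines copied from the logs posted in this thread (truncated URLs kept as posted).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\FAM~1.KRG\LOKALE~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...p://about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winactive] C:\Programme\Window Active\winactive.exe
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [mardykfhtpacq] C:\WINDOWS\System32\bojfro.exe
O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print("%-3s %-20s %s" % (f.section, f.key.strip()[:20], f.reason))
```

Note what the rules do not catch: [winactive] and the TV Media entries were removed by the helper from knowledge of those products, not from anything mechanical in the line, and an O10 hit is only a prompt to identify the DLL, since fixing a legitimate LSP breaks networking. The script is a reading aid for a log like the ones above, not a replacement for the helper's judgement.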


#22 pattya1122 (Member, Full Member, 16 posts)

Posted 22 June 2004 - 01:10 PM

Here is the new log after doing everything in safe mode:


Logfile of HijackThis v1.97.7
Scan saved at 20:05:02, on 22.06.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
C:\Programme\Virenschutz\AVKService.exe
C:\Programme\Virenschutz\AVKWCtl.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
C:\PROGRA~1\LONGPL~1\locksway.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE
C:\Broadband Router\Gate-MON V1.10.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE
C:\Programme\Microsoft Works\WksSb.exe
C:\Programme\TrojanHunter 3.9\THGuard.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Programme\Zilla Popup Killer\ZillaPop.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE
C:\Programme\AOL 9.0\aoltray.exe
C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe
C:\Programme\ScanPanel\ScnPanel.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...p://about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4DF1DB24-A57C-11d3-A180-00A0C90AE44B} - C:\Programme\Zilla Popup Killer\ZillaBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"
O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe
O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Tray] C:\Programme\KaZaA\My Shared Folder\Yugioh PC Game.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Zilla Popup Killer] C:\Programme\Zilla Popup Killer\ZillaPop.exe
O4 - HKCU\..\Run: [WRLiteAdm] "C:\Programme\WinRoute Lite\wrladmin.exe" /hide
O4 - HKCU\..\Run: [WrCtrl] "C:\Programme\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [Buddyizer] C:\Programme\Aimster\Buddyizer.exe
O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: reminder-ScanSoft Produkt Registrierung.lnk = C:\Programme\TextBridge Pro 8.0\Ereg\REMIND32.EXE
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O4 - Global Startup: CAPIControl.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe
O9 - Extra button: Recherche-Assistent (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: MedionShop (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/...kup/qdiagcc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7576.4794212963
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.micr...N-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab

#23 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 22 June 2004 - 03:10 PM

The only entry still showing as bad is:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...p://about:blank

If you can, delete that through HijackThis.

Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

#24 pattya1122 (Member, Full Member, 16 posts)

Posted 23 June 2004 - 06:38 AM

I deleted that one bad entry with HijackThis but it kept coming back, and the entries that I deleted yesterday in safe mode were back too. I downloaded and installed the programs you recommended for protection (I can't run SpywareBlaster, I keep getting a message that the program is damaged; I reinstalled it a few times but it still doesn't work) and deleted everything you listed yesterday again in safe mode. It seems like it works now. When Windows starts I get a message from SpywareGuard that an attempt from search200.com to change the start page was detected. I clicked "restore old values" and none of the bad entries appeared in the HijackThis log again, and there weren't any popups so far :) but I will still post one more log, just to make sure.


Logfile of HijackThis v1.97.7
Scan saved at 13:27:54, on 23.06.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
C:\Programme\Browser mouse\1.3\mouse32a.exe
C:\PROGRA~1\LONGPL~1\locksway.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE
C:\Broadband Router\Gate-MON V1.10.exe
C:\Programme\Virenschutz\AVKService.exe
C:\Programme\Microsoft Works\WksSb.exe
C:\Programme\Virenschutz\AVKWCtl.exe
C:\Programme\TrojanHunter 3.9\THGuard.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE
C:\Programme\AOL 9.0\aoltray.exe
C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\ScanPanel\ScnPanel.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\SpywareGuard\sgmain.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE
C:\Programme\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"
O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: SpywareGuard.lnk = C:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O4 - Global Startup: CAPIControl.lnk = ?
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Programme\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Recherche-Assistent (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: MedionShop (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/...kup/qdiagcc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7576.4794212963
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.micr...N-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab

#25 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 23 June 2004 - 09:04 AM

I am still seeing a problem - that is with the O10 entries.

Please follow the instructions below to remove TargetSoft.inetadpt manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If TargetSoft.inetadpt remains on your system after stepping through the removal instructions, please double-check by stepping through them again. Please notice that inetadpt.dll is a layered socket provider that can break your internet connection if it is removed incorrectly.
  • Download and run LSPFix.
  • Check 'I know what I'm doing'.
  • Select 'inetadpt.dll'.
  • Click the right-pointing arrow.
  • Click 'Finished'.
  • Restart your computer.
  • Delete the following file: %SystemDir%\inetadpt.dll - Note: %SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Please post another HijackThis log once you are done so that I can verify it is clean.
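An added triage helper, not from this thread and not part of HijackThis or LSPFix, that automates the two checks PGPhantom applied by eye: it reads constructed log lines in HijackThis 1.97.7 format, flags an R0/R1 start or search page pointing at a domain from a constructed blocklist (here search200.com, the hijacker named above), and flags every O10 "Unknown file in Winsock LSP" entry, counting the repeated LSP lines instead of reporting them twice. The sample lines, the blocklist and the function names are assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt in HijackThis 1.97.7 format, modelled on the logs in this thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://search200.com/
O4 - HKLM\\..\\Run: [NeroCheck] C:\\WINDOWS\\System32\\NeroCheck.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\inetadpt.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

# Constructed blocklist: the start-page hijacker identified in this thread.
HIJACK_DOMAINS = {"search200.com"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<detail>.+)$")
URL_RE = re.compile(r"=\s*(?P<url>\S+)\s*$")

def hijacked_domain(detail):
    """Return the blocklisted domain an R0/R1 entry points at, else None."""
    m = URL_RE.search(detail)
    host = (urlsplit(m.group("url")).hostname or "").lower() if m else ""
    return next((d for d in HIJACK_DOMAINS if host == d or host.endswith("." + d)), None)

def triage(log_text):
    """Flag the entry types this thread treats as actionable.

    Returns a dict keyed by (section, detail) -> {"reason", "occurrences"}.
    """
    findings = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # process list, headers and blank lines carry no section tag
        section, detail = m.group("section"), m.group("detail")
        reason = None
        if section in ("R0", "R1"):
            d = hijacked_domain(detail)
            if d:
                reason = f"browser start/search page set to {d}"
        elif section == "O10" and detail.startswith("Unknown file in Winsock LSP"):
            # An LSP DLL is hooked into the Winsock chain: unhook it with an
            # LSP-aware tool (LSPFix) before deleting it, or networking breaks.
            reason = "unknown Winsock LSP; unhook with LSPFix before deleting the DLL"
        if reason is None:
            continue
        entry = findings.setdefault((section, detail), {"reason": reason, "occurrences": 0})
        entry["occurrences"] += 1  # HijackThis lists each LSP chain slot separately
    return findings

if __name__ == "__main__":
    for (sec, detail), f in triage(SAMPLE_LOG).items():
        print(f"{sec} x{f['occurrences']}: {f['reason']}\n    {detail}")
```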

#26 pattya1122 (Member, Full Member, 16 posts)

Posted 23 June 2004 - 12:18 PM

Here is the new log after running LSPFix as instructed and deleting the inetadpt.dll file:

Logfile of HijackThis v1.97.7
Scan saved at 19:06:53, on 23.06.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
C:\Programme\Browser mouse\1.3\mouse32a.exe
C:\PROGRA~1\LONGPL~1\locksway.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE
C:\Broadband Router\Gate-MON V1.10.exe
C:\Programme\Microsoft Works\WksSb.exe
C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
C:\Programme\TrojanHunter 3.9\THGuard.exe
C:\Programme\Virenschutz\AVKService.exe
C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
C:\Programme\Virenschutz\AVKWCtl.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Programme\Netscape\Netscape\Netscp.exe
C:\Programme\AOL 9.0\aoltray.exe
C:\Programme\Telekom\Eumex 504PC USB\Capictrl.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\ScanPanel\ScnPanel.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\SpywareGuard\sgmain.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE
C:\Programme\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programme\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D7B4FAD-7C27-B560-A639-C20C6AD08B46} - C:\PROGRA~1\MORELO~1\Mess intra.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Multimedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Thunkdrive] C:\PROGRA~1\LONGPL~1\locksway.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"
O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Broadband Router\Gate-MON V1.10.exe
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [AOL Meine Fotos - Bildschirmschoner] C:\Programme\Gemeinsame Dateien\AOL\Screensaver\ygpsstra.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: SpywareGuard.lnk = C:\Programme\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O4 - Global Startup: CAPIControl.lnk = ?
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ScanPanel\ScnPanel.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Programme\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Recherche-Assistent (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: MedionShop (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/...kup/qdiagcc.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7576.4794212963
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} (IEAnimBehaviorFactory Class) - http://download.micr...N-US/msorun.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab

#27 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 23 June 2004 - 03:10 PM

The log is looking clean :)

#28 pattya1122 (Member, Full Member, 16 posts)

Posted 23 June 2004 - 03:40 PM

:) Thank you so much for spending your time to help! (and upgrading my English language skills)

Patricia

#29 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 23 June 2004 - 04:26 PM

It has been our pleasure to help you :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
