Jump to content


Photo

Please help me


  • This topic is locked This topic is locked
9 replies to this topic

#1 anas_adam

anas_adam

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 20 June 2004 - 05:32 AM

Hi, i saw that a lot of people have the same problem as the one i have: res://gvmqj.dll/index.html#96676. That is my homepage now, its driving me nuts. I cant change it, i tried a lot of things. I also cannot usse kazaa for some reason, but i dont know if thats part of the problem. Here is what i did so far:
I have run about everything u can run (all updated); norton, ad-aware, spybot, and dozens of other anti spyware. I also run cwshredder, which of course didnt find anything. Last day someone tried to help me and i sent him my logfile created with hijackthis. He told me to do the following: In safemode, i run
"regsvr32 /u gvmqj.dll" en "regsvr32 /u ippa.dll", only last one was succesfully unregistered. Then i run hijackthis (still in safe mode) and scanned. The following lines i fixed:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gvmqj.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://gvmqj.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://gvmqj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gvmqj.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://gvmqj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gvmqj.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {093585F1-45A2-F3FD-5DC8-CE8C707B844B} - C:\WINDOWS\ippa.dll
O4 - HKLM\..\Run: [addfe32.exe] C:\WINDOWS\system32\addfe32.exe
O4 - HKLM\..\RunOnce: [netnq.exe] C:\WINDOWS\system32\netnq.exe


After all this still it wasnt resolved. Now my homepage looks like this: res://eaokm.dll/index.html#96676, and the gvmqj.dll still exists in my windows folder; there also seems to be a new file: eaokm.dll in my windows/system32/ folder. This file is new i think. CAN PLEASE SOMEONE TELL ME WHAT I HAVE TO DO TO GET RID OF THIS, AS I AM REALLY FED UP WITH THIS NEW CWS!
Thanks in advance, Adam

ps: my logfile at this moment:


Logfile of HijackThis v1.97.7
Scan saved at 10:15:39, on 20-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\addfe32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netnq.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Bureau-accessoires\WORDPAD.EXE
E:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eaokm.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://eaokm.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://eaokm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eaokm.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://eaokm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eaokm.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8729A8D6-2263-39B8-AA6E-6ACBD757DB62} - C:\WINDOWS\msti.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [addfe32.exe] C:\WINDOWS\system32\addfe32.exe
O4 - HKLM\..\RunOnce: [netnq.exe] C:\WINDOWS\system32\netnq.exe
O4 - HKLM\..\RunOnce: [javawb.exe] C:\WINDOWS\system32\javawb.exe
O9 - Extra button: Real.com (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8139.1508101852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87206952-3212-4E24-9502-D1BA39A8D74D}: NameServer = 194.134.5.5 194.134.0.97

#2 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 20 June 2004 - 10:25 AM

If you have rebooted since posting your last log then please rescan and post a new one, otherwise follow these instructions.

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double click the xphidden.reg and when asked to merge say yes.

Press Ctrl>Alt>Delete to bring up Task Manager. Click the Processes tab and double-click the Image Name column header to alphabetically sort the processes. Scroll through the list and look for the following entries, end the process on each when found:

addfe32.exe
netnq.exe

Next, click Start>Run and type Services.msc, hit OK. Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.

Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eaokm.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://eaokm.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://eaokm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eaokm.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://eaokm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eaokm.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8729A8D6-2263-39B8-AA6E-6ACBD757DB62} - C:\WINDOWS\msti.dll
O4 - HKLM\..\Run: [addfe32.exe] C:\WINDOWS\system32\addfe32.exe
O4 - HKLM\..\RunOnce: [netnq.exe] C:\WINDOWS\system32\netnq.exe
O4 - HKLM\..\RunOnce: [javawb.exe] C:\WINDOWS\system32\javawb.exe
O4 - HKLM\..\RunOnce: [javawt.exe] C:\WINDOWS\system32\javawt.exe

Reboot into safe mode by tapping F8 after the BIOS has loaded, find and delete the following:

C:\WINDOWS\system32\addfe32.exe
C:\WINDOWS\system32\netnq.exe
C:\WINDOWS\system32\javawb.exe
C:\WINDOWS\system32\javawt.exe

Boot back into normal mode. Click here to download cwsuninst.zip. Extract cwsuninst.reg from the zip file and save it to the desktop. When done double click the cwsuninst.reg when asked to merge say yes.

Two files (possibly three) were also deleted from your computer by this malware and need to be replaced.

control.exe - go here and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.

If you have Spybot S&D installed you will also need to replace one file. Go here here and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program.

Could you click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59. Reboot when done.

Run HiJackThis again and post a new log in this thread.

Edited by Daemon, 20 June 2004 - 11:02 AM.

Posted Image

#3 anas_adam

anas_adam

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 20 June 2004 - 10:58 AM

Here is my new log:
Logfile of HijackThis v1.97.7
Scan saved at 17:58:16, on 20-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netnq.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\addfe32.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\logon.scr
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Logitech\IMAGES~1\AlbumDB.exe
C:\PROGRA~1\Logitech\IMAGES~1\FxSvr.exe
E:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eaokm.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://eaokm.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://eaokm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eaokm.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://eaokm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eaokm.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Saab\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8729A8D6-2263-39B8-AA6E-6ACBD757DB62} - C:\WINDOWS\msti.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [addfe32.exe] C:\WINDOWS\system32\addfe32.exe
O4 - HKLM\..\RunOnce: [netnq.exe] C:\WINDOWS\system32\netnq.exe
O4 - HKLM\..\RunOnce: [javawb.exe] C:\WINDOWS\system32\javawb.exe
O4 - HKLM\..\RunOnce: [javawt.exe] C:\WINDOWS\system32\javawt.exe
O9 - Extra button: Real.com (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8139.1508101852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87206952-3212-4E24-9502-D1BA39A8D74D}: NameServer = 194.134.5.5 194.134.0.97

#4 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 20 June 2004 - 11:02 AM

OK, I've updated my previous fix - work through it now.
Posted Image

#5 anas_adam

anas_adam

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 20 June 2004 - 12:16 PM

Ok, all done, this is my current newly created logfile:


Logfile of HijackThis v1.97.7
Scan saved at 19:15:16, on 20-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Logitech\IMAGES~1\AlbumDB.exe
C:\PROGRA~1\Logitech\IMAGES~1\FxSvr.exe
E:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eaokm.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://eaokm.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://eaokm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eaokm.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://eaokm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eaokm.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O9 - Extra button: Real.com (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8139.1508101852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#6 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 20 June 2004 - 12:27 PM

It looks cleaner, see if HJT will fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eaokm.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://eaokm.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://eaokm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\eaokm.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://eaokm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\eaokm.dll/sp.html#96676


Reboot when done - let me know.
Posted Image

#7 anas_adam

anas_adam

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 20 June 2004 - 01:10 PM

Please anyone, this is very important, i noticed that i still have a file named gvmqj.dll in my windows folder (c:\windows\), do i have to delete this??? Coz this dll i had before the eaokm.dll. And will it come back???? PLz reply

#8 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 20 June 2004 - 01:12 PM

Just delete it. Is everything running OK now?
Posted Image

#9 anas_adam

anas_adam

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 20 June 2004 - 01:15 PM

Yeah everything is oke. I thank you very very very very (i cant say this enough) much!!! O and one thing; what about this topic http://www.spywarein...?showtopic=8337 about secondinfection etc?????

#10 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 20 June 2004 - 01:59 PM

You're welcome - glad to help :D

Don't worry about that link - if you have any further problems you know where to find us.

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button