|
| Computing.Net: Over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to sign up now, it's free! |
Annoying pop ups! Can't Fix
|
Original Message
|
Name: mustangblu98
Date: April 6, 2006 at 12:56:08 Pacific
Subject: Annoying pop ups! Can't FixOS: windows xpCPU/Ram: AMP Anthlon XP 2100; 480MModel/Manufacturer: Compaq 6029 |
Comment: I've been recieving a constant barrage of pop-ups that I can't seem to get rid of. I am running spydoctor, xoftspy, adaware, and norton. I am constantly cleaning stuff off. Adaware picks up this: HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"Shell" () I can't find any useful information in any of the other forums. It's like a needle in a haystack trying to find my specific problem. I have a hijackthis log if it is needed Any help would be greatly appreciated to rid myself of this. Thanks! Patrick
Report Offensive Message For Removal
|
|
Response Number 1
|
Name: XpUser4Real
Date: April 6, 2006 at 14:03:38 Pacific
|
Reply: (edit)Is it a messenger pop-up? If so, d/l shoot the messenger and safely shut it down. Hopefully my advice will help you...Please post back with your results....thanks
Report Offensive Follow Up For Removal
|
|
Response Number 5
|
|
Reply: (edit)no there is no mention of messenger service, just general ad popups for pc cleaners, shopping, etc. hijackthis log: Logfile of HijackThis v1.99.1 Scan saved at 3:43:50 PM, on 4/6/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe C:\Program Files\Common Files\Command Software\dvpapi.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\RioMSC.exe C:\Program Files\Spyware Doctor\sdhelp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\carpserv.exe C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\sys011269599344-.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Spyware Doctor\swdoctor.exe C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE C:\Compaq\EAKDRV\EAUSBKBD.EXE C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R3 - URLSearchHook: (no name) - _{FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file) R3 - URLSearchHook: (no name) - _{0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file) F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\inthv.exe F2 - REG:system.ini: UserInit=userinit.exe,sjblghr.exe O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe O4 - HKLM\..\Run: [QaOD] C:\documents and settings\patrick lee\local settings\temp\QaOD.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM\..\Run: [Iifwveig] C:\Program Files\Wven\Fdsyth.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [csr] csrrs.exe O4 - HKLM\..\Run: [wtkyelnA] C:\WINDOWS\wtkyelnA.exe O4 - HKLM\..\Run: [w01507aa.dll] RUNDLL32.EXE w01507aa.dll,I2 00018c2f001507aa O4 - HKLM\..\Run: [sys011269599344-] C:\WINDOWS\sys011269599344-.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe O4 - HKLM\..\Run: [AuthStart] C:\Program Files\SafeandSecure\SafeandSecure\app\authstart.exe O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\RunServices: [csr] csrrs.exe O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - HKCU\..\Run: [Registry Defender] "C:\Program Files\Registry Defender Trial\RegClean.exe" O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O4 - Global Startup: palstart.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\remove_me.dll (file missing) (HKCU) O9 - Extra button: Microsoft® JavaScript® Console - {86FB0D2D-1D8F-4EF8-803A-F3A422F925D9} - C:\WINDOWS\system32\COMDLG32.OCX (HKCU) O9 - Extra 'Tools' menuitem: JavaScript Console - {86FB0D2D-1D8F-4EF8-803A-F3A422F925D9} - C:\WINDOWS\system32\COMDLG32.OCX (HKCU) O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409 O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load5.exe O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,77/mcinsctl.cab O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab O20 - Winlogon Notify: DH - C:\WINDOWS\system32\guard.tmp (file missing) O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing) O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing) O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
Report Offensive Follow Up For Removal
|
|
Response Number 7
|
Name: jabuck
Date: April 6, 2006 at 19:17:51 Pacific
|
Reply: (edit)Please print this. First turn of Norton's script blocking and temporarily disable "real time protection" for any of the tools that you may have at this link or "this fix will not work." Disable Real Time Protection then re-enable these after you have finished. Please download Brute Force Uninstaller from this link http://www.merijn.org/files/bfu.zip Unzip it to a folder of it’s own (c:\BFU). Read here how to unzip/extract properly: http://metallica.geekstogo.com/xpcompressedexplanation.html Start the Brute Force Uninstaller by doubleclicking BFU.exe To the right of the "scriptfile to execute" window you'll see two icons. Click the one on the right. When you click that icon, a little window will open that says: "Please enter the full URL to the sript you want to execute" In the field, copy and paste everything in bold into that window: http://metallica.geekstogo.com/alcanshorty.bfu
Click Ok. Then click execute in Brute Force Uninstaller.
Wait for the complete script execution box to popup and press OK. Press exit to terminate the BFU program. Next download Look2Me-Destroyer from this link http://www.atribune.org/public-beta/Look2Me-Destroyer.exe Close all windows before continuing. Double-click Look2Me-Destroyer.exe to run it. Put a check next to Run this program as a task. You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal. Once it's done scanning, click the Remove L2M button. You will receive a Done Scanning message, click OK. When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK. Your computer will then shutdown. Turn your computer back on. If Look2Me-Destroyer does not reopen automatically, reboot and try again. If you receive a message from your firewall about this program accessing the internet please allow it. If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory. http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX Next go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")
Download Killbox from this link for later use Download killbox from this link Killbox Download ATF-Cleaner from this link for later use http://www.atribune.org/content/view/19/2/ Run this free online scan from Panda When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to the desktop, then copy/paste into the text editor and post it. Reboot in safe mode by following the directions at this link How To Boot Into Safe Mode Run Ht again close all windows, place a check to the left of the following items and press "fix checked": R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
R3 - URLSearchHook: (no name) - _{0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\inthv.exe
F2 - REG:system.ini: UserInit=userinit.exe,sjblghr.exe O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O4 - HKLM\..\Run: [QaOD] C:\documents and settings\patrick lee\local settings\temp\QaOD.exeIf you know what this is you will need to move it out of the temp file, otherwise remove it with HT O4 - HKLM\..\Run: [Iifwveig] C:\Program Files\Wven\Fdsyth.exe Same here remove if not known O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [wtkyelnA] C:\WINDOWS\wtkyelnA.exe
O4 - HKLM\..\Run: [w01507aa.dll] RUNDLL32.EXE w01507aa.dll,I2 00018c2f001507aa
O4 - HKLM\..\Run: [sys011269599344-] C:\WINDOWS\sys011269599344-.exe O4 - HKLM\..\RunServices: [csr] csrrs.exe O4 - Global Startup: palstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present Remove this if you did not set it
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present remove this if you did not set it O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\remove_me.dll (file missing) (HKCU) O16 - DPF: {20309504-8D74-4762-82CE-856903876EEA} - http://66.154.18.136/npd/load5.exe O20 - Winlogon Notify: DH - C:\WINDOWS\system32\guard.tmp (file missing) O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing) While still in safe mode run Killbox. Double-click on Killbox.exe to run it. Put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time. C:\WINDOWS\system32\inthv.exe C:\WINDOWS\wtkyelnA.exe C:\WINDOWS\sys011269599344-.exe C:\Program Files\Wven\Fdsyth.exe ( if not known) Click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box. Next while still in safe mode do a search for the files and delete all instances if found: sjblghr.exe w01507aa.dll csrrs.exe While still in safe mode run ATF-Cleaner. Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. Please post a new HT log.
Report Offensive Follow Up For Removal
|
|
Response Number 8
|
|
Reply: (edit)Here is the active scan from the Panda website: Incident Status Location
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@888[1].txt Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@ad.yieldmanager[1].txt Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@adopt.hbmediapro[2].txt Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@adrevolver[2].txt Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@adrevolver[3].txt Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@as-eu.falkag[2].txt Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@as-us.falkag[1].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@atdmt[1].txt Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@azjmp[2].txt Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@cassava[1].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@doubleclick[1].txt Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@linksynergy[2].txt Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@maxserving[1].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@mediaplex[1].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@overture[2].txt Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@realmedia[1].txt Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@server.iad.liveperson[2].txt Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@stats1.reliablestats[2].txt Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@statse.webtrendslive[1].txt Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@trafficmp[1].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@tribalfusion[1].txt Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Patrick Lee\Cookies\patrick lee@webpower[2].txt Virus:Bck/IRCBot.WJ Not disinfected C:\Documents and Settings\Patrick Lee\rar.exe Adware:Adware/PurityScan Not disinfected C:\Program Files\Common Files\?ystem\winlogon.exe Spyware:Cookie/2o7 Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp Spyware:Cookie/Adtech Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp Spyware:Cookie/Clickbank Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq29.tmp Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D.tmp Spyware:Cookie/Findwhat Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2F.tmp Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33.tmp Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36.tmp Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp Spyware:Cookie/Adserver Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp Spyware:Cookie/Zedo Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3E.tmp Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp\adm.exe Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp\adm4.dll Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp\admdata.dll Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp\admdloader.dll Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp\admfdi.dll Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp\admprog.dll Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp\dmfiles.cab Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp\dmfiles.cab[AltnetUninstall.exe] Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp\dmfiles.cab[asmend.exe] Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp\mysearch.cab Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp\pmexe.cab Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp\pmexe.cab[Points Manager.exe] Adware:Adware/InstaFinder Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5D.tmp Spyware:Cookie/Adtech Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA5.tmp Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA7.tmp Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA9.tmp Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAA.tmp Spyware:Cookie/FastClick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAB.tmp Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAE.tmp Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAF.tmp Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB0.tmp Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB1.tmp Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB2.tmp Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\system32\dr.exe Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\wcrgi.dat
Report Offensive Follow Up For Removal
|
|
Response Number 11
|
|
Reply: (edit)Ok, I've gone through everything. Below is posted my new HijackThis log. However, AD-aware still picks up this: RegData HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"Shell" () Shell Possibly Compromised Any Suggestions? Logfile of HijackThis v1.99.1 Scan saved at 11:02:55 PM, on 4/7/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\reddvb.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\inthv.exe C:\WINDOWS\system32\inthv.exe C:\WINDOWS\system32\inthv.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\inthv.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,sjblghr.exe O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [qvhuvy] C:\WINDOWS\system32\reddvb.exe reg_run O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe O4 - HKLM\..\Run: [AuthStart] C:\Program Files\SafeandSecure\SafeandSecure\app\authstart.exe O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKCU\..\Run: [nsovw] C:\WINDOWS\system32\reddvb.exe reg_run O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - HKCU\..\Run: [Registry Defender] "C:\Program Files\Registry Defender Trial\RegClean.exe" O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: kloec.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Microsoft® JavaScript® Console - {86FB0D2D-1D8F-4EF8-803A-F3A422F925D9} - C:\WINDOWS\system32\COMDLG32.OCX (HKCU) O9 - Extra 'Tools' menuitem: JavaScript Console - {86FB0D2D-1D8F-4EF8-803A-F3A422F925D9} - C:\WINDOWS\system32\COMDLG32.OCX (HKCU) O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409 O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,77/mcinsctl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing) O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing) O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe Patrick
Report Offensive Follow Up For Removal
|
|
Response Number 12
|
Name: jabuck
Date: April 7, 2006 at 21:28:08 Pacific
|
Reply: (edit)An old but subtle foe called Qoologic. Please download FindQool.Zip from this link http://downloads.subratam.org/Lon/FindQool.zip to your desktop. Unzip FindQool.zip to your C: drive so that the path is C:\FindQool. Go to the C:\FindQool folder where you just extracted FindQool.zip and doubleclick the Qlocate.bat file to run it. A command window will open and you'll get a message to "Press any key to continue". Press any key and a report.txt file will open in notepad. Copy and paste the contents of the report.txt file in your next reply.
Report Offensive Follow Up For Removal
|
|
Response Number 13
|
|
Reply: (edit)I seriously appreciate you taking the time to help me out...here is what FindQool found: Sat 04/08/2006 Running from: C:\FindQool PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE. Known file names C:\WINDOWS\UNWN.EXE MD5 Check.... C:\WINDOWS\system32\wcrgi.dat C:\WINDOWS\system32\reddvb.exe C:\WINDOWS\system32\inthv.exe C:\WINDOWS\system32\xlddnjd.dll C:\WINDOWS\system32\sjblghr.exe Files found with locate com. C:\WINDOWS\SYSTEM32\SJBLGHR.EXE C:\WINDOWS\SYSTEM32\XLDDNJD.DLL C:\WINDOWS\SYSTEM32\WCRGI.DAT C:\WINDOWS\SYSTEM32\REDDVB.EXE C:\WINDOWS\SYSTEM32\INTHV.EXE C:\WINDOWS\NCBLNO.DAT C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\KLOEC.EXE Re-check using dir /a:-d C:\Documents and Settings\All Users\Start Menu\Programs\Startup 04/03/2006 03:29 PM 127,488 kloec.exe ... HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6} ... Runs, Listed here as a Doublecheck for the locate com results HKLM "qvhuvy"="C:\\WINDOWS\\system32\\reddvb.exe reg_run" HKCU "nsovw"="C:\\WINDOWS\\system32\\reddvb.exe reg_run" ... Files In Winlogon shell and userinit Listed here as a Doublecheck for the locate com results shell REG_SZ Explorer.exe, C:\WINDOWS\system32\inthv.exe userinit REG_SZ C:\WINDOWS\SYSTEM32\Userinit.exe,sjblghr.exe Patrick
Report Offensive Follow Up For Removal
|
|
Response Number 14
|
Name: jabuck
Date: April 7, 2006 at 22:22:37 Pacific
|
Reply: (edit)Run HT again,close all windows and browsers except HT, then place a check to the left of these items and press "fix checked": F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\inthv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,sjblghr.exe O4 - HKLM\..\Run: [qvhuvy] C:\WINDOWS\system32\reddvb.exe reg_run O4 - HKCU\..\Run: [nsovw] C:\WINDOWS\system32\reddvb.exe reg_run O4 - Global Startup: kloec.exe O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing) Close Hijack This Double-click on Killbox.exe to run it. Put a tick by Delete on Reboot. Copy the following list of files to clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): C:\WINDOWS\UNWN.EXE C:\WINDOWS\system32\wcrgi.dat
C:\WINDOWS\system32\reddvb.exe
C:\WINDOWS\system32\inthv.exe
C:\WINDOWS\system32\xlddnjd.dll
C:\WINDOWS\system32\sjblghr.exe C:\WINDOWS\SYSTEM32\SJBLGHR.EXE
C:\WINDOWS\SYSTEM32\XLDDNJD.DLL
C:\WINDOWS\SYSTEM32\WCRGI.DAT
C:\WINDOWS\SYSTEM32\REDDVB.EXE
C:\WINDOWS\SYSTEM32\INTHV.EXE
C:\WINDOWS\NCBLNO.DAT
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\KLOEC.EXE Next in Killbox go to File > Paste from clipboard Click on the All Files button. Next click on the button that has the red circle with the white X in the middle. It will ask for confimation to delete the files on next reboot and ask you if you want to reboot now. Click Yes and let the computer reboot. Next copy the registry fix between the x"S: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX REGEDIT4
[-HKEY_CLASSES_ROOT\CLSID\{ce3a44d8 -bc88-4d62-a890-42d96245f8d6}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "qvhuvy"=- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "nsovw"=- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Open notepad(start>run> type "notepad" without the quotes>ok) and paste the registry fix in it.Go to File on the top bar of Notepad and choose Save As, on the Save As Type area change it to all files then name it fix.reg and save it to your desktop, double click fix.reg and allow it to be merged into the registry which will remove the entries. Post a new HT log.
Report Offensive Follow Up For Removal
|
|
Response Number 15
|
Name: jabuck
Date: April 7, 2006 at 22:41:32 Pacific
|
Reply: (edit)One more thing, run this batch file. Copy everything between the X"s: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX @echo off sc stop dll host sc delete dll host XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Open notepad(start>run> type "notepad" without the quotes>ok) and paste the above script into it.Go to File on the top bar of Notepad and choose Save As, on the Save As Type area change it to all files then name it reg.bat and save it to your desktop, double click reg.bat, it will run quickly.
Report Offensive Follow Up For Removal
|
|
Response Number 16
|
|
Reply: (edit)Here is the new HT log : Logfile of HijackThis v1.99.1 Scan saved at 11:14:08 AM, on 4/8/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe C:\Program Files\Common Files\Command Software\dvpapi.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\RioMSC.exe C:\Program Files\Spyware Doctor\sdhelp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\carpserv.exe C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE C:\Compaq\EAKDRV\EAUSBKBD.EXE C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\inthv.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,sjblghr.exe O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe O4 - HKLM\..\Run: [AuthStart] C:\Program Files\SafeandSecure\SafeandSecure\app\authstart.exe O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - HKCU\..\Run: [Registry Defender] "C:\Program Files\Registry Defender Trial\RegClean.exe" O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Microsoft® JavaScript® Console - {86FB0D2D-1D8F-4EF8-803A-F3A422F925D9} - C:\WINDOWS\system32\COMDLG32.OCX (HKCU) O9 - Extra 'Tools' menuitem: JavaScript Console - {86FB0D2D-1D8F-4EF8-803A-F3A422F925D9} - C:\WINDOWS\system32\COMDLG32.OCX (HKCU) O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409 O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,77/mcinsctl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4734/mcfscan.cab O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing) O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing) O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe Patrick
Report Offensive Follow Up For Removal
|
|
Response Number 17
|
Name: jabuck
Date: April 8, 2006 at 08:51:41 Pacific
|
Reply: (edit)You have the newest version of Qoologic, a tough one. Run HT again, close all windows and browsers except HT, the remove these items: F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\inthv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,sjblghr.exe O9 - Extra button: Microsoft® JavaScript® Console - {86FB0D2D-1D8F-4EF8-803A-F3A422F925D9} - C:\WINDOWS\system32\COMDLG32.OCX (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {86FB0D2D-1D8F-4EF8-803A-F3A422F925D9} - C:\WINDOWS\system32\COMDLG32.OCX (HKCU) Post a new HT log
Report Offensive Follow Up For Removal
|
|
Response Number 18
|
|
Reply: (edit)should these two be removed from my system? because everytime i run hijackthis on them they are the only two remaining: F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\inthv.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,sjblghr.exe
here is my new HT log Logfile of HijackThis v1.99.1 Scan saved at 9:51:15 PM, on 4/8/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe C:\Program Files\Common Files\Command Software\dvpapi.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\RioMSC.exe C:\Program Files\Spyware Doctor\sdhelp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\carpserv.exe C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE C:\Compaq\EAKDRV\EAUSBKBD.EXE C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\inthv.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,sjblghr.exe O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe O4 - HKLM\..\Run: [AuthStart] C:\Program Files\SafeandSecure\SafeandSecure\app\authstart.exe O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - HKCU\..\Run: [Registry Defender] "C:\Program Files\Registry Defender Trial\RegClean.exe" O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409 O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,77/mcinsctl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4734/mcfscan.cab O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing) O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing) O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe Patrick
Report Offensive Follow Up For Removal
|
|
Response Number 19
|
Name: jabuck
Date: April 8, 2006 at 19:14:18 Pacific
|
Reply: (edit)Reboot into safe mode. Run HT and remove the two F2'S Run Killbox and delete these items: C:\WINDOWS\system32\inthv.exe C:\WINDOWS\SYSTEM32\SJBLGHR.EXE Reboot into normal mode and run HT to see if they remain. If they do run Run FindQool once more and post that log.
Report Offensive Follow Up For Removal
|
|
Response Number 20
|
|
Reply: (edit)Killbox is telling me that these files cannot be deleted. C:\WINDOWS\system32\inthv.exe C:\WINDOWS\SYSTEM32\SJBLGHR.EXE They are persistent little buggers Patrick
Report Offensive Follow Up For Removal
|
|
Response Number 21
|
|
Reply: (edit)here is the findqool log: Sat 04/08/2006 Running from: C:\FindQool PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE. Known file names MD5 Check.... C:\WINDOWS\system32\wcrgi.dat C:\WINDOWS\system32\reddvb.exe C:\WINDOWS\system32\inthv.exe C:\WINDOWS\system32\xlddnjd.dll C:\WINDOWS\system32\sjblghr.exe Files found with locate com. C:\WINDOWS\SYSTEM32\SJBLGHR.EXE C:\WINDOWS\SYSTEM32\XLDDNJD.DLL C:\WINDOWS\SYSTEM32\WCRGI.DAT C:\WINDOWS\SYSTEM32\REDDVB.EXE C:\WINDOWS\SYSTEM32\INTHV.EXE C:\WINDOWS\NCBLNO.DAT C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\KLOEC.EXE Re-check using dir /a:-d C:\Documents and Settings\All Users\Start Menu\Programs\Startup 04/03/2006 03:29 PM 127,488 kloec.exe ... HKEY_LOCAL_MACHINE\software\classes\folder\shellex\columnhandlers\{ce3a44d8-bc88-4d62-a890-42d96245f8d6} ... Runs, Listed here as a Doublecheck for the locate com results HKLM "qvhuvy"="C:\\WINDOWS\\system32\\reddvb.exe reg_run" HKCU "nsovw"="C:\\WINDOWS\\system32\\reddvb.exe reg_run" ... Files In Winlogon shell and userinit Listed here as a Doublecheck for the locate com results shell REG_SZ Explorer.exe, C:\WINDOWS\system32\inthv.exe userinit REG_SZ C:\WINDOWS\SYSTEM32\Userinit.exe,sjblghr.exe ... SWReg utility Written by Bobbi Flekman © 2005 Findqool edited 4/05/2006 Patrick
Report Offensive Follow Up For Removal
|
|
Response Number 22
|
Name: jabuck
Date: April 8, 2006 at 20:57:32 Pacific
|
Reply: (edit)I think we didn't get "all" the files copied into killbox. You can see where I added in bold "Press all files button". If the version of killbox you have does not have this feature we need to get an updated version. From the top once more. Run HT and remove the F2's Start Killbox place a tick next to [x]Delete on reboot Press the ALL Files button Copy this whole list into the windows clipboard, all the Bolded below. Copy the following list of files to clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): C:\WINDOWS\system32\wcrgi.dat
C:\WINDOWS\system32\reddvb.exe C:\WINDOWS\system32\inthv.exe C:\WINDOWS\system32\xlddnjd.dll C:\WINDOWS\system32\sjblghr.exe C:\WINDOWS\NCBLNO.DAT C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\KLOEC.EXE Next in Killbox go to File > Paste from clipboard Click on the All Files button. Next click on the button that has the red circle with the white X in the middle. It will ask for confimation to delete the files on next reboot and ask you if you want to reboot now. Click Yes and let the computer reboot. Next copy the registry fix between the x"S: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX REGEDIT4
[-HKEY_CLASSES_ROOT\CLSID\{ce3a44d8 -bc88-4d62-a890-42d96245f8d6}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "qvhuvy"=- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "nsovw"=- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Open notepad(start>run> type "notepad" without the quotes>ok) and paste the registry fix in it.Go to File on the top bar of Notepad and choose Save As, on the Save As Type area change it to all files then name it fix.reg and save it to your desktop, double click fix.reg and allow it to be merged into the registry which will remove the entries. Next run this batch file. Copy everything between the X"s: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX @echo off sc stop dll host sc delete dll host XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Open notepad(start>run> type "notepad" without the quotes>ok) and paste the above script into it.Go to File on the top bar of Notepad and choose Save As, on the Save As Type area change it to all files then name it reg.bat and save it to your desktop, double click reg.bat, it will run quickly. Pst a new HT log.
Report Offensive Follow Up For Removal
| |