HiJackThis log



#1 edinardo (Active Member, 10 posts)

Posted 08 December 2004 - 09:08 PM

Hi all, I'm hoping someone can solve my problem.
I keep getting webpages popping up all the time.
I've tried the following:
Spybot - Search & Destroy
Ad-Aware SE Personal
CWShredder.exe
McAfee VirusScan

All keep reporting that my computer is infected
and that errors have been fixed, but if I run the apps
again the same problems are reported.
McAfee reports nothing wrong.

Below is my HiJackThis report.
Thanks

Logfile of HijackThis v1.98.2
Scan saved at 3:54:04 PM, on 2004-12-08
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nslsvice.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\ePOAgent\naimas32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\tlntsvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NILaunch.exe
C:\ePOAgent\naimag32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50162
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.roger.../bookmarks.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50162
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50162
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINNT\System32\NILaunch.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {08288600-E9D9-11D1-9C84-006008319186} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\vantfind.cab
O16 - DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} (DropBox Control) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\vandropbox.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {3CA57BA4-0497-11D2-A955-006008936C61} (VanRollupGraph.VanRollupGraphCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanRollup.CAB
O16 - DPF: {4B8351A1-7046-11D2-AA27-006008936C61} (VanForecastGraph.VanForecastGraphCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanFCast.CAB
O16 - DPF: {6262D3A0-531B-11CF-91F6-C2863C385E30} (Microsoft FlexGrid Control, version 6.0) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\msflxgrd.cab
O16 - DPF: {6313ACD5-705C-11D3-8ACA-004F4E002623} (EuroSup.EuroNation) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\EuroSup.cab
O16 - DPF: {6D852581-7F1A-11D2-9CAB-006008319186} (VanColorPickProj.VanColorPick) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanColorPick.CAB
O16 - DPF: {72D78A82-8953-67B4-4792-9C034B139753} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/chm/files.chm::/file.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {99AC51A7-BEFF-11D1-B5B1-00A024CD30C6} (VanFind.VanFindCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VANFIND.cab
O16 - DPF: {A6928F2E-DDEF-11D1-804D-006097F95635} (vanStageTask.van_stage_task_ctl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\vanStageTask.CAB
O16 - DPF: {A72C9639-8D4D-11D2-B52E-00105A986075} (prjVantiveFontPicker.ctlFontPicker) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VantiveFontPicker.CAB
O16 - DPF: {ADCBFFBC-DB3F-11D2-AADF-006008936C61} (VanGrid.VanGridCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\vangrid.cab
O16 - DPF: {B2E0C2EA-A543-11CF-BC8C-207402C10627} (GMS Angular Gauge ActiveX Control) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\AGaugeM.cab
O16 - DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} (FarPoint DateTime Control) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\edt32x20.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B9FDDE3F-28E2-11D2-B461-006008936ABD} (vanChevron.van_chevron_ctl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\vanChevron.CAB
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {C6CCA9AF-2B4E-11D1-9B21-0080C79EFE90} (VanPallet.VanPalletCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanPallet.CAB
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bridgestrain...ing/ieatgpc.cab
O16 - DPF: {E0DB982A-E986-11D0-B2F8-00A0247B9D10} (VanViewer.VanViewerCrtl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanViewer.CAB
O16 - DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} (SSDateCombo Control) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\SSCALA32.cab
O16 - DPF: {EC9B6CDE-C5BF-11D2-820B-00A024CD30C6} (VanLiteralDLL.VanLiteral) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanLiteralDLL.CAB
O16 - DPF: {F39FD815-E9C3-11D1-9C83-006008319186} (VanTree.VanTreeCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanTree.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O16 - DPF: {FF1DACCD-3047-11D1-8028-00A024CA8C68} (VanPipelineGraph.VanPipelineGraphCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanPipeline.CAB
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
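
As an added example that is not part of the original thread: the log above is read by hand in the replies that follow, but the same first-pass checks can be scripted. The Python below is mine, not HijackThis code. It parses a few lines copied from the log, plus one invented benign O16 line pointing at example.com, and flags the four patterns a responder looks at first: O1 hosts entries that point a search hostname at a non-local address, O10 unknown Winsock LSP modules, one DLL registered under several hook sections at once (O2 BHO, O3 toolbar, O18 protocol handler), and O16 ActiveX downloads sourced from anything other than http(s), such as the ms-its: entry.

```python
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the HijackThis log above, plus one
# invented benign O16 entry (example.com) so a normal http:// download is
# shown not to be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50162
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O16 - DPF: {72D78A82-8953-67B4-4792-9C034B139753} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/chm/files.chm::/file.exe
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Example Game) - http://example.com/controls/game.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
"""

# "O16 - body", "R1 - body", ...
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# First Windows module path in a line (short 8.3 names and spaces both allowed).
PATH_RE = re.compile(r'[a-z]:\\[^"]+?\.(?:dll|exe|ocx)\b', re.I)


def parse_hjt(text):
    """Yield (section, body) for every R/F/O entry in a HijackThis log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(text):
    """Return the entries that deserve a second look, grouped by why."""
    findings = {"hosts_redirects": [], "lsp_unknown": [], "dpf_nonweb": []}
    modules = {}  # normalised module path -> set of sections that load it
    for sec, body in parse_hjt(text):
        if sec == "O1":
            # "Hosts: <ip> <name>": anything not local redirects that name elsewhere.
            _, ip, name = body.split(None, 2)
            addr = ip_address(ip)
            if not (addr.is_loopback or addr.is_unspecified):
                findings["hosts_redirects"].append((ip, name))
        elif sec == "O10":
            # The LSP chain lists the same DLL once per protocol entry; report it once.
            path = body.split(":", 1)[1].strip().lower()
            if path not in findings["lsp_unknown"]:
                findings["lsp_unknown"].append(path)
        elif sec in ("O2", "O3", "O4", "O18"):
            m = PATH_RE.search(body)
            if m:
                modules.setdefault(m.group(0).lower(), set()).add(sec)
        elif sec == "O16":
            # Source is the text after the last " - "; anything but http(s) is odd
            # for a "downloaded" control (file://, ms-its:, res://).
            source = body.rsplit(" - ", 1)[-1]
            scheme = source.split(":", 1)[0].lower()
            if scheme not in ("http", "https"):
                findings["dpf_nonweb"].append(source)
    # One DLL acting as BHO, toolbar and protocol handler is a single component
    # hooking the browser from several directions, not three unrelated add-ons.
    findings["shared_modules"] = {p: sorted(s) for p, s in modules.items() if len(s) >= 2}
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, items)
```

The script only narrows the list; it does not decide. An LSP entry is still the one item on this list to treat with care, because deleting the DLL without unregistering it from the Winsock catalog breaks networking, which is why the reply below reaches for LSPfix before anything else.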

#2 LoPhatPhuud (Master of Disaster Recovery, General Admin, 15,731 posts)

Posted 09 December 2004 - 05:53 AM

OK, I believe we have a solution.

First:
Download DLLCompare in the attached zip file.

Copy the program to its own folder and double click on it.
Press the 'Run Locate.com' button

That should finish quickly, then:
Press the 'Compare' button.

That will run for a while longer.

When it is finished, press the 'Make A Log of What was Found' button
and post the log in this thread.

Press 'Exit' to quit program.


Second:
Download the attached archive and unzip it to your Desktop. Open the FindIt folder and double click on Find.bat.

Copy the Notepad document that opens (output.txt) and paste its contents in this thread.

#3 edinardo (Active Member, 10 posts)

Posted 09 December 2004 - 01:28 PM

Thanks for the help. Below are the results.

DLLCompare results:

Log of CWS Hidden File locator
These are files found that Windows does not See or cannot Access
________________________________________________

C:\WINNT\SYSTEM32\lbouse16.dll Wed 2004-12-08 17:58:54 ..S.R 223 349 218,11 K
C:\WINNT\SYSTEM32\ogeprn.dll Wed 2004-12-08 15:43:36 ..S.R 224 068 218,82 K
C:\WINNT\SYSTEM32\e420le~1.dll Wed 2004-12-08 18:58:56 ..S.R 223 349 218,11 K
C:\WINNT\SYSTEM32\lt2027~1.dll Wed 2004-12-08 20:10:24 ..S.R 226 238 220,93 K
C:\WINNT\SYSTEM32\trpiperf.dll Wed 2004-12-08 20:10:24 ..S.R 224 211 218,95 K
C:\WINNT\SYSTEM32\pigfilt.dll Tue 2004-12-07 21:21:06 ..S.R 222 787 217,56 K
C:\WINNT\SYSTEM32\ir46l5~1.dll Tue 2004-12-07 17:19:34 ..S.R 223 030 217,80 K
C:\WINNT\SYSTEM32\m8poli~1.dll Tue 2004-12-07 12:35:12 ..S.R 224 610 219,34 K
C:\WINNT\SYSTEM32\jt6q07~1.dll Tue 2004-12-07 15:49:24 ..S.R 225 155 219,88 K
C:\WINNT\SYSTEM32\mv80l9~1.dll Tue 2004-12-07 17:40:56 ..S.R 226 244 220,94 K
C:\WINNT\SYSTEM32\k8lq0i~1.dll Tue 2004-12-07 16:02:32 ..S.R 225 693 220,40 K
C:\WINNT\SYSTEM32\fsxevent.dll Wed 2004-12-08 8:07:10 ..S.R 223 326 218,09 K
C:\WINNT\SYSTEM32\ildkcs32.dll Tue 2004-12-07 21:18:46 ..S.R 225 155 219,88 K

1 095 items found: 1 095 files (13 H/S), 0 directories.
Total of file sizes: 197 108 682 bytes 187,98 M

--------------------------------------------------------------------

FINDIT RESULTS:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is WINDOWS 2K
Volume Serial Number is 2958-18F6

Directory of C:\WINNT\System32

2004-12-08 08:10p 226,238 lt2027fmg.dll
2004-12-08 08:10p 224,211 tRpiperf.dll
2004-12-08 06:58p 223,349 e420lefm1h2a.dll
2004-12-08 05:58p 223,349 LBOUSE16.DLL
2004-12-08 03:43p 224,068 ogeprn.dll
2004-12-08 08:07a 223,326 fSxevent.dll
2004-12-07 09:21p 222,787 pigfilt.dll
2004-12-07 09:18p 225,155 ildkcs32.dll
2004-12-07 05:40p 226,244 mv80l9lm1.dll
2004-12-07 05:19p 223,030 ir46l5hs1.dll
2004-12-07 04:02p 225,693 k8lq0i35e8.dll
2004-12-07 03:49p 225,155 jt6q07j5e.dll
2004-12-07 12:35p 224,610 m8poli7318.dll
2001-10-29 01:18p <DIR> dllcache
13 File(s) 2,917,215 bytes
1 Dir(s) 4,097,564,672 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is WINDOWS 2K
Volume Serial Number is 2958-18F6

Directory of C:\WINNT\System32

2001-10-29 01:49p <DIR> GroupPolicy
2001-10-29 01:32p 271 desktop.ini
2001-10-29 01:32p 21,692 folder.htt
2001-10-29 01:18p <DIR> dllcache
2 File(s) 21,963 bytes
2 Dir(s) 4,097,556,480 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is WINDOWS 2K
Volume Serial Number is 2958-18F6

Directory of C:\WINNT\System32

2004-12-09 08:08a 222,493 guard.tmp
1 File(s) 222,493 bytes
0 Dir(s) 4,097,548,288 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is WINDOWS 2K
Volume Serial Number is 2958-18F6

Directory of C:\WINNT\System32

2004-12-09 08:08a 222,493 guard.tmp
2004-12-06 05:15p 482 wer1316.tmp
2004-12-06 05:12p 27 qylEGEJ.tmp
2001-05-08 05:00a 2,577 CONFIG.TMP
4 File(s) 225,579 bytes
0 Dir(s) 4,097,540,096 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E49C4FB4-480B-4630-922A-DBE24C036541}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


---------------- Xfind Results -----------------

'Xfind' is not recognized as an internal or external command,
operable program or batch file.

-------------- Locate.com Results ---------------
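
Added example, not from the thread and not DLLCompare's own code: a parser for the DLLCompare log format posted above that applies the same reasoning a helper applies by eye. The files worth removing share three traits the log makes visible: system plus read-only attributes (the "..S.R" column) that keep Explorer from showing them, modification times in the day or two before the scan, and sizes clustered within a few kilobytes of each other under unrelated-looking names. The first five sample lines are copied from the output above; the sixth (example_old.dll, non-hidden, dated 2001) is invented so the filter has something to let through. The scan time passed in is an assumption taken from the post date.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: five lines from the DLLCompare log above plus one invented
# older, non-hidden entry (example_old.dll) that should not be flagged.
SAMPLE_DLLCOMPARE = r"""
C:\WINNT\SYSTEM32\lbouse16.dll Wed 2004-12-08 17:58:54 ..S.R 223 349 218,11 K
C:\WINNT\SYSTEM32\ogeprn.dll Wed 2004-12-08 15:43:36 ..S.R 224 068 218,82 K
C:\WINNT\SYSTEM32\fsxevent.dll Wed 2004-12-08 8:07:10 ..S.R 223 326 218,09 K
C:\WINNT\SYSTEM32\pigfilt.dll Tue 2004-12-07 21:21:06 ..S.R 222 787 217,56 K
C:\WINNT\SYSTEM32\mv80l9~1.dll Tue 2004-12-07 17:40:56 ..S.R 226 244 220,94 K
C:\WINNT\SYSTEM32\example_old.dll Mon 2001-10-29 13:18:00 ..... 45 056 44,00 K
"""

# <path> <dow> <date> <time> <attrs> <size with space thousands separator> <KB> K
LINE_RE = re.compile(
    r"^(?P<path>\S+) \w{3} (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{1,2}:\d{2}:\d{2}) "
    r"(?P<attr>\S+) (?P<size>\d[\d ]*?) [\d,]+ K$"
)


def parse_dllcompare(text):
    """Turn DLLCompare hidden-file lines into dicts with a real datetime and byte size."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "path": m.group("path"),
            "mtime": datetime.strptime(m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M:%S"),
            "attr": m.group("attr"),
            "size": int(m.group("size").replace(" ", "")),
        })
    return entries


def suspicious(entries, scan_time, window=timedelta(days=3), band=0.05):
    """Entries that are system+read-only, modified within `window` before the scan,
    and within `band` of the median size of that group: the signature of one
    dropper writing copies of the same component under random names."""
    recent = [e for e in entries
              if "S" in e["attr"] and "R" in e["attr"]
              and scan_time - window <= e["mtime"] <= scan_time]
    if not recent:
        return []
    sizes = sorted(e["size"] for e in recent)
    median = sizes[len(sizes) // 2]
    return [e for e in recent if abs(e["size"] - median) <= band * median]


if __name__ == "__main__":
    found = parse_dllcompare(SAMPLE_DLLCOMPARE)
    # Assumed scan time: the morning the results were posted.
    for e in suspicious(found, datetime(2004, 12, 9, 13, 0)):
        print(e["mtime"], e["size"], e["path"])
```

The size band is the useful part: a dozen DLLs that all weigh 217 to 221 KB and all appeared in the same two days are one thing, not twelve, and the guard.tmp file in the FindIt output (222,493 bytes, newest of all) sits inside the same band.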

#4 LoPhatPhuud (Master of Disaster Recovery, General Admin, 15,731 posts)

Posted 09 December 2004 - 08:19 PM

First:
Download LSPfix here: www.cexx.org/lspfix.htm

Launch the application, and click the "I know what I'm doing" checkbox.
Check all instances of calsp.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish.

Reboot


Second:
Launch Notepad.
Copy/paste the text in the box below into a new text file.
Save it as fixme.reg on your Desktop

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E49C4FB4-480B-4630-922A-DBE24C036541}"=-


Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Third:
Hoster Instructions:

=== Begin Hosts File Reset ===
1.Download the Hoster from here:
http://members.aol.com/toadbee/hoster.zip
2. Install the program and run it.
3. Press 'Restore Original Hosts' and press 'OK'
4. Exit Program.

Note: This program also has a Hosts file backup facility that you may want to use if you have added custom entries to the Hosts file.


Fourth:
Download Killbox from here: http://www.downloads.subratam.org/KillBox.zip

Run Killbox.exe and be sure that 'Delete on Reboot' is checked.

Select the Folder Icon to the right of the Address Area and find the following file(s) one at a time:
C:\WINNT\SYSTEM32\lt2027fmg.dll
C:\WINNT\SYSTEM32\tRpiperf.dll
C:\WINNT\SYSTEM32\e420lefm1h2a.dll
C:\WINNT\SYSTEM32\LBOUSE16.DLL
C:\WINNT\SYSTEM32\ogeprn.dll
C:\WINNT\SYSTEM32\fSxevent.dll
C:\WINNT\SYSTEM32\pigfilt.dll
C:\WINNT\SYSTEM32\ildkcs32.dll
C:\WINNT\SYSTEM32\mv80l9lm1.dll
C:\WINNT\SYSTEM32\ir46l5hs1.dll
C:\WINNT\SYSTEM32\k8lq0i35e8.dll
C:\WINNT\SYSTEM32\jt6q07j5e.dll
C:\WINNT\SYSTEM32\m8poli7318.dll
C:\WINNT\System32\guard.tmp
C:\WINNT\System32\wer1316.tmp
C:\WINNT\System32\qylEGEJ.tmp

Note: You can also cut and paste the files listed above if the full path and file name has been specified. Most files are located in C:\Windows\ or C:\Windows\System32\

After each one, press the delete button on the far right of the address bar

Each time you will get a dialog box asking if you want to reboot
Press 'No' for all but the last file
After the last file has been entered, press 'Yes'
Your computer will reboot and delete the files

Verify that all the files have actually been deleted.



Fifth:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50162
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.rogers.com/edinardo/bookmarks.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O16 - DPF: {08288600-E9D9-11D1-9C84-006008319186} (VanTFind.VanTFindCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\vantfind.cab
O16 - DPF: {0CBD083F-B6B3-11D0-AD20-0060976EA210} (DropBox Control) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\vandropbox.cab
O16 - DPF: {3CA57BA4-0497-11D2-A955-006008936C61} (VanRollupGraph.VanRollupGraphCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanRollup.CAB
O16 - DPF: {4B8351A1-7046-11D2-AA27-006008936C61} (VanForecastGraph.VanForecastGraphCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanFCast.CAB
O16 - DPF: {6262D3A0-531B-11CF-91F6-C2863C385E30} (Microsoft FlexGrid Control, version 6.0) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\msflxgrd.cab
O16 - DPF: {6313ACD5-705C-11D3-8ACA-004F4E002623} (EuroSup.EuroNation) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\EuroSup.cab
O16 - DPF: {6D852581-7F1A-11D2-9CAB-006008319186} (VanColorPickProj.VanColorPick) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanColorPick.CAB
O16 - DPF: {72D78A82-8953-67B4-4792-9C034B139753} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/chm/files.chm::/file.exe
O16 - DPF: {99AC51A7-BEFF-11D1-B5B1-00A024CD30C6} (VanFind.VanFindCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VANFIND.cab
O16 - DPF: {A6928F2E-DDEF-11D1-804D-006097F95635} (vanStageTask.van_stage_task_ctl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\vanStageTask.CAB
O16 - DPF: {A72C9639-8D4D-11D2-B52E-00105A986075} (prjVantiveFontPicker.ctlFontPicker) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VantiveFontPicker.CAB
O16 - DPF: {ADCBFFBC-DB3F-11D2-AADF-006008936C61} (VanGrid.VanGridCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\vangrid.cab
O16 - DPF: {B2E0C2EA-A543-11CF-BC8C-207402C10627} (GMS Angular Gauge ActiveX Control) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\AGaugeM.cab
O16 - DPF: {B8958DE0-BAC9-101C-933E-0000C005958C} (FarPoint DateTime Control) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\edt32x20.cab
O16 - DPF: {B9FDDE3F-28E2-11D2-B461-006008936ABD} (vanChevron.van_chevron_ctl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\vanChevron.CAB
O16 - DPF: {C6CCA9AF-2B4E-11D1-9B21-0080C79EFE90} (VanPallet.VanPalletCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanPallet.CAB
O16 - DPF: {E0DB982A-E986-11D0-B2F8-00A0247B9D10} (VanViewer.VanViewerCrtl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanViewer.CAB
O16 - DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} (SSDateCombo Control) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\SSCALA32.cab
O16 - DPF: {EC9B6CDE-C5BF-11D2-820B-00A024CD30C6} (VanLiteralDLL.VanLiteral) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanLiteralDLL.CAB
O16 - DPF: {F39FD815-E9C3-11D1-9C83-006008319186} (VanTree.VanTreeCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanTree.cab
O16 - DPF: {FF1DACCD-3047-11D1-8028-00A024CA8C68} (VanPipelineGraph.VanPipelineGraphCtrl) - file://C:\DOCUME~1\ADMINI~1.CAR\LOCALS~1\Temp\VanPipeline.CAB
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll


Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)

C:\Program Files\Common Files\WinTools\ <-- delete entire folder
C:\Program Files\Toolbar\ <-- delete entire folder


*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

HiJackThis version 1.98.2 is now available.
If you do not already have it installed, download it from here:
http://www.computerc...s-file-328.html
http://tomcoyote.org/hjt/

Run HiJackThis again and post a new log in this thread.
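
Added example, mine rather than Hoster's code, for the Hosts file reset in the "Third" step. Restoring a stock file works, but a user with custom entries loses them, and a helper never sees what was removed. The function below keeps comments, loopback mappings and an explicit allow-list, collapses duplicates such as the doubled ieautosearch line, and returns everything it dropped so it can be posted back. The sample file is constructed from the O1 lines in the log plus one invented intranet entry (intranet.example.test); it is not the poster's real hosts file.

```python
from ipaddress import ip_address

# Constructed sample hosts file: loopback entry, a comment, one custom entry
# worth keeping, and the four O1 hijack lines from the HijackThis log.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.168.1.10    intranet.example.test
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
"""


def clean_hosts(text, keep=()):
    """Return (cleaned_text, removed), where removed lists the (ip, name) pairs dropped.

    Policy: comments and blank lines pass through; mappings to a loopback or
    unspecified address (127.0.0.1, 0.0.0.0, ::1) pass through; any other
    mapping is dropped unless its host name is in `keep`. Duplicates collapse.
    """
    keep = {k.lower() for k in keep}
    kept, removed, seen = [], [], set()
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:                      # blank line or comment: pass through untouched
            kept.append(raw)
            continue
        ip, *names = body.split()
        try:
            addr = ip_address(ip)
        except ValueError:                # malformed line: drop and report it
            removed.append((ip, " ".join(names)))
            continue
        local = addr.is_loopback or addr.is_unspecified
        for name in names:
            key = (ip, name.lower())
            if key in seen:               # second "69.20.16.183 ieautosearch" and the like
                continue
            seen.add(key)
            if local or name.lower() in keep:
                kept.append(f"{ip}\t{name}")
            else:
                removed.append((ip, name))
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    cleaned, dropped = clean_hosts(SAMPLE_HOSTS, keep=["intranet.example.test"])
    print(cleaned)
    for ip, name in dropped:
        print("removed:", ip, name)
```

On Windows 2000 the file is %SystemRoot%\system32\drivers\etc\hosts; copy it aside before writing the cleaned text back, since a hijacker that has also set the file read-only or system (as the DLLs in this thread were) will need those attributes cleared first.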

#5 edinardo (Active Member, 10 posts)

Posted 10 December 2004 - 02:44 PM

All the changes above were made. So far this morning my system
seems to be working fine. No more popups yet. Thanks so much.

Here is the log.

Logfile of HijackThis v1.98.2
Scan saved at 9:41:16 AM, on 2004-12-10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nslsvice.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\ePOAgent\naimas32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\tlntsvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NILaunch.exe
C:\ePOAgent\naimag32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\HiJack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.roger.../bookmarks.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINNT\System32\NILaunch.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab31267.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bridgestrain...ing/ieatgpc.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab

#6 LoPhatPhuud (Master of Disaster Recovery, General Admin, 15,731 posts)

Posted 10 December 2004 - 07:03 PM

At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v5.windowsupd.../en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'Default Level', then OK. Now press 'Custom Level'.
In the ActiveX section:
Set the first option, 'Download signed controls', to 'Prompt'.
Set the second option, 'Download unsigned controls', to 'Disable'.
Finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.wildersse...ywareguard.html
c. IE/Spyad: https://netfiles.uiu...ww/resource.htm
d. Bugoff: http://tools.zerosrealm.com/bugoff.zip

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.koll...n&page=download

Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware". You will find the list here: http://www.spywarewa...nti-spyware.htm

5. Install 'Spoofstick'
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore. See Windows help for information.

7. Rogue/Suspect Anti-Spyware
Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www/spywarewa...nti-spyware.htm

8. Anti-Spyware Programs Compared
Want to know just how effective your anti-spyware program is? Wonder how well any of the "rogue" programs listed above work? Check this link for an independent comparison of several anti-spyware programs: http://spywarewarrio...-test-guide.htm

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiat...?showtopic=9857

"It is your responsibility to read and adhere to the End User Licensing Agreement (EULA) of all software and services mentioned."

Good luck, and thanks for coming to our forums for help with your security and malware issues.
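
Added example, not part of the original post: the three ActiveX settings in step 2 are stored as DWORD values under the Internet zone key (Zones\3) of the user's Internet Settings, a detail the post does not give but which Microsoft documents for IE's URL actions: 1001 is "Download signed ActiveX controls", 1004 is "Download unsigned ActiveX controls", 1201 is "Initialize and script ActiveX controls not marked as safe", and the data is 0 for Enable, 1 for Prompt, 3 for Disable. The Python below audits an exported set of those values against the post's recommendation and writes the correction in the same REGEDIT4 format the thread's fixme.reg uses. The value sets used are constructed, not read from any real machine.

```python
# Per-user Internet zone (zone id 3). Value names are IE's URL action ids.
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}     # ordering used for "weaker than"
NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
LABELS = {
    1001: "Download signed ActiveX controls",
    1004: "Download unsigned ActiveX controls",
    1201: "Initialize and script ActiveX controls not marked as safe",
}
# The post's advice: signed -> Prompt, unsigned -> Disable, not-marked-safe -> Disable.
RECOMMENDED = {1001: PROMPT, 1004: DISABLE, 1201: DISABLE}


def audit_activex(zone_values):
    """Map action id -> (current, recommended) for each setting weaker than advised.

    `zone_values` is {action_id: dword} as exported from the Zones\\3 key. A value
    missing from the export is reported with current=None: it cannot be verified
    from the export alone, so it goes on the list for a manual look.
    """
    weak = {}
    for action, want in RECOMMENDED.items():
        have = zone_values.get(action)
        if have is None or STRICTNESS.get(have, 0) < STRICTNESS[want]:
            weak[action] = (have, want)
    return weak


def describe(weak):
    """Human-readable lines, one per weak setting, in action-id order."""
    return [f"{LABELS[a]}: {NAMES.get(have, 'not set')} -> {NAMES[want]}"
            for a, (have, want) in sorted(weak.items())]


def reg_fix(weak):
    """REGEDIT4 text (the format of the thread's fixme.reg) that sets each weak value."""
    lines = ["REGEDIT4", "", f"[{ZONE_KEY}]"]
    for action, (_, want) in sorted(weak.items()):
        lines.append(f'"{action}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed, deliberately loosened export: signed set to Enable, unsigned to Prompt.
    exported = {1001: ENABLE, 1004: PROMPT, 1201: DISABLE}
    findings = audit_activex(exported)
    for line in describe(findings):
        print(line)
    print(reg_fix(findings))
```

Pressing 'Default Level' first, as the post says, matters because the registry values are only written once a zone has been customised; on a fresh profile the export may show none of the three, which is why an absent value is reported rather than silently treated as safe.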

