homesearch assistant, spyware, pop-ups, viruses

pnolanpnolan
edited March 2005 in Spyware & Virus Removal
hello, I've been hit hard. several problems and recurring ones
can you help me out.

I ran spybot, ad-aware, and pc-cillin and then ran hjt

here is my hjt log
can you tell me what to get rid of?

thanks!

Logfile of HijackThis v1.99.0
Scan saved at 9:42:35 PM, on 2/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\soft.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\ME\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wgoxh.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wgoxh.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wgoxh.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wgoxh.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wgoxh.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {DD7F1708-D0FC-9336-482E-B32F8180E1F3} - C:\WINDOWS\system32\iphj32.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\web.exe
O4 - HKLM\..\Run: [netvb.exe] C:\WINDOWS\system32\netvb.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\dddd.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteckj32.exe
O4 - HKLM\..\RunOnce: [atlyw.exe] C:\WINDOWS\system32\atlyw.exe
O4 - HKLM\..\RunOnce: [mfclm.exe] C:\WINDOWS\system32\mfclm.exe
O4 - HKLM\..\RunOnce: [windx.exe] C:\WINDOWS\windx.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\juno 2\Juno\exec.exe regrun
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\dddd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Windows.hta
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSxdm55251US
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104048626937
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec - C:\WINDOWS\System32\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\d3js.exe (file missing)
«1

Comments

  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    Please download CWShredder but don't run it yet.
    http://cwshredder.net/bin/CWSInstall.exe


    Download Ad-aware SE from: http://www.majorgeeks.com/download506.html

    Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


    Make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wgoxh.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wgoxh.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wgoxh.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wgoxh.dll/sp.html#14044
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wgoxh.dll/sp.html#14044
    O2 - BHO: (no name) - {DD7F1708-D0FC-9336-482E-B32F8180E1F3} - C:\WINDOWS\system32\iphj32.dll
    O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\web.exe
    O4 - HKLM\..\Run: [netvb.exe] C:\WINDOWS\system32\netvb.exe
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\dddd.exe
    O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteckj32.exe
    O4 - HKLM\..\RunOnce: [atlyw.exe] C:\WINDOWS\system32\atlyw.exe
    O4 - HKLM\..\RunOnce: [mfclm.exe] C:\WINDOWS\system32\mfclm.exe
    O4 - HKLM\..\RunOnce: [windx.exe] C:\WINDOWS\windx.exe
    O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\dddd.exe
    O4 - Global Startup: Microsoft Windows.hta
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted IP range: (HKLM)
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\d3js.exe (file missing)


    Reboot your computer into Safe Mode


    Now run CWShredder, making sure to click "Fix".


    Then delete these files or directories (Do not be concerned if they do not exist)

    C:\WINDOWS\wgoxh.dll
    C:\WINDOWS\system32\iphj32.dll
    C:\WINDOWS\System32\web.exe
    C:\WINDOWS\system32\netvb.exe
    C:\WINDOWS\System32\dddd.exe
    C:\windows\system32\eliteckj32.exe
    C:\WINDOWS\system32\atlyw.exe
    C:\WINDOWS\system32\mfclm.exe
    C:\WINDOWS\windx.exe
    C:\WINDOWS\System32\dddd.exe


    Run a full scan with Adaware.

    Reboot your computer to go back to normal mode.


    Please run these two online scans.
    Make sure they are set to clean automatically:

    http://housecall.trendmicro.com/

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    If there are files that can not be removed by the scans please include that information in your next post.



    Reboot and post a new hijackthis log.
  • pnolanpnolan
    edited February 2005
    ok thanks

    I did all you said, but could not run pandasoftware. computer kept shutting it down

    ran pc-cillin and it found 17 viruses. deleted them
    btw: it found 15 yesterday

    I rebooted my computer 4 times and the desktop would not show up. finally did on the fifth try.

    new hjt log

    Logfile of HijackThis v1.99.0
    Scan saved at 5:55:20 PM, on 2/11/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\ME\Desktop\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cxxlg.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cxxlg.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cxxlg.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cxxlg.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cxxlg.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cxxlg.dll/sp.html#14044
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cxxlg.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
    O2 - BHO: (no name) - {6CB55B62-92A9-30DC-1708-C97DEE5E6821} - C:\WINDOWS\javazv32.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\dddd.exe
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
    O4 - HKLM\..\Run: [39.tmp] C:\DOCUME~1\ME\LOCALS~1\Temp\39.tmp.exe 0 10001
    O4 - HKLM\..\Run: [39.tmp.exe] C:\DOCUME~1\ME\LOCALS~1\Temp\39.tmp.exe 1 10001
    O4 - HKLM\..\Run: [javaod32.exe] C:\WINDOWS\javaod32.exe
    O4 - HKLM\..\RunOnce: [atlyw.exe] C:\WINDOWS\system32\atlyw.exe
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\juno 2\Juno\exec.exe regrun
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.05p.com (HKLM)
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.scoobidoo.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104048626937
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://www.globalphon.com/dialer/internazionale_ver4.CAB
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec - C:\WINDOWS\System32\symlcsvc.exe
    O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\atlyw.exe



    what now?

    thanks
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    The infection that you have has gotten in pretty deep. Let's try another fix.

    1. Download this tool called AboutBuster http://www.downloads.subratam.org/AboutBuster.zip

    Unzip it to your desktop but don't run it yet.

    2. Download Adaware from http://www.lavasoft.de/english/default.shtml. Install and open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. Exit Adaware.

    3. Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

    4. Make sure your PC is configured to show hidden files

    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    5. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

    Scroll down and find the service called Network Security Service. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

    6. Reboot to Safe Mode
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. To get back to normal mode just restart the computer as you normally would.

    7. Scan with Hijack This and put checks next to all the following, then click "Fix Checked"


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cxxlg.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cxxlg.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cxxlg.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cxxlg.dll/sp.html#14044
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cxxlg.dll/sp.html#14044
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cxxlg.dll/sp.html#14044
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cxxlg.dll/sp.html#14044
    F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
    O2 - BHO: (no name) - {6CB55B62-92A9-30DC-1708-C97DEE5E6821} - C:\WINDOWS\javazv32.dll
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\dddd.exe
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
    O4 - HKLM\..\Run: [39.tmp] C:\DOCUME~1\ME\LOCALS~1\Temp\39.tmp.exe 0 10001
    O4 - HKLM\..\Run: [39.tmp.exe] C:\DOCUME~1\ME\LOCALS~1\Temp\39.tmp.exe 1 10001
    O4 - HKLM\..\Run: [javaod32.exe] C:\WINDOWS\javaod32.exe
    O4 - HKLM\..\RunOnce: [atlyw.exe] C:\WINDOWS\system32\atlyw.exe
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.05p.com (HKLM)
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.scoobidoo.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\atlyw.exe


    and delete the following files if present.


    C:\WINDOWS\system32\atlyw.exe
    C:\WINDOWS\System32\soft.exe
    C:\WINDOWS\javazv32.dll
    C:\WINDOWS\System32\dddd.exe
    C:\WINDOWS\javaod32.exe
    C:\WINDOWS\system32\atlyw.exe
    C:\WINDOWS\cxxlg.dll



    8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

    9. Scan with Adaware and let it remove any bad files found.

    10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

    Temporary Files
    Temporary Internet Files
    Recycle Bin

    11. Reboot to normal mode, scan again with Hijack This and post a new log here.

    12. Finally, do an online scan at the following site. Let it remove any infected files found.
    Trend Micro (PC-cillin) - Free on-line Scan
    http://housecall.antivirus.com

    Post a fresh HijackThis log and the AboutBuster report back here please.
  • pnolanpnolan
    edited February 2005
    Buckeye_Sam wrote:
    The infection that you have has gotten in pretty deep. Let's try another fix.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cxxlg.dll/sp.html#14044



    HI Sam,

    I will try this tomorrow, or actually later today, but need to sleep now.

    a question I have though:

    [as an exmple - this had happened in the past]
    in this line
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cxxlg.dll/sp.html#14044

    when I run hjt after cleaning - I see that line, only the letters (cxxlg.dll) are different. everything else is the same. and I beleive there were also more lines than the first hjt log showed.

    does this make a difference?
    sould I only delete the lines that match ver batum?

    thanks for all your help! I really appreciate it.

    btw: I am originally from the Cleveland area. GO Buckeyes !
  • pnolanpnolan
    edited February 2005
    ok,
    when I ran hjt - not one of the files listed was found in the log. there was nothing fixed.

    about buster found no ads

    house call was shut down and showed this prompt
    clean failed TROJ_IESER.A

    my desktop picture still does not show up.
    my homepage still gets changed.
    there is an annoying search bar attached to task bar in the right corner that pops up every time my mouse goes over the taskbar.
    my restore computer feature keeps getting turned off.
    I am not able to set automatic updates.
    pc-cillin is slow to load. - security page showed AV as off.

    here is the new hjt log and about buster log


    Logfile of HijackThis v1.99.0
    Scan saved at 10:24:24 AM, on 2/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\System32\symlcsvc.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\isrvs\desktop.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\ME\Desktop\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\juno 2\Juno\exec.exe regrun
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104048626937
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec - C:\WINDOWS\System32\symlcsvc.exe
    O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



    Scanned at: 10:15:09 AM on: 2/12/2005


    -- Scan 1
    About:Buster Version 4.0
    Reference List : 19

    No ADS found on system
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    -- Scan 2
    About:Buster Version 4.0
    Reference List : 19

    No ADS found on system
    Attempted Clean Of Temp folder.
    Pages Reset... Done!
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    Ok, from your description of what's happening and what I am seeing in your log it sounds like you have something new. But don't worry we'll get you fixed up.

    I see evidence of Symantec(Norton) in your log but you are running Trend Micro. Do you still have Norton on your computer or have you uninstalled it? Are you connecting to the Internet with Juno or AOL?


    Download(right click and select Save file as or Save link as): DelDomains.inf
    http://mvps.org/winhelp2002/DelDomains.inf

    To use: Close all open browsers
    Right-click DelDomains.inf and select: Install

    This should remove those 015 entries.



    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    If you no longer run any Symantec(Norton) software you can remove these lines also.

    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec - C:\WINDOWS\System32\symlcsvc.exe



    Everything we've done up to this point will make your computer run better and boot up faster, but it does not solve your problem. I want you to run a trial version of Kapersky antivirus. Make sure you disable Trend Micro before installing it and then get all updates before running a full scan.

    http://www.kaspersky.com/trials?chapter=146481750

    If it freezes up or shuts down on you try running it in Safe Mode.




    Let me know how it goes. Give me as much information as possible and post a new hijackthis log.
  • pnolanpnolan
    edited February 2005
    OK

    I was able to clean those files with hjt.
    I could not run kapersky - I got the page not available prompt every time I tried to go there.

    I seem to be able to keep my homepage now.
    homesearch appears to be gone
    several of the pop-ups are gone
    but , not finished yet.

    system restore appears to remain on now.
    still can not set to automatic update however.

    desktop picture is not there. just a blank grey or white screen with the icons. when i switch users or shut down, the pic appears. it is under this blank screen.

    I connect with yahoo DSL from my local Bell company.
    I'm wondering if my desktop trouble might be associated with Yahoo somehow
    if I try to go to Yahoo homepage - I get a blank white screen.
    I can go to Yahoo Mail, or my local yahoo page and then access the main yahoo home page from there. but, if I try to save that and get to the home page again, I get the blank screen again.

    what do you know about "Security Task Manager" ?
    do you recommend that tool?

    the other users get prompts on there desktop saying "inetdata services.exe"
    can not be found.
    how do I eliminate those prompts?

    here is my hjt log
    thanks so much for all your help!

    Logfile of HijackThis v1.99.0
    Scan saved at 10:21:13 PM, on 2/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\isrvs\desktop.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\Documents and Settings\ME\Desktop\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\juno 2\Juno\exec.exe regrun
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104048626937
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    Download and install A2. It's free, but you'll have to register in order to download updates.

    http://www.emsisoft.com/en/software/free/

    Let it remove anything that it finds.



    Next, see if you can download and run Stinger.

    http://download.nai.com/products/mcafee-avert/stinger.exe

    Let me know if you can't get the link to work.



    Let me know what either of these programs finds.
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    what do you know about "Security Task Manager" ?
    do you recommend that tool?
    Never used it, but it looks good to me.

    the other users get prompts on there desktop saying "inetdata services.exe"
    can not be found.
    how do I eliminate those prompts?

    That's part of a virus. If we can get the automated tools to run it should eliminate these error messages. Otherwise we'll go in and edit your registry manually.
  • pnolanpnolan
    edited February 2005
    Buckeye_Sam wrote:
    Download and install A2. It's free, but you'll have to register in order to download updates.

    http://www.emsisoft.com/en/software/free/

    Let it remove anything that it finds.



    Next, see if you can download and run Stinger.

    http://download.nai.com/products/mcafee-avert/stinger.exe

    Let me know if you can't get the link to work.



    Let me know what either of these programs finds.


    I couldn't get a2, I tried to sign up for an account and got an error message.

    stinger found 1 and cleaned it

    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
    Found the Qhosts.apd trojan !!!
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts has been repaired.
    Number of clean files: 197706
    Number of files repaired: 1
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    The issue you are having with your desktop seems to indicate a very new virus that is showing up in some other logs on other sites, but very few antivirus apps have updated for it. Isn't nice to among the first to get infected. :)

    I just found out that AVG antivirus is supposed to go after this virus. You can download it here. Just be sure to disable your Trend Micro before running AVG.

    http://free.grisoft.com/softw/70free/setup/avg70free_300a419.exe


    Let me know what AVG finds, if you are able to run it.
  • pnolanpnolan
    edited February 2005
    ok
    I ran AVG. it found over 200 infected files.

    it cleared most of them.
    scanned again.
    it found more and i could not do anything with them.
    I opend the hidden folders, turned off system restore and ran it in safe mode, it found no infected files.

    I rebooted in normal mode, ran it again, it found no infected files.

    I still have the desktop problem though.
    my desktop is simply a blank screen with the icons.
    that annoying search bar on my task bar is still there.

    the search bar goes away when I end the process desktop.exe
    comes back on every reboot

    AVG scanned desktop.exe and cleared it as ok.

    here is a new HJT log

    Logfile of HijackThis v1.99.0
    Scan saved at 4:02:15 PM, on 2/16/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\ME\Desktop\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [New application] C:\Program Files\Trend Micro\Internet Security 2005\tmproxy.exe
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104048626937
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O23 - Service: AOL Connectivity Service - Unknown - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    Over 200 viruses found? Well that's a step in the right direction.

    Can you see if you can get this online virus scan to work? It's reported to also look for the infection that you may have.

    http://www3.ca.com/securityadvisor/virusinfo/scan.aspx


    Let me know how it turns out and then we'll see what we can do about your desktop.
  • pnolanpnolan
    edited February 2005
    Buckeye_Sam wrote:
    Over 200 viruses found? Well that's a step in the right direction.

    Can you see if you can get this online virus scan to work? It's reported to also look for the infection that you may have.

    http://www3.ca.com/securityadvisor/virusinfo/scan.aspx


    Let me know how it turns out and then we'll see what we can do about your desktop.


    Ok I ran it. it found 28 infected filed - deleted them
    scanned again - it found 20 infected files - they all had restore in the location
    deleted them
    scanned again - found 0 infected files

    inetdata was one that was found
    however when I swithed users, the prompts came up still
    windows cannot find inetdata/services.exe
    and windows cannot run inetdata/services.exe

    and my desktop problem still exists

    man, these things got in deep

    why do they keep coming back on after they have been detected and deleted?
  • pnolanpnolan
    edited February 2005
    these .exe files are in my windows folder

    what the heck are they?
    are they bad? safe?

    dfsdf.exe
    dfe.exe
    d3ot32.exe
    crfo.exe
    gx9fzj83m9.exe
    sideb.exe
    browser.exe
    LPT$VPN.404
    VPTNFILE.404
    there are more , but I won't list them all.
    also, there are several .LOG files what are they?
    are they needed?
    e.g KB823182.log
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    All of those files are bad that you listed. It's important to look at the date of the files to see when they were created. If they are very recently created they may be bad, but not necessarily. Refrain from deleting anything right now.

    Kapersky antivirus is the key to removing this virus. I just received an email as I typed this that links to an excellent tutorial. Rather than recreate it here, just follow this link and try to follow it.

    http://www.bleepingcomputer.com/forums/topict11662.html


    Here are some alternate download sites that you can try.


    http://www.kaspersky.com/trials
    (download version 5.0 personal)
    or this one;
    http://www.kaspersky.com/trials?chapter=146481750
    (pick download site nearest to you and download)
    or this;
    ftp://downloads-us2l.kaspersky-labs.com/t...8017F63KM1T941/
    (direct download link (U.S.A.), click on second link on page)


    Let me know if you still can not download it and I will figure something else out.
  • pnolanpnolan
    edited February 2005
    KAPERSKY IS HORRIBLE !!!

    I ran it, it removed the annoying search bar in my task bar.

    it must have had A VIRUS ATTACHED TO IT however.

    after it ran, i could not browse
    I could not open system restore

    everytime I tried to open a website, the insignia for kapersky would flash rapidly in the status bar and explorer would shut down.

    everytime I tried to open system restore, it would start but fail to open.

    I had to uninstall kapersky for things to work again.
    I hope nothing was permanently damaged.
  • pnolanpnolan
    edited February 2005
    ok so apparently I've lost explorer.exe. that's why my desktop is a blank page

    how do I fix that?

    there are several entries on my taskbar under past items for displayed icons.

    how do i clean those off?


    and then the bad .exe. files under windows in windows explorer?

    other users still get those prompts about inetdata.
    these av programs seem to have cleaned up most of problems, how come those prompts still appear?


    thanks for all of your help, it is greatly appreciated!
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    The virus that you have infects the explorer.exe file. Kapersky is the only known program right now that can disinfect it. Kapersky had to shut down explorer.exe in order to attempt to disinfect it. Your problems are caused by the virus, not by Kapersky.

    Please post a hijackthis log and let me know what's working and what's not as of now.
  • pnolanpnolan
    edited February 2005
    ok

    the desktop still does not work - blank page with icons
    other users still get inetdata prompts

    annoying search bar is gone

    popping up now on my taskbar is xadsj-o.offeroptimizer.com

    these were all installed on 2-20
    BJAXSecurityManager.dll
    RGWInterfaces_DSR.dll
    RGWLib_2-0-0_DSR.dll
    TrustInhouse.dll

    can you tell what they belong to? are they junk?

    here is hjt log

    Logfile of HijackThis v1.99.0
    Scan saved at 7:17:30 PM, on 2/21/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Grisoft\AVG Free\avgcc.exe
    C:\Program Files\Grisoft\AVG Free\avgwb.dat
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\windows\system32\gmsytwnl.exe
    C:\windows\system32\calc.exe
    C:\Documents and Settings\ME\Desktop\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
    O4 - HKLM\..\Run: [gmsytwnl] c:\windows\system32\gmsytwnl.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104048626937
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • pnolanpnolan
    edited February 2005
    Buckeye_Sam wrote:
    The virus that you have infects the explorer.exe file. Kapersky is the only known program right now that can disinfect it. Kapersky had to shut down explorer.exe in order to attempt to disinfect it. Your problems are caused by the virus, not by Kapersky.

    .


    I ran kapersky, it detected and deleted some files. then when I tried to operate my computer - nothing would work

    I could not open system restore
    I could not open a webpage

    I could do those things before I ran kapersky and after I removed kapersky

    how does it help if it removes the virus but I cannot run my computer?
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    I'm checking into the proper prodedure for restoring your explorer.exe file. But for now let's clean up a few leftover pieces of malware.

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
    O4 - HKLM\..\Run: [gmsytwnl] c:\windows\system32\gmsytwnl.exe


    Delete these files.

    c:\windows\system32\gmsytwnl.exe
    C:\WINDOWS\BTGrab.dll


    Reboot and post a new hijackthis log.
  • pnolanpnolan
    edited February 2005
    I think I got rid of those when i did a system restore to an earlier date.

    I ran hjt and did not find those. here is the new log.

    I have some new pop-up: xjads-optimizer

    is that represented in this list?

    Logfile of HijackThis v1.99.0
    Scan saved at 3:22:32 AM, on 2/24/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\ME\Desktop\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104048626937
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


    THANKS !!!!!!
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    Your log is looking very good right now. Just one line to fix.

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll

    Then delete this file, if found.

    C:\WINDOWS\dlmax.dll


    Now run a full scan with Adaware.



    One of the things that this virus does is tries to download and install all sorts of spyware to your computer. Since you should be clean now, let's put in some protection.

    Download and install SpywareBlaster.
    http://www.javacoolsoftware.com/sbdownload.html

    Check for updates and enable all protection. Then follow these directions from BleepingComputer to take a System Snapshot.
    SpywareBlaster has the ability to take a snapshot, or backup, of certain settings in your browser and your registry. These settings will saved in a database that is stored in your SpywareBlaster directory. If in the future you make a mistake on a setting in your browser, or things start acting strange, possibly due to Spyware/Hijackers, you can restore from this backup.

    The first step is to click on the System Snapshot button on the left. If this is your first time using it, you will want to create a snapshot of your system. You should select the radio button that is labeled "Create new System Snapshot" and press the Go button. Give the snap shot a name that you will remember and make sure the "Append date + time..." checkbox is check marked. I usually use a name like Snapshot. When this is done, press the "Create Snapshot" button to continue. SpywareBlaster will then save settings from your computer in a database on your computer. When it is done you can press the Finish button.

    If in the future you want to restore from this backup, you can choose the System Snapshot section and then select the radio button for "Restore System to Saved Snapshot Point" and press the Go button. You should click once on a snapshot to select it and then press the Next button. If there were any changes from your current settings to the ones saved in the snap shot you specified, it will notify you and give you the option to restore them, otherwise it will tell you there was no difference in your current settings to the ones in the snapshot.


    Has anything changed with your desktop?
    Will your Trend Micro antivirus allow you to download any updates?
    Do you have your Windows XP installation disc?
  • pnolanpnolan
    edited February 2005
    Has anything changed with your desktop? no
    Will your Trend Micro antivirus allow you to download any updates? no
    Do you have your Windows XP installation disc? yes

    ok I have installed spyware blaster


    can all infected files be safely deleted? or are some needed and should be healed rather than deleted?

    I wonder if I screwed up anything going through this cleaning process.
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited February 2005
    The files that I have listed for you to delete can be safely deleted. There are however, certain legitimate files that an antivirus would detect that are actually infected and you wouldn't want to delete. They should be healed.

    Insert your Windows XP set up CD. Click Start -> Run and type sfc /scannow

    This should verify all system files and restore anything that is missing or corrupted. I'm not sure if this will restore your explorer.exe file.

    Let me know how it goes and if you run into any problems. Let me know if there are any changes in how your computer is running.

    Also please post a new hijackthis log.
  • pnolanpnolan
    edited March 2005
    couldn't do it
    the disk I have is a reinstallation cd.
    I tried to check compatability and it told me the version I have is newer than the one on the disk.

    I typed sfc/scannow and it said it could not find it.
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited March 2005
    Make sure the spacing is right. There is a space between sfc and /

    sfc /scannow
  • pnolanpnolan
    edited March 2005
    ok now I did that and I saw a quick flash on the screen and that was it. I don't know if anything else was happening or not. appeared not to be
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited March 2005
    I have some new information that might help you out. But first please run this online scan and let me know if it comes back clean. It will be pointless to start restoring things if you are still infected.

    http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
This discussion has been closed.