Adware.Wurldmedia - Spyware.ISearch - Trojan.BHO.g - Infostealer [Resolved]

MsJessicaDz Dallas, TX
edited October 2006 in Spyware & Virus Removal
Adware.Wurldmedia - Spyware.ISearch - Trojan.BHO.g - Infostealer

These are some of the Virus names I've seen since being hit. I've tried to follow a few of your threads to fix my PC but still getting Pop-ups (WinAntiVirus, You've been infected!, Visit our Sponser ads) - Microsoft Outlook 'Not Responding', fixed it at one point but it is back to 'Not Responding'. AutoCAD (whole PC) running slow, CPU Usage jumps to 100% when using program.

This is my PC at work, small firm w/no IT on staff, did not have an AntiVirus Program running at the time. I think I got hit while at this site: yourspacenow.com (not sure but that's when I noticed my PC freaking out)
Thanks in advance. Jessica
******************************************************

Logfile of HijackThis v1.99.1
Scan saved at 12:12:57 PM, on 10/9/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\PDFCreatorMessages.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\WINNT\System32\khooker.exe
C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\system32\PELMICED.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Documents and Settings\jdiaz\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = \SOFTWARE\Microsoft\Internet Explorer\Search
R3 - URLSearchHook: (no name) - {8E88C8DC-0F4C-0EE2-1401-5DF076B86E91} - C:\WINNT\system32\elnb.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PDFCreatorClient] C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher\MailWasher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4BEF854E-6531-40D8-825E-5228A12861F3} (pwrUpl2 Class) - https://hks.thruinc.net/Components/PowerUpload.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINNT\system32\PDFCreatorMessages.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe

Comments

  • skywalker45 Bloomington, IN. USA
    edited October 2006
    Hi. Could you please rename HijackThis.exe to scanner.exe and then run the program again and post another log.
  • MsJessicaDz Dallas, TX
    edited October 2006
    Here's the requested log after renaming hijackthis.exe to scanner.exe
    fyi: I'm leaving at 3:30PM today will be back Mon.
    ***************************************************

    Logfile of HijackThis v1.99.1
    Scan saved at 2:38:36 PM, on 10/13/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\System32\NALNTSRV.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINNT\system32\PDFCreatorMessages.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wm.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\dpmw32.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\WINNT\System32\khooker.exe
    C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINNT\system32\PELMICED.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINNT\Explorer.exe
    C:\HJT\Scanner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = \SOFTWARE\Microsoft\Internet Explorer\Search
    R3 - URLSearchHook: (no name) - {8E88C8DC-0F4C-0EE2-1401-5DF076B86E91} - C:\WINNT\system32\elnb.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINNT\system32\crdmrogh.dll
    O2 - BHO: (no name) - {3E874654-961B-4CFA-B09C-EAB539165868} - C:\WINNT\system32\opnol.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {8E88C8DC-0F4C-0EE2-1401-5DF076B86E91} - C:\WINNT\system32\elnb.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PDFCreatorClient] C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
    O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher\MailWasher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4BEF854E-6531-40D8-825E-5228A12861F3} (pwrUpl2 Class) - https://hks.thruinc.net/Components/PowerUpload.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160425962531
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: opnol - C:\WINNT\system32\opnol.dll
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINNT\system32\PDFCreatorMessages.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
  • skywalker45 Bloomington, IN. USA
    edited October 2006
    OK, that worked. Please follow these instructions:

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
  • MsJessicaDz Dallas, TX
    edited October 2006
    Good morning. Here's the latest.

    When running Vundofix there was a "Registry Editor - cannot import Vundofix.reg" Error message.
    **************************************************

    VundoFix V6.2.4

    Checking Java version...

    Scan started at 9:05:35 AM 10/16/2006

    Listing files found while scanning....

    C:\WINNT\system32\crdmrogh.dll
    C:\WINNT\system32\opnol.dll
    C:\WINNT\system32\lonpo.ini
    C:\WINNT\system32\lonpo.bak1
    C:\WINNT\system32\lonpo.bak2
    C:\WINNT\system32\opnol.dll
    C:\WINNT\system32\lonpo.ini
    C:\WINNT\system32\lonpo.bak1
    C:\WINNT\system32\lonpo.bak2
    C:\WINNT\system32\lonpo.ini
    C:\WINNT\system32\lonpo.bak1
    C:\WINNT\system32\lonpo.bak2

    Beginning removal...

    Attempting to delete C:\WINNT\system32\crdmrogh.dll
    C:\WINNT\system32\crdmrogh.dll Has been deleted!

    Attempting to delete C:\WINNT\system32\opnol.dll
    C:\WINNT\system32\opnol.dll Has been deleted!

    Attempting to delete C:\WINNT\system32\lonpo.ini
    C:\WINNT\system32\lonpo.ini Has been deleted!

    Attempting to delete C:\WINNT\system32\lonpo.bak1
    C:\WINNT\system32\lonpo.bak1 Has been deleted!

    Attempting to delete C:\WINNT\system32\lonpo.bak2
    C:\WINNT\system32\lonpo.bak2 Has been deleted!

    Performing Repairs to the registry.
    Done!
    **************************************************

    Logfile of HijackThis v1.99.1
    Scan saved at 9:24:35 AM, on 10/16/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\System32\NALNTSRV.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINNT\system32\PDFCreatorMessages.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wm.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\dpmw32.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\WINNT\System32\khooker.exe
    C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINNT\system32\PELMICED.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\HJT\Scanner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = \SOFTWARE\Microsoft\Internet Explorer\Search
    R3 - URLSearchHook: (no name) - {8E88C8DC-0F4C-0EE2-1401-5DF076B86E91} - C:\WINNT\system32\elnb.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINNT\system32\crdmrogh.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {8E88C8DC-0F4C-0EE2-1401-5DF076B86E91} - C:\WINNT\system32\elnb.dll (file missing)
    O2 - BHO: (no name) - {AD396368-4DDB-4AE1-A92B-31B6BC4EE553} - C:\WINNT\system32\opnol.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PDFCreatorClient] C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
    O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher\MailWasher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4BEF854E-6531-40D8-825E-5228A12861F3} (pwrUpl2 Class) - https://hks.thruinc.net/Components/PowerUpload.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160425962531
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINNT\system32\PDFCreatorMessages.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
  • skywalker45 Bloomington, IN. USA
    edited October 2006
    Hi. That looks much better. Please run Hijack This again and put a check (tick) next to the following entries:


    R3 - URLSearchHook: (no name) - {8E88C8DC-0F4C-0EE2-1401-5DF076B86E91} - C:\WINNT\system32\elnb.dll (file missing)

    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINNT\system32\crdmrogh.dll (file missing)
    O2 - BHO: (no name) - {8E88C8DC-0F4C-0EE2-1401-5DF076B86E91} - C:\WINNT\system32\elnb.dll (file missing)
    O2 - BHO: (no name) - {AD396368-4DDB-4AE1-A92B-31B6BC4EE553} - C:\WINNT\system32\opnol.dll (file missing)


    Close all other browsers/windows and click Fix Checked. Close Hijack This. Reboot the PC and post a fresh Hijack This log.
    :)
  • MsJessicaDz Dallas, TX
    edited October 2006
    Latest Hijackthis.log after your Fix Checked request.
    (I'm so excited that you're helping me, by the way!)

    ***************************************************
    Logfile of HijackThis v1.99.1
    Scan saved at 9:51:06 AM, on 10/16/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\System32\NALNTSRV.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINNT\system32\PDFCreatorMessages.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wm.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\dpmw32.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\WINNT\System32\khooker.exe
    C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINNT\system32\PELMICED.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\HJT\Scanner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = \SOFTWARE\Microsoft\Internet Explorer\Search
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PDFCreatorClient] C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
    O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher\MailWasher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4BEF854E-6531-40D8-825E-5228A12861F3} (pwrUpl2 Class) - https://hks.thruinc.net/Components/PowerUpload.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160425962531
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINNT\system32\PDFCreatorMessages.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
  • skywalker45 Bloomington, IN. USA
    edited October 2006
    Can you tell me how the symptoms are now? By the looks of your log I would say the PC should be running well.
    :D
  • MsJessicaDz Dallas, TX
    edited October 2006
    Well so far so good. I was trying not to do too much but let me get in there and use some programs and let you know. Thanks Again
  • skywalker45 Bloomington, IN. USA
    edited October 2006
    No problem. Just keep me posted.

    I did just see one more entry you should fix with Hijack This:

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    Sorry I missed that one before.
  • MsJessicaDz Dallas, TX
    edited October 2006
    I've been online, working, and using MSOutlook (which is NOW working!) - No Pop-ups, and all seems to be running like before. I should have asked for help sooner. You ROCK :Rocker: for being willing to give ur time to us folks in need. I was losing it. LOL

    If you have any more info. or suggestions about anything u saw on my logs, I'm all ears.

    Thanks SOOOOO much!
    http://www.myspace.com/msjessicadz
  • skywalker45 Bloomington, IN. USA
    edited October 2006
    Your logs look fine. No other suggestions except for the below. I'll close this thread now. If you need any further assistance please start a new thread. :D

    Congratulations. Your log is clean! You should reward yourself very liberally! Now some pointers on how to stay clean and keep your sanity. You may be thinking now "how did I get infected?" Please read this great article: So how did I get infected in the first place.

    Next follow the instructions below to keep yourself free from infection.

    Rehide hidden files and folders. During your fix if you were asked to "show hidden files and folders" you should go back now and re-hide them. You wouldn't want to accidentally delete important files. Follow the instructions below:
    • Click "Start".
    • Click "My Computer".
    • Select the "Tools" menu and click "Folder Options".
    • Select the "View" tab.
    • Under the "Hidden files and folders" heading, select "Do not show hidden files and folders".
    • Check the "Hide protected operating system files (recommended)" option.
    • Check the "Hide file extensions for known file types".
    • Click Apply then click "OK".



    Update the OS regularly

    Set up system to ensure a regular update of the Operating System.


    Visit Windows Update on a weekly/bi-weekly REGULAR basis.


    Secure your web browser
    1. Open Internet Explorer and click on the Tools menu and then click on Security
    2. Click the Internet icon
    3. Click on Custom Level.
    4. Change the Download signed ActiveX controls to Prompt
    5. Change the Download unsigned ActiveX controls to Disable
    6. Change the Initialize and script ActiveX controls not marked as safe to Disable
    7. Change the Installation of desktop items to Prompt
    8. Change the Launching programs and files in an IFRAME to Prompt
    9. Change the Navigate sub-frames across different domains to Prompt
    10. Change the Allow paste operations via script to Disable
    11. Click on OK
    12. Save (if asked).
    13. Click on Apply button
    14. Click on OK

    Alternatively you could use another browser such as
    Mozilla Firefox (My personal favorite!)
    Opera

    Get Some Protection
    The following programs are useful in the fight against Malware. Best of all, they're FREE.
    Download and install any or all. Be warned though ---- You must update regularly. Check once a week!
    • Ad-Aware SE - This is a program that scans for and removes known spyware from your machine.
    • Spybot Search & Destroy - Similar to Ad-Aware but more configurable and incorporates Teatime, a memory resident utility that protects the system registry. I recommend
    • Spyware Blaster - It prevents the addition of ActiveX Controls on your machines by isolating the system registry.
    A good antiviral program is essential. AVG is one of the better known, and trusted, antivirals.

    And Finally.........Lock the door with a Firewall.
    ZoneAlarm is one of the best.

    I wish you very happy, and most importantly, safe surfing on the information superhighway. Just remember it can be dangerous.
This discussion has been closed.
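
As an added illustration that is not part of the thread: a small Python sketch that parses HijackThis entry lines, flags those marked `(file missing)` or `(no file)`, and diffs two scans to confirm what a Fix Checked pass removed. The function names are hypothetical, and the sample lines are excerpted from the 9:24:35 AM and 9:51:06 AM logs posted above; a missing file marks a leftover reference, not proof of malware.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Entry line: section code (R0-R3, O1-O23, ...), then " - ", then the detail.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# HijackThis appends one of these when the referenced file is not on disk.
ORPHAN_RE = re.compile(r"\s*\((file missing|no file)\)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


class Entry(NamedTuple):
    code: str             # e.g. "O2" (BHO), "R3" (URLSearchHook)
    detail: str           # rest of the line, orphan marker stripped
    clsid: Optional[str]  # upper-cased CLSID if the line carries one
    orphaned: bool        # True when the target file is missing


def parse_log(text: str) -> List[Entry]:
    """Extract entry lines; headers, process paths and separators are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())  # strip() tolerates forum indentation
        if not m:
            continue
        code, detail = m.groups()
        clsid = CLSID_RE.search(detail)
        entries.append(Entry(
            code,
            ORPHAN_RE.sub("", detail),
            clsid.group(0).upper() if clsid else None,
            ORPHAN_RE.search(detail) is not None,
        ))
    return entries


def orphans(entries: List[Entry]) -> List[Entry]:
    """Entries whose registry reference points at a file that no longer exists."""
    return [e for e in entries if e.orphaned]


def diff_logs(before: List[Entry], after: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Return (removed, added) between two scans, keyed on section code + detail."""
    b = {(e.code, e.detail) for e in before}
    a = {(e.code, e.detail) for e in after}
    removed = [e for e in before if (e.code, e.detail) not in a]
    added = [e for e in after if (e.code, e.detail) not in b]
    return removed, added


# Excerpt of the scan taken after VundoFix ran (9:24:35 AM log in the thread).
BEFORE = r"""
Logfile of HijackThis v1.99.1
C:\WINNT\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = \SOFTWARE\Microsoft\Internet Explorer\Search
R3 - URLSearchHook: (no name) - {8E88C8DC-0F4C-0EE2-1401-5DF076B86E91} - C:\WINNT\system32\elnb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINNT\system32\crdmrogh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8E88C8DC-0F4C-0EE2-1401-5DF076B86E91} - C:\WINNT\system32\elnb.dll (file missing)
O2 - BHO: (no name) - {AD396368-4DDB-4AE1-A92B-31B6BC4EE553} - C:\WINNT\system32\opnol.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
"""

# Excerpt of the scan taken after Fix Checked (9:51:06 AM log in the thread).
AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = \SOFTWARE\Microsoft\Internet Explorer\Search
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
"""

if __name__ == "__main__":
    before, after = parse_log(BEFORE), parse_log(AFTER)
    removed, added = diff_logs(before, after)
    print("Removed by Fix Checked:")
    for e in removed:
        print(f"  {e.code}  {e.clsid}")
    print("Orphaned references still present (review each one):")
    for e in orphans(after):
        print(f"  {e.code}  {e.detail}")
    print("New entries since previous scan:", len(added))
```

On these excerpts the remaining orphans include the O9 extra button that was fixed in a later reply.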