windows sockets failed to initialize? [Resolved]

neogeo0823 (Deep within the bowels of a sperm whale)
edited October 2006 in Spyware & Virus Removal
Hi there, how's it going? Umm... yeah, I'm kind of at the end of my rope here with this computer of mine. For the past couple of months I've had a Vundo virus infecting my computer and just yesterday I finally got it out. It was one of those horrible ones that restart your computer when you try to run a virus scan. Anyway, I finally got it cleaned by using a Vundo fixer made by the people who made Ad-Aware SE that I obtained from their forums. The very next restart that I had, after deleting the Vundo and running an Ad-Aware scan, I got this odd error message from my eTrust PestPatrol that simply said "windows sockets initialization failed". Since then, I haven't been able to access the internet and my computer, on the whole, is lagging more than a one-legged man in an uphill 100 meter sprint. I found a thread here that I think may help, but I'm only semi-affluent (sp?) in the various anti-malware programs and most computer lingo. If one of you guys could help me out, I'd be really appreciative. I'm completely lost on where to start. :scratch:

Thanks in advance. :thumbup

Comments

  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    Hi. Try this first and if it doesn't work we'll try a different method. From the broken computer click Start--->Run. In the run box type, verbatim:

    netsh winsock reset catalog

    Then press enter. A dark window will open and close quickly, that's normal. Reboot the PC.

    Next see if you have internet access. If not you'll need to get to another PC to download Hijack This so we can see a log from the infected computer.
  • neogeo0823 (Deep within the bowels of a sperm whale)
    edited October 2006
    I had tried that from the old thread before posting this one, as it was one of the few things I completely understood from that bit of advice. What I got was an error message, the details of which escape me at this time. If you need to know exactly what it said, I'll be happy to try it again and see if it works and post the results.

    The nifty thing is that the desktop, which I'm currently using to post this, and my broken laptop can both use the same thumb drive, so if there's anything I need to download, I can do that here and transfer it to my laptop.
  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    OK. Then you need to do this:

    Click here to download HJTsetup.exe. Save it to your Desktop!
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    • Copy and paste the log here
    DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

    Remember that I need this log from the infected PC so we can continue.
  • neogeo0823 (Deep within the bowels of a sperm whale)
    edited October 2006
    And here is my HJT log. When I did the scan, I received two errors, but I don't know if I was supposed to expect to get them or not. I can rescan and repost for you if you'd like. Anyway, here's the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:10:01 AM, on 10/20/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8l.hpwis.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsel.dll
    O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - C:\WINDOWS\prflbmsgp32.dll (file missing)
    O2 - BHO: C:\WINDOWS\adsldpbd.dll - {5B623D7D-4214-4456-A595-4454B3926042} - C:\WINDOWS\adsldpbd.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\system32\adsldpbe.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {c5d9001d-760d-463f-9f76-bc645de2d9d8} - C:\WINDOWS\system32\avcstr.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKLM\..\RunServices: [Microsoft Management] lmas.exe
    O4 - HKLM\..\RunServices: [MSN service] msnmsgr16.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O10 - Broken Internet access because of LSP chain gap (#16 in chain of 18 missing)
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
    O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
    O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVC Download Control) - http://www.shockwave.com/content/davincicode/sis/DVC%20Download%20Control.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/heavyweapon/popcaploader_v6.cab
    O20 - Winlogon Notify: avcstr - avcstr.dll (file missing)
    O20 - Winlogon Notify: mljgh - mljgh.dll (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: pmnlk - pmnlk.dll (file missing)
    O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    You have no internet connection because of this entry:

    O10 - Broken Internet access because of LSP chain gap (#16 in chain of 18 missing)

    You also have a mighty bad Vundo infection that I think we'll deal with first, then we'll get to the other stuff later. I know you used the new Ad-Aware tool but you should use the one recommended below anyway. You'll need to download the below to your PC that's working then transfer it to the non-working PC.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
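    A small triage helper for reading HijackThis logs like the ones posted in this thread. This is an added example, not code from the thread, from HijackThis, or from any tool skywalker45 recommends. It parses each line by its section tag and flags the indicators a helper looks for first: the O10 LSP chain gap that skywalker45 identifies as the cause of the broken internet access, entries still registered in the registry whose DLL is marked "(file missing)" (leftovers after a cleanup that a browser or winlogon will still try to load), and O4 autorun values that launch a bare executable name with no path. The sample lines are copied from the log above; the function names, rule names and severities are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a handful of lines copied from the HijackThis v1.99.1
# log posted earlier in this thread (not a complete log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 10:10:01 AM, on 10/20/2006
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - C:\WINDOWS\prflbmsgp32.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Management] lmas.exe
O10 - Broken Internet access because of LSP chain gap (#16 in chain of 18 missing)
O20 - Winlogon Notify: avcstr - avcstr.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
""".strip()

# Every HijackThis finding starts with a section tag (R0-R3, F0-F3, N1-N4, O1-O23).
ENTRY_RE = re.compile(r"^(?P<tag>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
# O4 body: HKLM\..\Run: [ValueName] command line
AUTORUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
LSP_GAP_RE = re.compile(r"LSP chain gap \(#(?P<pos>\d+) in chain of (?P<total>\d+) missing\)")


@dataclass
class Finding:
    tag: str        # HijackThis section tag, e.g. "O10"
    rule: str       # which triage rule fired (assumed names, not HijackThis terms)
    severity: str   # "high" or "medium" (assumed scale)
    detail: str
    line: str       # the original log line, for the reply


def _launch_target(cmd: str) -> str:
    """Return the file an autorun command actually loads (the DLL, for rundll32)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        target, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd[1:], "")
    else:
        target, _, rest = cmd.partition(" ")
    if target.lower() in ("rundll32.exe", "rundll32"):
        # rundll32 is only a host; the DLL named first in its arguments is what runs
        target = rest.strip().split(",")[0].strip().strip('"')
    return target


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth asking about first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, "Running processes:" block, blank lines
        tag, body = m.group("tag"), m.group("body")

        if tag == "O10":
            # A gap in the Winsock Layered Service Provider chain: the catalog
            # references a provider DLL that is gone, so sockets fail to initialize.
            gap = LSP_GAP_RE.search(body)
            detail = (f"LSP #{gap['pos']} of {gap['total']} missing; Winsock cannot build the provider chain"
                      if gap else body)
            findings.append(Finding(tag, "winsock_lsp_gap", "high", detail, line))
            continue

        if body.endswith("(file missing)"):
            # The registry still points at a DLL that no longer exists on disk.
            findings.append(Finding(tag, "orphaned_registration", "medium",
                                    "registry still loads a DLL that no longer exists on disk", line))
            continue

        if tag == "O4":
            a = AUTORUN_RE.match(body)
            if a:
                target = _launch_target(a["cmd"])
                # A bare filename in an autorun key relies on the search path;
                # legitimate installers almost always write a full path.
                if target and "\\" not in target and "/" not in target:
                    findings.append(Finding(tag, "autorun_bare_filename", "high",
                                            f"{a['key']} value [{a['name']}] launches '{target}' with no path", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, for a quick overview of a log."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.tag:4} {f.rule}: {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

    Run against the sample it reports the O10 gap, the two "(file missing)" registrations and the RunServices value that launches lmas.exe, while leaving the NvCplDaemon rundll32 entry and the quoted QuickTime path alone. It is a first-pass filter only; an entry that passes every rule here (such as the st3.dll Winlogon Notify entry in the full log) still needs a human looking at the file itself.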
  • neogeo0823 (Deep within the bowels of a sperm whale)
    edited October 2006
    Ah, yeah, that's the same tool I used to remove the thing in the first place. Same version, everything. Either way, though, I ran the one you provided, and it didn't find anything to delete this time around. And here's the new log for you as well. I would assume, though, that it hasn't changed.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:17:55 PM, on 10/20/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8l.hpwis.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsel.dll
    O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - C:\WINDOWS\prflbmsgp32.dll (file missing)
    O2 - BHO: C:\WINDOWS\adsldpbd.dll - {5B623D7D-4214-4456-A595-4454B3926042} - C:\WINDOWS\adsldpbd.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\system32\adsldpbe.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {c5d9001d-760d-463f-9f76-bc645de2d9d8} - C:\WINDOWS\system32\avcstr.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKLM\..\RunServices: [Microsoft Management] lmas.exe
    O4 - HKLM\..\RunServices: [MSN service] msnmsgr16.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O10 - Broken Internet access because of LSP chain gap (#16 in chain of 18 missing)
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
    O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
    O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVC Download Control) - http://www.shockwave.com/content/davincicode/sis/DVC%20Download%20Control.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/heavyweapon/popcaploader_v6.cab
    O20 - Winlogon Notify: avcstr - avcstr.dll (file missing)
    O20 - Winlogon Notify: mljgh - mljgh.dll (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: pmnlk - pmnlk.dll (file missing)
    O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    Yes, you're right, it hasn't changed. Well, we'll put that on the back burner for now. Please visit the site below:

    http://windowsxp.mvps.org/winsock.htm

    Download the Winsock fix tool. You might also want to read the tutorial provided on that page as well. Hopefully we can get internet back to this PC by running this utility.
  • neogeo0823 (Deep within the bowels of a sperm whale)
    edited October 2006
    OK, I've run the utility and now my laptop has the internet again! :rockon:

    Do you want me to post another HJT log or is there a next step? My computer actually seems to be fairly back to normal, but I don't want to almost nearly get rid of something and then have it come back, know what I mean?
  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    Yes, please post a fresh Hijack This log.
  • neogeo0823 (Deep within the bowels of a sperm whale)
    edited October 2006
    Sorry I didn't reply sooner, errands and all. Anyway, here's the newest log, just obtained not 30 seconds ago:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:49:45 PM, on 10/20/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8l.hpwis.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsel.dll
    O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - C:\WINDOWS\prflbmsgp32.dll (file missing)
    O2 - BHO: C:\WINDOWS\adsldpbd.dll - {5B623D7D-4214-4456-A595-4454B3926042} - C:\WINDOWS\adsldpbd.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\system32\adsldpbe.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {c5d9001d-760d-463f-9f76-bc645de2d9d8} - C:\WINDOWS\system32\avcstr.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKLM\..\RunServices: [Microsoft Management] lmas.exe
    O4 - HKLM\..\RunServices: [MSN service] msnmsgr16.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
    O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
    O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVC Download Control) - http://www.shockwave.com/content/davincicode/sis/DVC%20Download%20Control.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/heavyweapon/popcaploader_v6.cab
    O20 - Winlogon Notify: avcstr - avcstr.dll (file missing)
    O20 - Winlogon Notify: mljgh - mljgh.dll (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: pmnlk - pmnlk.dll (file missing)
    O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    OK, please download ATF cleaner from here.

    Locate ATF Cleaner.exe and open it.

    Under Main select the following:

      Windows Temp
      Current User Temp
      All Users Temp
      Cookies
      Temporary Internet Files
      Prefetch
      Java Cache


      *The other boxes are optional*
      Then click the Empty Selected button.

      If you use Firefox:
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      Click Exit on the Main menu to close the program.

      Next, please download AVG Anti-Spyware from my signature below. It is a free trial of the software. Save the install file to your desktop.
      • Install AVG by double clicking the installer.
      • Follow the prompts. Make sure that Launch AVG is checked.
      • On the main screen under Your Computer's security.
        • Click on Change state next to Resident shield. It should now change to inactive.
        • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
        • Wait until you see the Update successful message.
          Note: If the Update now option is grayed out, follow the steps below.
          • Click on Update on the toolbar.
          • Under Manual update, click on the Start Update button.
          • Wait until you see the Update successful message.
      • Right-click the AVG Tray Icon and select Exit. Confirm by clicking Yes.
      If you are having problems with the updater, you can use this link to manually update AVG.
      AVG manual updates.
      Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG is closed before installing the update.

      ______________________________


      Reboot your computer in Safe Mode.
      • If the computer is running, shut down Windows, and then turn off the power.
      • Wait 30 seconds, and then turn the computer on.
      • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
      • Ensure that the Safe Mode option is selected.
      • Press Enter. The computer then begins to start in Safe mode.
      • Login on your usual account.
      ______________________________

      Close ALL open Windows / Programs / Folders. Please start AVG and run a full scan.
      • Click on Scanner on the toolbar.
      • Click on the Settings tab.
        • Under How to act?
          • Click on Recommended Action and choose Quarantine from the popup menu.
        • Under How to scan?
          • All checkboxes should be ticked.
        • Under Possibly unwanted software:
          • All checkboxes should be ticked.
        • Under Reports:
          • Select Automatically generate report after every scan and uncheck Only if threats were found.
        • Under What to scan?
          • Select Scan every file.
      • Click on the Scan tab.
      • Click on Complete System Scan to start the scan process.
      • Let the program scan the machine.
      • When the scan has finished, follow the instructions below.
        IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
        • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
        • At the bottom of the window click on the Apply all Actions button. (3)
          (screenshot: scanavgjk2.jpg)
      • When done, click the Save Scan Report button.(4)
        • Click the Save Report as button.
        • Save the report to your Desktop.
      • Right-click the AVG Tray Icon and select Exit. Confirm by clicking Yes.
      Reboot in Normal Mode.

      Please post the AVG Log and a fresh Hijack This log in your next reply.
    • neogeo0823 (Deep within the bowels of a sperm whale)
      edited October 2006
      OK, I've done everything here, and I think I'm all in the clear. Here are the two logs, HJT first, then AVG.

      Logfile of HijackThis v1.99.1
      Scan saved at 7:31:37 PM, on 10/21/2006
      Platform: Windows XP (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 (6.00.2600.0000)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\WINDOWS\system32\cisvc.exe
      C:\Program Files\Symantec AntiVirus\DefWatch.exe
      C:\WINDOWS\System32\nvsvc32.exe
      C:\Program Files\Symantec AntiVirus\Rtvscan.exe
      C:\WINDOWS\System32\MsPMSPSv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\QuickTime\qttask.exe
      C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
      C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
      C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
      C:\WINDOWS\System32\ctfmon.exe
      C:\WINDOWS\System32\wuauclt.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
      C:\Program Files\Hijackthis\HijackThis.exe

      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8l.hpwis.com/
      R3 - Default URLSearchHook is missing
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsel.dll (file missing)
      O2 - BHO: C:\WINDOWS\adsldpbd.dll - {5B623D7D-4214-4456-A595-4454B3926042} - C:\WINDOWS\adsldpbd.dll (file missing)
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
      O2 - BHO: (no name) - {c5d9001d-760d-463f-9f76-bc645de2d9d8} - C:\WINDOWS\system32\avcstr.dll (file missing)
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
      O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKLM\..\RunServices: [Microsoft Management] lmas.exe
      O4 - HKLM\..\RunServices: [MSN service] msnmsgr16.exe
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
      O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
      O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
      O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
      O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
      O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
      O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
      O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
      O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
      O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
      O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVC Download Control) - http://www.shockwave.com/content/davincicode/sis/DVC%20Download%20Control.cab
      O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
      O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/heavyweapon/popcaploader_v6.cab
      O20 - Winlogon Notify: avcstr - avcstr.dll (file missing)
      O20 - Winlogon Notify: mljgh - mljgh.dll (file missing)
      O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
      O20 - Winlogon Notify: pmnlk - pmnlk.dll (file missing)
      O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
      O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
      O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

      AVG Anti-Spyware - Scan Report

      + Created at: 7:26:04 PM 10/21/2006

      + Scan result:

      C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
      HKLM\SOFTWARE\Preview AdService -> Adware.BlazeFind : Cleaned with backup (quarantined).
      C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
      C:\Program Files\Common Files\Sandlot Shared\slghex.dll -> Adware.SpywareStorm : Cleaned with backup (quarantined).
      C:\downloaded\OregonTrail-dm.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
      C:\WINDOWS\s.hta -> Downloader.Agent.ae : Cleaned with backup (quarantined).
      HKLM\SOFTWARE\Classes\CLSID\{7507739F-BC2E-4DC3-B233-816783C25DC9} -> Downloader.Delf : Cleaned with backup (quarantined).
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7507739F-BC2E-4DC3-B233-816783C25DC9} -> Downloader.Delf : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP360\A0073328.dll -> Downloader.Delf.agw : Cleaned with backup (quarantined).
      C:\WINDOWS\system32\ssf.dll -> Downloader.Delf.uy : Cleaned with backup (quarantined).
      C:\WINDOWS\1.d -> Downloader.Delf.vt : Cleaned with backup (quarantined).
      HKLM\SOFTWARE\Classes\CLSID\{16875E09-927B-4494-82BD-158A1CD46BA0} -> Downloader.Delf.vt : Cleaned with backup (quarantined).
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16875E09-927B-4494-82BD-158A1CD46BA0} -> Downloader.Delf.vt : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP359\A0070947.dll -> Trojan.Agent.cs : Cleaned with backup (quarantined).
      C:\VundoFix Backups\kbdrv.dll.bad -> Trojan.Agent.cs : Cleaned with backup (quarantined).
      C:\WINDOWS\Config\olemfc.dll -> Trojan.Agent.cs : Cleaned with backup (quarantined).
      C:\WINDOWS\Fonts\mcwin.dll -> Trojan.Agent.cs : Cleaned with backup (quarantined).
      C:\WINDOWS\system\raswin.dll -> Trojan.Agent.cs : Cleaned with backup (quarantined).
      C:\WINDOWS\system32\drivers\etc\hosts.bak -> Trojan.Qhost.r : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP356\A0070704.rbf -> Trojan.QQPass.ly : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}\RP357\A0070729.rbf -> Trojan.QQPass.ly : Cleaned with backup (quarantined).

      ::Report end
    • skywalker45skywalker45 Bloomington, IN. USA
      edited October 2006
      Not quite done yet. Run Hijack This again and have it do a system scan only. Put a check (tick) next to the following entries:

      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

      R3 - Default URLSearchHook is missing

      O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsel.dll (file missing)
      O2 - BHO: C:\WINDOWS\adsldpbd.dll - {5B623D7D-4214-4456-A595-4454B3926042} - C:\WINDOWS\adsldpbd.dll (file missing)
      O2 - BHO: (no name) - {c5d9001d-760d-463f-9f76-bc645de2d9d8} - C:\WINDOWS\system32\avcstr.dll (file missing)

      O4 - HKLM\..\RunServices: [Microsoft Management] lmas.exe
      O4 - HKLM\..\RunServices: [MSN service] msnmsgr16.exe

      O20 - Winlogon Notify: avcstr - avcstr.dll (file missing)
      O20 - Winlogon Notify: mljgh - mljgh.dll (file missing)
      O20 - Winlogon Notify: pmnlk - pmnlk.dll (file missing)
      O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll

      Close all other browsers/windows and click Fix Checked. Close Hijack This.

      Make sure you can see all hidden files and folders:
      • Click "Start".
      • Click "My Computer".
      • Select the "Tools" menu and click "Folder Options".
      • Select the "View" tab.
      • Under the "Hidden files and folders" heading, select "Show hidden files and folders".
      • Uncheck the "Hide protected operating system files (recommended)" option.
      • Click "Yes" to confirm.
      • Uncheck the "Hide file extensions for known file types".
      • Click "OK".

      Use Windows Explorer to delete the following (don't worry if they don't exist):

      C:\WINDOWS\system32\st3.dll <--- This file.

      Use the Windows search feature to search for and delete every instance of the following files. Make sure you search in hidden files and folders (do not worry if they don't exist):

      lmas.exe
      msnmsgr16.exe

      Reboot the PC into normal mode and post a fresh Hijack This log.
      :)
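The entries skywalker45 ticks above fall into a few recognisable patterns: BHO and Winlogon Notify hooks whose DLL is already gone, RunServices entries that name a bare executable with no path, a short random-looking Winlogon Notify DLL, and browser search settings forced to about:blank or stripped out. The script below is an added example for this thread, not part of the original posts and not HijackThis code; it parses a HijackThis 1.99 log and applies those patterns as rules so the same triage can be repeated on another log. SAMPLE_LOG is constructed from lines of the log posted above, and the short-name heuristic for Winlogon Notify hooks is this example's own assumption, so such hits should be reviewed by hand before fixing them.

```python
"""Triage a HijackThis 1.99 log for the entry classes fixed in the thread.

Added example, not part of the original posts and not HijackThis code.
Rules (generalised from the triage done in the thread):
  * O2 (BHO) and O20 (Winlogon Notify) entries whose DLL is "(file missing)":
    dead hooks left behind after the malware files were removed.
  * O4 RunServices entries whose command is a bare filename with no path:
    Windows resolves it through the search path, a common loader trick.
  * O20 Winlogon Notify hooks with short, random-looking lowercase names
    (heuristic only; this example's own assumption, review hits by hand).
  * R0/R1 search settings forced to about:blank and a missing R3 hook.
SAMPLE_LOG is constructed from lines of the log posted in the thread.
"""
import re

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsel.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Microsoft Management] lmas.exe
O4 - HKLM\..\RunServices: [MSN service] msnmsgr16.exe
O20 - Winlogon Notify: mljgh - mljgh.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
"""

# Every HijackThis entry line looks like "<kind> - <body>", e.g. "O4 - HKLM\..."
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Heuristic: 2-6 lowercase letters/digits, like "st3", "pmnlk", "mljgh".
SHORT_RANDOM_NAME = re.compile(r"[a-z0-9]{2,6}")


def parse(log_text):
    """Yield (kind, body, raw_line) for every HijackThis entry line."""
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def triage(log_text):
    """Return [(reason, raw_line)] for entries the thread's rules would fix."""
    findings = []
    for kind, body, raw in parse(log_text):
        if kind in ("O2", "O20") and body.endswith("(file missing)"):
            findings.append(("dead hook: referenced DLL no longer exists", raw))
        elif kind == "O4" and "\\RunServices:" in body:
            command = body.split("]", 1)[1].strip()      # text after "[Name]"
            first_token = command.split()[0] if command else ""
            if first_token and "\\" not in first_token:
                findings.append(("RunServices entry with no path (search-path loader)", raw))
        elif kind == "O20":
            # body is "Winlogon Notify: <hook> - <dll path>"
            hook = body.split(":", 1)[1].split(" - ", 1)[0].strip()
            if SHORT_RANDOM_NAME.fullmatch(hook):
                findings.append(("Winlogon Notify hook with random-looking name (review by hand)", raw))
        elif kind in ("R0", "R1") and body.endswith("about:blank"):
            findings.append(("search page hijacked to about:blank", raw))
        elif kind == "R3" and body.endswith("is missing"):
            findings.append(("default URLSearchHook removed (let HJT restore it)", raw))
    return findings


def fix_list(log_text):
    """Exactly the raw lines to tick in HijackThis before clicking Fix checked."""
    return [raw for _, raw in triage(log_text)]


if __name__ == "__main__":
    for reason, raw in triage(SAMPLE_LOG):
        print(f"{reason}\n    {raw}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; legitimate entries in the sample (the Acrobat BHO, the NVIDIA Run entry, Symantec's NavLogon hook) are left alone, which is the point of keying on "(file missing)", the missing path and the name shape rather than on the O-number alone.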
    • neogeo0823neogeo0823 Deep within the bowels of a sperm whale
      edited October 2006
      Alrighty, done and done. Here's your latest HJT log.

      Logfile of HijackThis v1.99.1
      Scan saved at 2:15:44 AM, on 10/22/2006
      Platform: Windows XP (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 (6.00.2600.0000)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\QuickTime\qttask.exe
      C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
      C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
      C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
      C:\WINDOWS\System32\ctfmon.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\WINDOWS\system32\cisvc.exe
      C:\Program Files\Symantec AntiVirus\DefWatch.exe
      C:\WINDOWS\System32\nvsvc32.exe
      C:\Program Files\Symantec AntiVirus\Rtvscan.exe
      C:\WINDOWS\System32\MsPMSPSv.exe
      C:\Program Files\Hijackthis\HijackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8l.hpwis.com/
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
      O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
      O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
      O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
      O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
      O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
      O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
      O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
      O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
      O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
      O16 - DPF: {7C5D062A-7A1E-4A46-A02B-A928084CBD66} (MLauncherNew Class) - http://legendofares.netgame.com/download/MusaLauncherNew.cab
      O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/mjolauncher.cab
      O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVC Download Control) - http://www.shockwave.com/content/davincicode/sis/DVC%20Download%20Control.cab
      O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
      O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/heavyweapon/popcaploader_v6.cab
      O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
      O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
      O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    • skywalker45skywalker45 Bloomington, IN. USA
      edited October 2006
      Your log is clean, but I should warn you that your Windows installation badly needs to be updated. Without being updated this machine will always be more susceptible to infection. At least try to update XP to SP1 if possible, but SP2 will give you the most protection. Is there anything else I can help you with?
    • neogeo0823neogeo0823 Deep within the bowels of a sperm whale
      edited October 2006
      Yeah, I wish I could update it. There's a problem with the software key that I bought, and because of this I can't get updates from the Microsoft website for my machine. Umm... as for other problems, I do actually have a problem with my old desktop that I'd like to get solved. However, I have to run out to do some errands very soon, so I'll post more about it when I get back in a few hours.

      Thanks for all the help so far, though! I can't believe I was lucky enough to find this forum. I know tons of people who would greatly benefit from a place like this. I will, of course, be recommending this site to all my friends for their future problems.
    • skywalker45skywalker45 Bloomington, IN. USA
      edited October 2006
      You're welcome for the help and please send your friends to us and tell others about Short Media! I will close this thread now. Please start a new thread for your problem with the desktop PC. Read below for some suggestions on how to stay clean.

      Congratulations. Your log is clean! You should reward yourself very liberally! Now some pointers on how to stay clean and keep your sanity. You may be thinking now "how did I get infected?" Please read this great article: So how did I get infected in the first place.

      Next follow the instructions below to keep yourself free from infection.

      Disable and then enable system restore to purge infected restore points.

      Turn OFF System Restore.
      1. On the Desktop, right-click My Computer.
      2. Click Properties.
      3. Click the System Restore tab.
      4. Check Turn off System Restore.
      5. Click Apply.
      6. Click OK.

      To enable system restore:
      1. Uncheck the box by Turn off system restore
      2. Click Apply.
      3. System restore is now on.
      4. Create a restore point by clicking Start--->All programs--->Accessories--->System tools--->System restore
      5. Select the bubble that says Create restore point. Then click Next.
      6. Give the restore point a meaningful name like post malware removal. Then click OK.

      Rehide hidden files and folders. During your fix if you were asked to "show hidden files and folders" you should go back now and re-hide them. You wouldn't want to accidentally delete important files. Follow the instructions below:
      • Click "Start".
      • Click "My Computer".
      • Select the "Tools" menu and click "Folder Options".
      • Select the "View" tab.
      • Under the "Hidden files and folders" heading, select "Do not show hidden files and folders".
      • Check the "Hide protected operating system files (recommended)" option.
      • Check the "Hide file extensions for known file types".
      • Click Apply then click "OK".


      Update with SP2 if you don't already have it.
      Visit Windows Update and follow the onscreen instructions to download and install SP2. This is a time consuming process, even with a fast connection. If you use a dial-up connection you should consider getting a FREE copy directly from Microsoft, or get a friend with a fast connection to burn a copy of the upgrade to CD for you.

      Update the OS regularly

      Set up system to ensure a regular update of the Operating System.

      Manually:

      Visit Windows Update on a weekly/fortnightly REGULAR basis.

      Automatically:
      1. On the Desktop, right-click My Computer.
      2. Click Properties.
      3. Click on Automatic Updates.
      4. Check the option of choice (I use Automatic (Recommended)). If you use dial-up I would recommend using the Notify Me option so that you can download when you can afford the time and bandwidth overheads.
      5. Select the Day/Time of choice
      6. Click Apply
      7. Click OK


      Secure your web browser
      1. Open Internet Explorer and click on the Tools menu and then click on Security
      2. Click the Internet icon
      3. Click on Custom Level.
      4. Change the Download signed ActiveX controls to Prompt
      5. Change the Download unsigned ActiveX controls to Disable
      6. Change the Initialize and script ActiveX controls not marked as safe to Disable
      7. Change the Installation of desktop items to Prompt
      8. Change the Launching programs and files in an IFRAME to Prompt
      9. Change the Navigate sub-frames across different domains to Prompt
      10. Change the Allow paste operations via script to Disable
      11. Click on OK
      12. Save (if asked).
      13. Click on the Apply button
      14. Click on OK

      Alternatively you could use another browser such as Mozilla Firefox (my personal favorite!) or Opera.

      Get Some Protection
      The following programs are useful in the fight against Malware. Best of all, they're FREE.
      Download and install any or all. Be warned though ---- You must update regularly. Check once a week!
      • Ad-Aware SE - This is a program that scans for and removes known spyware from your machine.
      • Spybot Search & Destroy - Similar to Ad-Aware but more configurable and incorporates Teatime, a memory resident utility that protects the system registry. I recommend
      • Spyware Blaster - It prevents the addition of ActiveX Controls on your machine by isolating the system registry.
      A good antiviral program is essential. AVG is one of the better known, and trusted, antivirals.

      And Finally.........Lock the door with a Firewall. XP comes with its own simple firewall but I prefer to substitute it with ZoneAlarm.

      I wish you very happy, and most importantly, safe surfing on the information superhighway. Just remember it can be dangerous.
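The Custom Level changes in the "Secure your web browser" steps above are stored in the registry, so they can be audited and re-applied without clicking through the dialog. The script below is an added example for this thread, not part of the original post. It maps the seven settings to their documented Internet Explorer URL-action value names under the Internet zone key (zone 3), where 0 = Enable, 1 = Prompt and 3 = Disable, compares a snapshot against the recommended levels, produces the hardened set, and on Windows can read the live per-user values. SAMPLE_ZONE is a constructed snapshot, not IE 6's defaults, and the read_zone3 helper is this example's own.

```python
"""Audit Internet Explorer's Internet zone against the hardening recommended
in the thread.  Added example, not part of the original post.

Each Custom Level setting is a DWORD under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
(zone 3 = Internet).  Value names are the documented IE URL-action IDs;
0 = Enable, 1 = Prompt, 3 = Disable, so a numerically smaller value is the
weaker setting.  SAMPLE_ZONE is a constructed snapshot, not IE's defaults.
"""
import sys

ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
ZONE3_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# (value name, Custom Level caption, setting recommended in the thread)
HARDENING = [
    ("1001", "Download signed ActiveX controls", PROMPT),
    ("1004", "Download unsigned ActiveX controls", DISABLE),
    ("1201", "Initialize and script ActiveX controls not marked as safe", DISABLE),
    ("1800", "Installation of desktop items", PROMPT),
    ("1804", "Launching programs and files in an IFRAME", PROMPT),
    ("1607", "Navigate sub-frames across different domains", PROMPT),
    ("1407", "Allow paste operations via script", DISABLE),
]

# Constructed snapshot: ActiveX downloads already locked down, the rest Enable.
SAMPLE_ZONE = {"1001": PROMPT, "1004": DISABLE, "1201": DISABLE,
               "1800": ENABLE, "1804": ENABLE, "1607": ENABLE, "1407": ENABLE}


def audit(zone):
    """Return [(name, caption, current, wanted)] for every setting weaker than
    recommended.  A value absent from the snapshot is reported as well, since
    an absent value means whatever default applies, which is not verified."""
    weak = []
    for name, caption, wanted in HARDENING:
        current = zone.get(name)
        if current is None or current < wanted:
            weak.append((name, caption, current, wanted))
    return weak


def hardened(zone):
    """Copy of the snapshot with the recommended levels applied; a setting that
    is already stricter than recommended (e.g. Disable where Prompt is asked
    for) is left alone rather than loosened."""
    out = dict(zone)
    for name, _, wanted in HARDENING:
        if out.get(name) is None or out[name] < wanted:
            out[name] = wanted
    return out


def read_zone3():
    """Windows only: read the per-user zone 3 values.  This example's own
    helper; it ignores policies that force machine-wide zone settings."""
    import winreg  # only importable on Windows
    zone = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE3_KEY) as key:
        for name, _, _ in HARDENING:
            try:
                zone[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not set for this user; reported by audit()
    return zone


if __name__ == "__main__":
    zone = read_zone3() if sys.platform == "win32" else SAMPLE_ZONE
    for name, caption, current, wanted in audit(zone):
        now = "unset" if current is None else LABEL.get(current, current)
        print(f"{name} {caption}: {now} -> set to {LABEL[wanted]}")
```

Because Enable, Prompt and Disable are encoded as 0, 1 and 3, "weaker than recommended" is a plain numeric comparison, and the same comparison lets `hardened` raise only the settings that need it. Writing the values back is deliberately left to the dialog or to `reg add`, since a typo in a zone DWORD silently changes browser behaviour.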
    This discussion has been closed.