The inet20003 folder in C:\Windows should be deleted. We will sort the other files/folders shortly.
Also, the prefetch folder has a few files with ssk or ssk3 in the name--SurfSideKick3, I assume?
You can delete those and yes, they are part of SurfSideKick3
To get rid of VCClient and other undesirables, is it enough to send them to the recycle bin?
I presume it's enough BUT it's always best to empty the bin.
Middle of the night again. I'm giving up earlier this time. Here's what I've found: In the Add/Remove Programs window, New.net Domains 6.38 appears, but when I click Change/Remove, I get an error message from XP, telling me it may already have been uninstalled, and asking if I'd like to remove it from the Add/Remove programs list. Is this for real? If I noticed it before, then I certainly tried to remove it. Is it safe to take it off the list?
This line somehow is showing in your log. O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
Before you do anything, I would like you to follow PROCEDURE 4 at this site. Let me know If you have any difficulties in doing that.
On to other things:
L2Mfix did its job perfectly.
Before we continue, I would like to know what's working and what's not, and where we are up to so far.
NNuninstall.exe worked fine just now, and somehow the internet came back to life afterwards. The CD drive still won't detect a blank CD, though it's doing all right with Billy Joel. The whole system is still very slow--even slower when the wi-fi card is in, so I leave it out as much as possible for fear of contracting more viruses.
There appears to be nothing in the Add/Remove programs list anymore that shouldn't be there, and I've deleted inet20003. All the remaining 'ufio' files have totally disappeared, whatever they were. I've left the deleted ones in the recycle bin because I'm not positive they're malicious.
I tried the suggestion in the other thread for the desktop icons, but it doesn't seem to have had any effect. Right-click still won't work. I'm going to try downloading some of the fixes mentioned earlier in this thread when the internet was down and see what happens. If you have any suggestions in the meantime, I'd appreciate it. I should have a new HJT log up in minutes. Thank you!
Try getting rid of these. Make sure you do it in Safe Mode and after you turn System Restore off. Once you've removed them with HijackThis, search the hard drive for any files referenced by the items (msupdate32.dll, etc.) and delete them if found.
Reboot, then turn System Restore back on.
This one is a known Trojan masquerading as a Windows System File.
I have never turned off System Restore before. Do I need to make any backups first (registry, etc.) or would that defeat the purpose? Just concerned about doing something irreversible. This computer has four years of business records on it that were never backed up (the only way I can back it up at present is on a large number of 3 1/2" floppies).
Party Poker was downloaded legitimately, according to my boss. The HJT entries associated with it are probably left over from earlier when I got suspicious and deleted the program. Should I still fix those entries?
My father recommends that I run Windows Update and get Service Pack 2 before I do anything else. All my problems seem to get worse every time I connect to the internet for any length of time, so I am wary of trying this. What do you think?
At least I have a normal desktop now, albeit under a different user--thanks for the great advice.
I have never turned off System Restore before. Do I need to make any backups first (registry, etc.) or would that defeat the purpose? Just concerned about doing something irreversible. This computer has four years of business records on it that were never backed up (the only way I can back it up at present is on a large number of 3 1/2" floppies).
Don't turn System Restore off before fixing. If something goes wrong then there will be no restore point.
Party Poker was downloaded legitimately, according to my boss. The HJT entries associated with it are probably left over from earlier when I got suspicious and deleted the program. Should I still fix those entries?
Looks like leftovers of PartyPoker. I suggest fixing those entries and redownloading PartyPoker if your boss wants it back.
My father recommends that I run Windows Update and get Service Pack 2 before I do anything else. All my problems seem to get worse every time I connect to the internet for any length of time, so I am wary of trying this. What do you think?
Never install SP2 on an infected computer as this will cause you more problems.
At least I have a normal desktop now, albeit under a different user--thanks for the great advice.
Great, a desktop. Hopefully, we can get this cleaned up.
How do I end those processes?
Do the following:
Run HiJackThis then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
FIND THE FILES ABOVE
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
--
Can you post a new HJT log? Hopefully, with a working desktop, we can get this sorted.
Just switched to the other account. It's still running slowly, and I still can't right-click. Here's the HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 3:49:33 PM, on 2/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
None of those things turned up in safe mode, but I was logged on as "Administrator" instead of "Owner" (the user with all the problems). Logging on as "Owner" is not an option in safe mode. Should I try it in normal mode?
The only thing I found were those two HJT entries. I fixed them, and now the computer is running at a normal speed again!
I am doing a search for any files with ufio in the name. Several were found in the recycle bin, and about 50 more were found in a file called C:\RECYCLER - I'm assuming that's the recycle bin?
No files found containing the word "fonaac" in the filename. I'm running ewido. Why does Short-Media log me off every few minutes? Is there some setting I need to change?
The only thing I found were those two HJT entries. I fixed them, and now the computer is running at a normal speed again!
Excellent
I am doing a search for any files with ufio in the name. Several were found in the recycle bin, and about 50 more were found in a file called C:\RECYCLER - I'm assuming that's the recycle bin?
I'm not too sure what that is but don't delete anything in there just yet. I hope prof knows and can answer when he reads this.
Why does Short-Media log me off every few minutes? Is there some setting I need to change?
This is it:
ewido anti-malware - Scan report
+ Created on: 5:42:40 PM, 2/8/2006
+ Report-Checksum: DF316348
+ Scan result:
:mozilla.9:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
::Report End
The desktop still isn't allowing me to right-click. Internet isn't up, but that is most likely because of a security block from the network (I took the laptop home for the day. Ewido was last updated last night). I have a lesson to teach right now, but I'll be back this evening to fix the internet connection and see what else needs to be done.
Why does Short-Media log me off every few minutes? Is there some setting I need to change?
The problem must be with your Internet connection. There have been times when I've forgotten to close my browser before going to bed. The connection was still active the next morning. See if the problem persists now that your system seems to be back to normal.
Is the right-clicking issue only on the old account? If so, it would be best to save and move everything to the new account like prof mentioned in the other thread.
Ewido is coming up clean now - that's good news.
The HJT log is clean. All infections, including Look2Me, have been removed.
The internet problem is actually with another computer--or rather, every computer I have used to access Short Media. I have to log back on after every few minutes of inactivity.
The only problem I know of with the freshly-cleaned laptop besides the vanished desktop icons is that it is still taking its time loading things up for some reason. It's not as slow as it was before, but I don't know why it thinks so hard during bootup and opening and closing new windows. I haven't had the internet connected to it for two days now (the logs I posted were all copied via floppy to my laptop first). The wifi card is not picking up the connection at my house, and when I tried to plug the cable in it didn't automatically detect it. I tried to go through the New Connection Wizard, but it just confused me. So I'm not positive the popup problem is fixed. I'll let you know as soon as I get a connection.
Please tell me how to switch all the old data and programs over to a new user. Trogan_1000 and profdlp, thank you very much for all your patience and assistance so far! I hope this is the last there is to do.
Manually copy the contents of the My Documents folder to My Documents under the new user. If you have trouble accessing the files there is a tool you can use called Takeown to work around that.
It would help if we knew exactly what data, etc., you need to have moved. Provide a list (in general terms) of what all you'd like to have set up under the new user. A rough idea of what the computer is used for would be helpful, too.
I'm back after a 2-day break from working on this. Most of the files that need to be copied are Word, PDF, and Excel files used for keeping business records and writing up flyers, newsletters, personal correspondence etc. for a marketing firm. There is very little besides that.
The system is running incredibly slowly. It takes forever to respond to a simple click on an icon. How can I figure out what is taking it so long?
An easier way to view and copy the running processes is to:
Open HJT
Click on Open the Misc Tools section button
Under System Tools, click Open process manager
Press the clipboard icon, next to the disk icon - upper right. That will copy the processes
Press Ctrl+V here to paste the running processes
=====
Can you do this, please?
Go here, download and then run Silent Runners.vbs. It generates a log; please post the information back in this thread.
If you have a script blocking program, please allow the file to run. It is not malicious.
Since we're pretty sure at this point that there is nothing rotten going on with the computer, the next step is to see exactly which programs are using up the resources and making the machine seem sluggish.
Logfile of HijackThis v1.99.1
Scan saved at 8:23:04 PM, on 2/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware2\ewidoctrl.exe
C:\Program Files\ewido anti-malware2\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 03] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 03] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd5.exe
O4 - HKLM\..\Run: [0wso0x0s.dll] RUNDLL32.EXE 0wso0x0s.dll,b 376545633
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ufio] C:\PROGRA~1\COMMON~1\ufio\ufiom.exe
O4 - HKCU\..\Run: [fonaac] C:\WINDOWS\System32\fonaac.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139098310532
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\n0l80a3ued.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware2\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware2\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
First
Remove webHancer from Add/Remove programs if listed.
Second
Can you end these processes before fixing? If you need help on how to end them, just give us a shout.
C:\windows\winsysupd5.exe
C:\WINDOWS\System32\fonaac.exe
C:\Program Files\webHancer\Programs\whsurvey.exe
C:\PROGRA~1\COMMON~1\ufio\ufiom.exe
Third
This tool should remove msupdate32.dll
Download win32delfkil.exe.
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.
Post the contents of the log file c:\windelf.txt.
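The triage the helpers do by eye in this thread (autostart targets marked "(file missing)", a RUNDLL32 entry loading a DLL with no path, a program running straight from the Windows root, a service with "Unknown owner", and the ufio/fonaac/msupdate32/winsysupd5 names) can be written down as rules and run over a log. The Python script below is an added example; it is not code from this thread, from HijackThis or from win32delfkil. The watch list, the regular expressions and the file-name heuristic are my own choices, and the sample lines are a constructed excerpt copied from the logs posted above.

```python
"""Triage helper for HijackThis (HJT) v1.99 log lines.

Encodes, as rules, the things the helpers in this thread spotted by eye:
autostart entries whose target no longer exists, programs launched from the
Windows root or through RUNDLL32 with a bare DLL name, file names that look
machine-generated, services with no publisher, and names on a watch list.
It ranks lines for a human reader; it does not decide anything on its own.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd5.exe
O4 - HKLM\..\Run: [0wso0x0s.dll] RUNDLL32.EXE 0wso0x0s.dll,b 376545633
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ufio] C:\PROGRA~1\COMMON~1\ufio\ufiom.exe
O4 - HKCU\..\Run: [fonaac] C:\WINDOWS\System32\fonaac.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\n0l80a3ued.dll (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
"""

# File stems (name without extension) the helpers in this thread told the
# poster to kill or delete; this is the thread's list, not a vendor feed.
WATCHLIST = {"ufiom", "fonaac", "msupdate32", "winsysupd5"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",\s]+)', re.I)
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|com|bat|pif))(?:\s|$)", re.I)
WINDOWS_ROOT_RE = re.compile(r"^c:\\windows\\[^\\]+$", re.I)
# two runs of letters+digits followed by a letter, e.g. 0wso0x0s, n0l80a3ued
MACHINE_NAME_RE = re.compile(r"(?:[a-z]+\d+){2}[a-z]")


@dataclass
class Finding:
    section: str
    entry: str
    reasons: list = field(default_factory=list)


def _target_of(section: str, body: str) -> str:
    """Return the command or path part of an entry body."""
    if section == "O4":
        if " = " in body:                              # Global Startup: x.lnk = path
            return body.split(" = ", 1)[1].strip()
        m = re.match(r".*?\[[^\]]*\]\s*(.*)$", body)    # HKLM\..\Run: [name] cmd
        return m.group(1).strip() if m else body.strip()
    if section in ("O20", "O23"):                      # last ' - ' field is the path
        return body.rsplit(" - ", 1)[-1].strip()
    return body.strip()


def _launched_file(section: str, target: str):
    """Return (path, via_rundll32) for the file an entry actually loads."""
    target = target.replace("(file missing)", "").strip()
    if section != "O4":
        return target, False                           # O20/O23 carry a bare path
    m = RUNDLL_RE.match(target)
    if m:
        return m.group(1), True
    if target.startswith('"'):
        return target[1:].split('"', 1)[0], False
    m = EXE_RE.match(target)                           # unquoted path, maybe with args
    return (m.group(1) if m else target.split(" ", 1)[0]), False


def assess(line: str):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    path, via_rundll = _launched_file(section, _target_of(section, body))
    stem = path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    reasons = []
    if "(file missing)" in body:
        reasons.append("target file is gone: leftover of a removed or half-removed item")
    if via_rundll:
        reasons.append("RUNDLL32 loads a DLL given without any path")
    if WINDOWS_ROOT_RE.match(path):
        reasons.append("runs from the Windows root instead of a program folder")
    if MACHINE_NAME_RE.search(stem):
        reasons.append("file name looks machine-generated")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service has no registered publisher")
    if stem in WATCHLIST:
        reasons.append("name is on the watch list built from this thread")
    return Finding(section, line.strip(), reasons) if reasons else None


def triage(log_text: str):
    """Run assess() over every line and keep only entries with reasons."""
    return [f for f in map(assess, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.entry)
        for reason in finding.reasons:
            print("   -", reason)
```

Run as-is it prints the seven sample lines that deserve a look, each with its reasons, and stays silent on QuickTime, AVG, the Intel igfxcui notify DLL and the Yahoo service. The heuristics only rank: a "(file missing)" entry can be harmless residue such as the PartyPoker buttons in this thread, and a product name with a model number can trip the machine-generated-name rule, so the reasons are there for a person to weigh, exactly as the helpers did.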
************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie
BEFORE RUNNING WIN32DELFKIL
***************************
File(s) found in Windows directory
File(s) found in system32 folder
SharedTaskScheduler key
SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{4F141CBA-1457-6CCA-03A7-7AA21B61EA0F} REG_SZ OutPost FireWall
Notify key
AFTER RUNNING WIN32DELFKIL
**************************
File(s) found in Windows directory
File(s) found in system32 folder
SharedTaskScheduler key
SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{4F141CBA-1457-6CCA-03A7-7AA21B61EA0F} REG_SZ OutPost FireWall
Notify key
Looks awfully clean.
I fixed all the HJT entries mentioned above except the ufio and fonaac ones, which did not appear after the last scan. I did a search while I was in safe mode and found no files with msupdate32 in the name. The only place it appeared at all was in scan reports, one registration entry and twice in C:\WINDOWS\PCHEALTH\HELPCTR\DataColl.
Here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 3:12:58 PM, on 2/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware2\ewidoctrl.exe
C:\Program Files\ewido anti-malware2\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 03] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 03] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139098310532
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware2\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware2\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
That log is clean now. Could you post a HJT log from the other account please? I feel there might be a difference in HJT logs between the two accounts.
How is the laptop so far?
Logfile of HijackThis v1.99.1
Scan saved at 3:49:33 PM, on 2/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware2\ewidoctrl.exe
C:\Program Files\ewido anti-malware2\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 03] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 03] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ufio] C:\PROGRA~1\COMMON~1\ufio\ufiom.exe
O4 - HKCU\..\Run: [fonaac] C:\WINDOWS\System32\fonaac.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139098310532
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware2\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware2\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
I suppose I need to fix the O4 ufio and fonaac entries. Anything else? Shall I reboot in safe mode first?
You see those files are showing in this account.
Can you do the following:
Update Ewido so it has the latest files.
You may want to print these instructions or save them as you'll have no internet connection once in Safe Mode
View hidden files and folders – explained here
Go into Safe Mode - explained here
=====
Once in Safe Mode, do the following:
Run HiJackThis then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINDOWS\System32\fonaac.exe
C:\PROGRA~1\COMMON~1\ufio\ufiom.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain
=====
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
O4 - HKCU\..\Run: [ufio] C:\PROGRA~1\COMMON~1\ufio\ufiom.exe
O4 - HKCU\..\Run: [fonaac] C:\WINDOWS\System32\fonaac.exe
- Close ALL open windows
Click Fix Checked
=====
Find and Delete the following, if found:
C:\PROGRA~1\COMMON~1\ufio\ufiom.exe << this file
C:\WINDOWS\System32\fonaac.exe << this file
=====
Still in Safe Mode: scan with Ewido and save a log.
Reboot back into Normal Mode and post a new HJT log along with the Ewido Log
I am doing a search for any files with ufio in the name. Several were found in the recycle bin, and about 50 more were found in a file called C:\RECYCLER - I'm assuming that's the recycle bin?
Post the Ewido log when the scan is complete.
What's left now?
ewido anti-malware - Scan report
+ Created on: 5:42:40 PM, 2/8/2006
+ Report-Checksum: DF316348
+ Scan result:
:mozilla.9:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
::Report End
The desktop still isn't allowing me to right-click. Internet isn't up, but that is most likely because of a security block from the network (I took the laptop home for the day. Ewido was last updated last night). I have a lesson to teach right now, but I'll be back this evening to fix the internet connection and see what else needs to be done.
Thanks again! Things are looking much better.
The problem must be with your Internet connection. There have been times when I've forgotten to close my browser before going to bed. The connection was still active the next morning. See if the problem persists now that your system seems to be back to normal.
EDIT: I see that you've tracked the problem down.
Ewido is coming up clean now - that's good news.
The HJT log is clean. All infections, including Look2Me have been removed
Thank you for your help prof, it's appreciated
The only problem I know of with the freshly-cleaned laptop besides the vanished desktop icons is that it is still taking its time loading things up for some reason. It's not as slow as it was before, but I don't know why it thinks so hard during bootup and opening and closing new windows. I haven't had the internet connected to it for two days now (the logs I posted were all copied via floppy to my laptop first). The wifi card is not picking up the connection at my house, and when I tried to plug the cable in it didn't automatically detect it. I tried to go through the New Connection Wizard, but it just confused me. So I'm not positive the popup problem is fixed. I'll let you know as soon as I get a connection.
Please tell me how to switch all the old data and programs over to a new user. Trogan_1000 and profdlp, thank you very much for all your patience and assistance so far! I hope this is the last there is to do.
It would help if we knew exactly what data, etc, you needed moved. Provide a list (in general terms) of what all you'd like to have set up under the new user. A rough idea of what the computer is used for would be helpful, too.
The system is running incredibly slowly. It takes forever to respond to a simple click on an icon. How can I figure out what is taking it so long?
- Open HJT
- Click on Open the Misc Tools section button
- Under System Tools, click Open process manager
- Press the clipboard icon, next to the disk icon - upper right. That will copy the processes
- Press Ctrl+V here to paste the running processes
=====
Can you do this, please.
Go here and download then run Silent Runners.vbs. It generates a log, please post the information back in this thread.
If you have a script blocking program, please allow the file to run. It is not malicious.
Since we're pretty sure at this point that there is nothing rotten going on with the computer, the next step is to see exactly which programs are using up the resources and making the machine seem sluggish.