Virus, adware, now no internet connection, please help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by SHAGGYSGIRL, Jul 12, 2004.

  1. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    My mother-in-law is experiencing problems with her computer. I have loaded and run Spybot 1.3, and Norton has removed a trojan virus. Please help, as I do not know what I can safely remove from HijackThis and do not know how to get the internet connection back. She has a high speed cable connection.

    Logfile of HijackThis v1.97.7
    Scan saved at 6:46:18 PM, on 7/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\documents and settings\owner\local settings\temp\Vslm.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\dpcproxy.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\windows\redirect7.exe
    C:\WINDOWS\System32\ddrtmib1.exe
    C:\WINDOWS\System32\oibsmo.exe
    C:\WINDOWS\System32\automove.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\WINDOWS\System32\lcodccmp.exe
    C:\WINDOWS\System32\delac12n.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\Hi jack This\HijackThis.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homepage-network.com/start.cgi?new-hkcu
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
    O2 - BHO: (no name) - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {38F575DE-7DFF-02AE-3CD6-FA62B92FA65B} - C:\WINDOWS\System32\iacedcfz.dll
    O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll (file missing)
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Vslm] C:\documents and settings\owner\local settings\temp\Vslm.exe
    O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\VchsYQop.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [dpcproxy] C:\WINDOWS\System32\dpcproxy.exe
    O4 - HKLM\..\Run: [wfklgl] C:\WINDOWS\wfklgl.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [redirect] C:\windows\redirect7.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [vsrk3nW] ddrtmib1.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [sqjdky] C:\WINDOWS\System32\oibsmo.exe
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
    O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [srdpau] C:\WINDOWS\System32\srdpau.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [ey01k] C:\WINDOWS\System32\ey01k.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [xidngwp] C:\WINDOWS\System32\oibsmo.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [lcodccmp] C:\WINDOWS\System32\lcodccmp.exe
    O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [eB0qRha6i] delac12n.exe
    O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24c6229d7816f7b91a19/netzip/RdxIE601.cab
    O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} (SpeedCtrl Class) - http://www.atelys.com/src/Speedup.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Thanks for your help!

    Gayla
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hi Gayla! Welcome to MGs.

    You need to run a few things (do not run scans until I tell you to)
    1) download Ad-aware from: http://www.majorgeeks.com/download506.html
    2) after installing click the Check for Updates now Button
    3) Download and install the VX2 Cleaner Plugin for Ad-aware. Get it using the link below and follow the directions at the link to install it. http://www.majorgeeks.com/download4283.html
    4) run these two online scans:
    - http://housecall.trendmicro.com/housecall/start_corp.asp select Auto Clean
    - http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    5) run this peper trojan cleaner: http://www.memorywatcher.com/uninst.exe
    6) reboot your PC now
    7) setup Ad-aware to do a fullscan. Here is how to do that:
    http://www.lavahelp.com/howto/fullscan/index.html
    8) run the fullscan with Ad-aware
    9) download the current version of HijackThis from here: http://www.majorgeeks.com/download3155.html
    10) post a new HijackThis log
     
  3. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    I cannot connect this computer to the internet so I cannot do the online scans unless adaware cleans up my problem. Will start there. I am having to download programs from my computer, then save to CD and load onto this computer. Will see what I can get done from your suggestions.

    Thanks, Gayla
     
  4. krazykrl

    krazykrl Sergeant Major

    Since you can't do the on-line scans, do this.....

    Get Adaware, CW Shredder, Spybot S&D 1.3 (if you don't have 1.3 already) and Hijack This!. Put them on a CD if you can from another system.

    Boot your mother-in-law's system into Safe Mode with Networking (press F8 at startup before Windows comes up).

    Once in Safe Mode, install and/or update Spybot. Run and fix problems.

    Install and update Ad-aware, run, fix problems.

    Install and run CW Shredder.

    Then, after that, boot normally and see how things are. If Internet Explorer is not playing well, run Hijack This! If you can, post the log here. ;)
     
  5. Kodo

    Kodo SNATCHSQUATCH

    If you can get THIS onto a floppy and run it on that PC, it should fix the problem of not getting onto the internet.

    Unzip it and run the exe.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you do make a CD, put this on it too:
    run this peper trojan cleaner: http://www.memorywatcher.com/uninst.exe
    You need to run it.

    Also, add the latest HijackThis (as I said below) to the CD.

    There are a load of other problems I see in your log too. But let's get the initial scans run first.
     
  7. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    Chaslang,

    Let me tell you where I currently am with this situation. I downloaded everything in your 10 item list that there was. I was unable to do the online scans so skipped that. I had adaware running but had to leave and will go back and check it when I get off of work. So in essence, I am on #9.

    Norton DID run last night and found 13 adaware items. Sorry, did not get your message until this morning. I will make sure it is disabled from now on.

    Is there anything else you would like me to do prior to going to #10, posting the next log? I see that there are a couple of other responses from people but don't know if you think I should try them. Should I try loading the WinsockXPfix.exe that is suggested by Kodo? Should I try rebooting in safe mode with network connection and try to do an online scan? If so, the scan would be out of the order sequence you requested. Please advise me; I will be going back and checking the computer in about 2 hours.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, run the WinsockXPfix.exe that Kodo suggested. It may fix what is preventing you from accessing the Internet.

    Did you get this file on your CD: http://www.memorywatcher.com/uninst.exe
    You need to run that.
    I'm not sure the online scans will run in safe mode (never tried it). The message from krazykrl was really referring to running Ad-aware and SpyBot in safe mode. Sometimes they can have problems fixing certain items when run in normal mode. Booting in safe mode will often get around that problem.

    After that post a new HijackThis log. Let us know where everything stands.
     
  9. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    Thanks.

    Yes, I did get memory watcher run, but it did not show anything so I just closed it. I was able to pull the adaware update off of download.com and update it; it looked as if the reference file changed. I will run the winsock fix and see if the online scan will run in safe mode. I did not know about the safe mode with network option; I'm not really familiar with XP. Will then post the log and let you know what I did get completed.

    I greatly appreciate your help! I am trying not to have to reformat; I hate reloading everything.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download items from MG's not download.com. Almost everything you need is here!
     
  11. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    Okay, I loaded the winsock and it did not work. I also tried accessing the internet through safe mode and it still would not connect. Adaware detected 322 items of which I check marked all and hit next. Here is my new log. I did uncheck a few items in the msconfig that I knew we did not need like webrebates and a few others. I will not do anything until further instructed.

    Logfile of HijackThis v1.98.0
    Scan saved at 6:10:18 PM, on 7/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\documents and settings\owner\local settings\temp\Vslm.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\System32\oibsmo.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\lcodccmp.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Hi jack This\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homepage-network.com/start.cgi?new-hkcu
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: iacedcfz - {38F575DE-7DFF-02AE-3CD6-FA62B92FA65B} - C:\WINDOWS\System32\iacedcfz.dll
    O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Vslm] C:\documents and settings\owner\local settings\temp\Vslm.exe
    O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\VchsYQop.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [wfklgl] C:\WINDOWS\wfklgl.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [vsrk3nW] ddrtmib1.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [sqjdky] C:\WINDOWS\System32\oibsmo.exe
    O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
    O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [srdpau] C:\WINDOWS\System32\srdpau.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [ey01k] C:\WINDOWS\System32\ey01k.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [xidngwp] C:\WINDOWS\System32\oibsmo.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [lcodccmp] C:\WINDOWS\System32\lcodccmp.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24c6229d7816f7b91a19/netzip/RdxIE601.cab
    O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

    Thanks.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure if you ran these or not yet. Please run these:

    CWShredder: http://www.majorgeeks.com/download4086.html
    CoolWWWSearch.SmartKiller: http://www.majorgeeks.com/download4113.html


    Also, you need to let the peper trojan cleaner run. It should finish and close up on its own. If it does not, that is typically because some other bad items are causing problems. I see a bunch of lines in your log that appear to be peper trojan problems. Please try this again and wait longer (not sure how long it should take since I never had an infection, but if I run it on an uninfected PC it was done in a minute.)

    peper trojan uninstall: http://www.memorywatcher.com/uninst.exe


    Now Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u C:\WINDOWS\VoiceIP.dll then click OK.
    If a dialog box confirming this action appears, click OK.



    Then shut down Internet Explorer and have HijackThis fix (if still there):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homepage-network.com/start.cgi?new-hkcu
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
    O2 - BHO: iacedcfz - {38F575DE-7DFF-02AE-3CD6-FA62B92FA65B} - C:\WINDOWS\System32\iacedcfz.dll
    O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll (file missing)
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll (file missing)
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

    O4 - HKLM\..\Run: [Vslm] C:\documents and settings\owner\local settings\temp\Vslm.exe
    O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\VchsYQop.exe
    O4 - HKLM\..\Run: [wfklgl] C:\WINDOWS\wfklgl.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [vsrk3nW] ddrtmib1.exe
    O4 - HKLM\..\Run: [sqjdky] C:\WINDOWS\System32\oibsmo.exe
    O4 - HKLM\..\Run: [easywww] C:\windows\easywww2.exe
    O4 - HKLM\..\Run: [srdpau] C:\WINDOWS\System32\srdpau.exe
    O4 - HKLM\..\Run: [ey01k] C:\WINDOWS\System32\ey01k.exe
    O4 - HKLM\..\Run: [xidngwp] C:\WINDOWS\System32\oibsmo.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [lcodccmp] C:\WINDOWS\System32\lcodccmp.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24c6229...ip/RdxIE601.cab



    Reboot in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)

    Bring up task manager (using ctrl-alt-del) click the processes tab. See if you can locate any of the below processes, if so kill them.

    VchsYQop.exe
    wfklgl.exe
    IEHost.exe
    id53.exe
    oibsmo.exe
    ddrtmib1.exe
    easywww2.exe
    ey01k.exe
    Sync.exe
    stcloader.exe
    lcodccmp.exe


    Now Show Hidden Files/Folders (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) and delete if found,

    C:\WINDOWS\VoiceIP.dll
    C:\WINDOWS\System32\iacedcfz.dll
    C:\WINDOWS\SYSTEM\blank.htm
    C:\WINDOWS\System32\VchsYQop.exe
    C:\WINDOWS\wfklgl.exe
    C:\WINDOWS\System32\IEHost.exe
    c:\installer\id53.exe
    C:\WINDOWS\System32\oibsmo.exe
    C:\ddrtmib1.exe
    C:\WINDOWS\ddrtmib1.exe
    C:\windows\easywww2.exe
    C:\WINDOWS\System32\ey01k.exe
    C:\PROGRA~1\CLOCKS~1 <---- delete whole directory
    C:\WINDOWS\System32\stcloader.exe
    C:\WINDOWS\System32\lcodccmp.exe

    Reboot in normal mode and let's see how things are working. Post new HijackThis log too.
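    As an added illustration of the triage done by hand in this thread (this script is not part of the thread and is not HijackThis's own logic), the Python below parses the R0/R1/R3/O2/O3/O4/O16 lines of a HijackThis log and flags the same kinds of entries listed above for fixing: start/search pages pointing at a local file, a blank value or an unexpected host; hooks and BHOs with no file behind them; Run entries loaded from a temp directory or by bare filename; and ActiveX downloads from hosts outside a small allowlist. The allowlist, the bare-name exemption and the sample selection are assumptions of the example.

```python
# Constructed example: the log lines in SAMPLE_LOG are copied from the logs
# posted in this thread (HijackThis v1.98.0 format); the selection, the host
# allowlist and the heuristics are mine, not HijackThis's own analysis.
import re
from collections import namedtuple
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Vslm] C:\documents and settings\owner\local settings\temp\Vslm.exe
O4 - HKLM\..\Run: [vsrk3nW] ddrtmib1.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} (SpeedCtrl Class) - http://www.atelys.com/src/Speedup.ocx
"""

# Hosts a stock IE install of this era could legitimately point at (assumed).
EXPECTED_HOSTS = {"www.msn.com", "www.microsoft.com",
                  "download.microsoft.com", "download.macromedia.com"}
BARE_NAME_OK = {"rundll32.exe"}  # Windows component normally run by bare name
ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
Finding = namedtuple("Finding", "section reason line")

def _host(url):
    return (urlparse(url).hostname or "").lower()

def check_browser_setting(body):
    """R0/R1: IE start page, search bar and search assistant values."""
    value = body.partition("=")[2].strip()
    if not value:
        return ["blank IE search setting (listed for fixing in this thread)"]
    if value.lower().startswith("file://"):
        return ["IE start/search page points at a local file"]
    host = _host(value)
    if host not in EXPECTED_HOSTS:
        return [f"IE start/search page points at unexpected host {host}"]
    return []

def check_com_hook(body):
    """R3 URLSearchHook, O2 BHO, O3 toolbar: COM objects IE loads at start."""
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("hook registered for a missing file (orphaned entry)")
    if "(no name)" in body:  # review item only: Spybot's SDHelper.dll is unnamed too
        reasons.append("unnamed browser hook; verify the DLL it loads")
    return reasons

def check_autostart(body):
    """O4: Run keys and Startup folder entries."""
    m = RUN_RE.match(body)
    if m:
        cmd = m.group("cmd").strip()
    elif "Startup:" in body:
        cmd = body.partition(" = ")[2].strip()
    else:
        return []
    # First token of the command line, honouring a quoted path.
    tok = re.match(r'"([^"]*)"|(\S*)', cmd)
    exe = (tok.group(1) or tok.group(2) or "").lower()
    reasons = []
    if "\\temp\\" in cmd.lower() or "\\local settings\\" in cmd.lower():
        reasons.append("autostart runs from a user temp directory")
    if exe and "\\" not in exe and exe not in BARE_NAME_OK:
        reasons.append("autostart given by bare filename; real location unknown")
    return reasons

def check_activex(body):
    """O16 DPF: ActiveX control IE was told to download (CAB/OCX URL)."""
    host = _host(body.rsplit(" - ", 1)[-1].strip())
    if host and host not in EXPECTED_HOSTS:
        return [f"ActiveX control downloaded from unexpected host {host}"]
    return []

CHECKS = {"R0": check_browser_setting, "R1": check_browser_setting,
          "R3": check_com_hook, "O2": check_com_hook, "O3": check_com_hook,
          "O4": check_autostart, "O16": check_activex}

def triage(log_text):
    """One Finding per (entry, reason); header and process list are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        for reason in CHECKS.get(m.group("section"), lambda b: [])(m.group("body")):
            findings.append(Finding(m.group("section"), reason, line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
```

    Every flag is a review item, not a verdict: the allowlisted hosts and the single bare-name exemption are deliberately small so that anything unfamiliar is surfaced for a human to check against the full log.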
     
  13. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    I ran all of the programs that you listed, hope they did what they were supposed to do. CoolWWWSearch.SmartKiller did not really seem to do anything. I did get the peper trojan to run correctly this time, it closed on its own.

    I could not delete C:\WINDOWS\System32\iacedcfz.dll. It said it could not delete because it was being used.

    Still cannot get on the internet. We were having some bad weather at the same time that the virus and adware hit this computer. I do NOT think the cable modem got damaged; it is showing all the lights but the data light. I did get the light to flicker a couple of times like it was going to try to connect, but that was prior to my initial post. So I really think something is blocking my connection, I just don't know what.

    Here is my new log.

    Logfile of HijackThis v1.98.0
    Scan saved at 12:01:30 PM, on 7/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Hi jack This\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: iacedcfz - {38F575DE-7DFF-02AE-3CD6-FA62B92FA65B} - C:\WINDOWS\System32\iacedcfz.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

    Thanks
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u C:\WINDOWS\System32\iacedcfz.dll then click OK.
    If a dialog box confirming this action appears, click OK.

    Now try to delete it (may have to reboot to safe mode again).

    Your log looks okay other than these. Fix them too:
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: iacedcfz - {38F575DE-7DFF-02AE-3CD6-FA62B92FA65B} - C:\WINDOWS\System32\iacedcfz.dll


    Perhaps you need to look at your manual for your cable modem to make sure it is really working properly. Do you have a router behind your cable modem or is it a direct connect to your PC?
     
  15. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    There is a router connection but I will disconnect as there is only one computer connected now. I will set up direct connection to the modem and start seeing what we can do. I know however that I need to make sure the computer is clean of viruses, etc before trying to get help from the cable supplier. What do you think though? Does it look to you that it is maybe being blocked by some spyware, adware or virus?

    Will try deleting this file again regsvr32 /u C:\WINDOWS\System32\iacedcfz.dll in a couple of hours when I get off of work. Do you want a new log if I get it deleted or are you working on the last one I sent?

    Gayla
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't need to remove the router. I just want to see what your configuration was. The problem could be anywhere in your network. Make sure all your provisioning is still okay. Are you using DHCP? Make sure you get an IP Address assigned. Can you ping the router and the cable modem? I don't know if any of this means anything to you or not. If not, we will have to go slower. But the general idea is to make sure your Cable Modem, Router, and PC are all setup correctly. And they are physically operating correctly.
     
  17. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    More explanation would be appreciated. I have only done pings in the past under instruction. One question I have is in the internet properties under connections, lan settings, there is a check mark in the "use a proxy server" box. I am looking at my computer at work as we use the same cable company and mine is not checked. I also pulled out some specific DNS server addresses that I was going to try. I was also thinking about trying to ping someone but have not tried yet, will try that. Will check out the setting some more to see if something has changed that has totally knocked us off.

    Will let you know.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    At work I would expect a proxy server. At home I would not. So you most likely will not have the option checked at home.

    When you get home, open up a command prompt. You do this by clicking Start, All Programs, Accessories and then select Command Prompt (I put a shortcut to this on my desktop). At the command prompt enter the following command:
    ipconfig /all

    That should give you info similar to below:
    C:\Documents and Settings\username> ipconfig /all
    Windows IP Configuration
    Host Name . . . . . . . . . . . . : PCName
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
    Physical Address. . . . . . . . . : your MAC address
    Dhcp Enabled. . . . . . . . . . . : Yes
    IP Address. . . . . . . . . . . . : Your assigned IP address (like 192.168.1.100)
    Subnet Mask . . . . . . . . . . . : Your subnet (like 255.255.255.0)
    Default Gateway . . . . . . . . . : Your Gateway IP addr (like 192.168.1.1)
    DNS Servers . . . . . . . . . . . : Your DNS Servers IP Addresses (like 167.206.3.156)
    and for a secondary 167.206.112.138)

    These are not necessarily what you will see. They are just examples.
    See if you can ping your DNS server from the command prompt. That would be a start. Also ping your default gateway.

    Examples: ping 167.206.3.156
    ping 192.168.1.1
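    The check chaslang describes (read ipconfig /all, confirm an IP address, gateway and DNS servers were handed out, then ping gateway and DNS) as an added, runnable example. This is not from the thread; it is a small Python parser for the ipconfig /all layout shown above. The two sample outputs are constructed (private and documentation addresses, made-up MAC) and the second one mirrors the "no gateway, no DNS" result Gayla reports further down.

```python
"""Parse `ipconfig /all` output and say whether an adapter is actually provisioned.

Added example, not from the thread. SAMPLE_OK and SAMPLE_BROKEN are constructed
to match the layout chaslang shows; addresses are private/documentation ranges.
"""
import re
from typing import Dict, List

# Constructed: a healthy DHCP adapter with two DNS servers (the second one on a
# continuation line, which is exactly how ipconfig prints it).
SAMPLE_OK = """\
Windows IP Configuration
        Host Name . . . . . . . . . . . . : PCName
        Node Type . . . . . . . . . . . . : Hybrid
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.0.2.10
                                            192.0.2.11
"""

# Constructed: DHCP is on but nothing was handed out, so Windows fell back to a
# 169.254.x.x (APIPA) address and there is no gateway and no DNS server.
SAMPLE_BROKEN = """\
Windows IP Configuration
        Host Name . . . . . . . . . . . . : PCName
Ethernet adapter Local Area Connection:
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 169.254.33.7
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :
"""

ADAPTER_RE = re.compile(r"^(?P<name>\S.*adapter .*):\s*$")
# Field name, then the run of " . . ." padding, then ":" and the value.
FIELD_RE = re.compile(r"^\s+(?P<name>[A-Za-z][A-Za-z0-9 /()-]*?)[ .]*:\s*(?P<value>.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {section: {field: [values]}}; values is a list because DNS/WINS fields repeat."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = "Windows IP Configuration"
    sections[current] = {}
    last_field = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ADAPTER_RE.match(raw)
        if m:                                  # "Ethernet adapter Local Area Connection:"
            current = m.group("name")
            sections[current] = {}
            last_field = None
            continue
        if not raw[0].isspace():               # other top-level header
            current = raw.strip().rstrip(":")
            sections.setdefault(current, {})
            last_field = None
            continue
        m = FIELD_RE.match(raw)
        if m:
            last_field = m.group("name").strip()
            value = m.group("value").strip()
            sections[current][last_field] = [value] if value else []
        elif last_field is not None:           # indented line with no name: extra server
            sections[current][last_field].append(raw.strip())
    return sections


def check_adapter(fields: Dict[str, List[str]]) -> List[str]:
    """Findings for one adapter; an empty list means it looks provisioned."""
    findings: List[str] = []
    ip = fields.get("IP Address", [])
    if not ip:
        findings.append("no IP address")
    elif ip[0].startswith("169.254."):
        findings.append(f"APIPA address {ip[0]}: DHCP handed out nothing")
    if not fields.get("Default Gateway"):
        findings.append("no default gateway")
    if not fields.get("DNS Servers"):
        findings.append("no DNS servers")
    return findings


def ping_targets(fields: Dict[str, List[str]]) -> List[str]:
    """Addresses to ping, gateway first and then each DNS server, as chaslang suggests."""
    return fields.get("Default Gateway", []) + fields.get("DNS Servers", [])


def audit(text: str) -> Dict[str, List[str]]:
    """Findings per adapter section; the global 'Windows IP Configuration' block is skipped."""
    return {name: check_adapter(f) for name, f in parse_ipconfig(text).items() if "adapter" in name}


if __name__ == "__main__":
    for label, sample in (("OK", SAMPLE_OK), ("BROKEN", SAMPLE_BROKEN)):
        for adapter, findings in audit(sample).items():
            print(label, adapter, "->", findings or "looks provisioned")
            print("  ping:", ping_targets(parse_ipconfig(sample)[adapter]))
```

On a real machine, save `ipconfig /all > ipconfig.txt` and feed the file contents to `audit()`. An APIPA address with no gateway means the PC never got a DHCP lease, which points at the modem, router or (as it turned out here) the provider side rather than at the PC's own settings.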
     
  19. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    I did the ipconfig/all to see that there was no gateway server or DNS server. I called the cable provider to find out that the account had been suspended due to spyware containing viruses in her email. I got the account reactivated and as soon as I made connection to the internet, norton found a backdoor virus. I have now downloaded stinger and have it running and set norton to do a full system scan later tonight.

    FYI, the C:\WINDOWS\System32\iacedcfz.dll was listed to contain the backdoor virus. I still have not found a way to delete it or what program is running it but hopefully I will figure it out soon.

    Thank you for all your help!!!!! You have done a great job in helping me get the computer running again. I appreciate everything!!

    Gayla
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounding better. Did you unregister the iacedcfz.dll as I asked you to? If not do that and then fix the HijackThis line:
    O2 - BHO: iacedcfz - {38F575DE-7DFF-02AE-3CD6-FA62B92FA65B} - C:\WINDOWS\System32\iacedcfz.dll

    and then try to delete the file after booting to safe mode.
     
  21. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    Update. I ran the stinger program, did not save the log, did not know I had to. Anyhow, the C:\WINDOWS\System32\iacedcfz.dll is now gone. I have run norton and it only found some adaware things but no viruses. I have rebooted and still did not see the C:\WINDOWS\System32\iacedcfz.dll file. I wanted to show you final hijack log and make sure it still looks clean to you.
    Again, I greatly appreciate your help!!!!!

    Logfile of HijackThis v1.98.0
    Scan saved at 11:35:23 AM, on 7/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Hi jack This\HijackThis.exe

    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: msxml3lb - {F8E4AADC-235C-BB45-EC24-58384D094278} - C:\WINDOWS\System32\msxml3lb.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx


    Gayla :)
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay just a few more things to fix. A few of these have been lingering here for a while. I asked you to fix them a few times. Did you forget to fix the R3 lines or have they been coming back?

    Please run this online scan first. You have a Trojan (the O16 line):
    http://housecall.trendmicro.com/housecall/start_corp.asp

    See this for info on the Trojan:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.BU


    Shut down IE sessions and have HijackThis fix the following:

    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll (file missing)


    If the O16 line is still there after running the online scan then do the following:

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u C:\Windows\Downloaded Program Files\Speedup.ocx

    then click OK. If a dialog box confirming this action appears, click OK.

    Then shutdown IE sessions run HijackThis and fix:
    O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
     
  23. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    I have run the housecall online scan. I did not really pay attention to what virus it showed. Told it to delete all. Then proceeded with your instructions. I still cannot delete the R3's, they keep popping back up. I just ran another housecall online scan to make sure all viruses were gone. The scan is clean. Please look at the newest log. So far, the computer is running stable but I am the only one that has been on it.

    I do now question how well Norton detects viruses because it did not find the ones that the online scan did. Norton is updated. I currently have her on a Norton trial, what software do you recommend is the best virus protection software to load onto her computer?

    Logfile of HijackThis v1.98.0
    Scan saved at 6:14:57 PM, on 7/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Hi jack This\HijackThis.exe

    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: msxml3lb - {F8E4AADC-235C-BB45-EC24-58384D094278} - C:\WINDOWS\System32\msxml3lb.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


    Thanks. :)
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Remember awhile back when you said:
    "Anyhow, the C:\WINDOWS\System32\iacedcfz.dll is now gone"

    The reason it was gone was because it renamed itself to:
    O2 - BHO: msxml3lb - {F8E4AADC-235C-BB45-EC24-58384D094278} - C:\WINDOWS\System32\msxml3lb.dll

    We need to find out how this is respawning itself.

    So let's try again:

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u C:\WINDOWS\System32\msxml3lb.dll

    then click OK. If a dialog box confirming this action appears, click OK.
    Tell me if that works okay or not.


    Now shutdown all IE sessions and run HijackThis. Put a check on the following lines and then select Fix checked:

    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: msxml3lb - {F8E4AADC-235C-BB45-EC24-58384D094278} - C:\WINDOWS\System32\msxml3lb.dll

    Now reboot in safe mode, make sure you can see hidden files/folders (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) and delete if found:

    C:\WINDOWS\System32\msxml3lb.dll

    Tell me whether you were able to find and delete this file.
    While in safe mode, run HijackThis again and if those R3 lines are there, fix them again.

    Now Reset Web Settings by right clicking on your desktop Internet Explorer icon. Then click Tools, Internet Options, Programs, and click the Reset Web Settings button. Then go back to the General tab and set your home page back to what you prefer (like www.majorgeeks.com).

    Reboot in normal mode and post a new HijackThis log.
     
  25. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    Chaslang

    I went over to start fixing the computer this morning to find out that popups have reappeared, etc. Over the last couple of days, I have found out that she has checked her email (I had told her not to!!!), the granddaughter has been on the computer using Instant Messaging, and some other surfing of the website has been done (I think). So, needless to say, the computer is not in the same status as I left it last time. I ran CWShredder this morning, it found 1 registry item. I ran Spybot and it came back with 83 items. I left the computer running Adaware.

    I am really debating right now and leaning toward reformatting with the hopes that this will be resolved, otherwise, I may waste several more hours trying to fix this and end up reformatting anyway.

    What are your thoughts? Do you think I should reformat or do you really think we can clean the computer up and find out what is "respawning" itself, etc.

    Gayla
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's always an option. Depends on how much is already on the system that you may need to backup somewhere first and do you have the ability to do that. Also need to reinstall all applications and set all user provisioning and options, preferences, favorites etc up all over again. Can be a bunch of work too. Problem is that if you do not put the required protection in place ASAP, you will be back here again with problems very soon after reformatting.

    How about sending a new HijackThis log and did you try what I sent in my last message for that msxml3lb.dll file?
     
  27. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    On your last message, when I ran
    regsvr32 /u C:\WINDOWS\System32\msxml3lb.dll, I got the following message
    "C:\WINDOWS\System32\msxml3lb.dll was loaded, but the Dllunregister server entry point was not found. The file can not be unregistered."

    I tried deleting the R3's, they did not show up in safe mode.

    In safe mode, when tried to delete C:\WINDOWS\System32\msxml3lb.dll, I got the following message:

    "cannot delete msxml3ld.dll It is being used by another person or program. Close any programs that might be using file and try again"

    Here is the current hijack log:

    Logfile of HijackThis v1.98.0
    Scan saved at 6:19:11 PM, on 7/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\documents and settings\owner\local settings\temp\jhCTEIO.exe
    C:\documents and settings\owner\local settings\temp\3LoKP4Ee.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\WINDOWS\System32\webystem.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Hi jack This\HijackThis.exe

    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    R3 - URLSearchHook: (no name) - 3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
    O2 - BHO: msxml3lb - {F8E4AADC-235C-BB45-EC24-58384D094278} - C:\WINDOWS\System32\msxml3lb.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [jhCTEIO] C:\documents and settings\owner\local settings\temp\jhCTEIO.exe
    O4 - HKLM\..\Run: [3LoKP4Ee] C:\documents and settings\owner\local settings\temp\3LoKP4Ee.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [eB0qRha6i] webystem.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

    Will hold off on reformatting. I have not reformatted because of reloading everything. Will see if we can troubleshoot some more.

    Gayla
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Where in the world have you been going since your log on 7/17/2004? You have brought back a whole bunch of problems and some new ones. You have the peper trojans back, you have WinTools, you have WinPage Affiliate, you have dp-him.exe. You need to pick better places to surf and get some better protection in place on this computer.
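    The comparison chaslang is doing by eye here (the 7/21 log against the 7/17 log: new processes, new O2/O4/O16 entries, autoruns living in a temp folder, a bare "webystem.exe" whose real location only shows up in the process list) as an added, runnable example. This is not a tool from the thread; it is a small Python diff of two HijackThis logs. The two log excerpts are trimmed from the 7/17 and 7/21 logs posted above, keeping only the lines that matter for the diff.

```python
"""Diff two HijackThis logs and flag autorun entries worth a second look.

Added example, not a tool from the thread. LOG_0717 and LOG_0721 are trimmed
excerpts of the 7/17 and 7/21 logs posted in this thread.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")     # "O4 - HKLM\..\Run: ..."
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)         # "Running processes" lines
TEMP_RE = re.compile(r"\\local settings\\temp\\", re.IGNORECASE)
# Command of an O4 Run-key entry: "[name] "path\prog.exe" args" -> prog path
O4_CMD_RE = re.compile(r'^O4 - .*?\[[^\]]*\]\s*"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)

LOG_0717 = r"""
Running processes:
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Hi jack This\HijackThis.exe

O2 - BHO: msxml3lb - {F8E4AADC-235C-BB45-EC24-58384D094278} - C:\WINDOWS\System32\msxml3lb.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""

LOG_0721 = r"""
Running processes:
C:\WINDOWS\System32\S3tray2.exe
C:\documents and settings\owner\local settings\temp\jhCTEIO.exe
C:\WINDOWS\System32\webystem.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Hi jack This\HijackThis.exe

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: msxml3lb - {F8E4AADC-235C-BB45-EC24-58384D094278} - C:\WINDOWS\System32\msxml3lb.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [jhCTEIO] C:\documents and settings\owner\local settings\temp\jhCTEIO.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [eB0qRha6i] webystem.exe
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
"""


def parse_hjt(text: str) -> Tuple[Set[str], Set[str]]:
    """Return (running processes, HJT entries) found in a log; other lines are ignored."""
    processes: Set[str] = set()
    entries: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if ENTRY_RE.match(line):
            entries.add(line)
        elif PROCESS_RE.match(line):
            processes.add(line)
    return processes, entries


def diff_logs(old: str, new: str) -> Dict[str, List[str]]:
    """What appeared and what disappeared between two logs, sorted for stable output."""
    old_p, old_e = parse_hjt(old)
    new_p, new_e = parse_hjt(new)
    return {
        "new_processes": sorted(new_p - old_p),
        "gone_processes": sorted(old_p - new_p),
        "new_entries": sorted(new_e - old_e),
        "gone_entries": sorted(old_e - new_e),
    }


def suspicious_autoruns(entries: List[str]) -> List[str]:
    """O4 entries that start something from a user's temp folder, where no installer puts a program."""
    return [e for e in entries if e.startswith("O4 - ") and TEMP_RE.search(e)]


def match_autoruns_to_processes(entries: List[str], processes: Set[str]) -> Dict[str, Optional[str]]:
    """For each O4 Run-key entry, the running process with the same executable name, if any.

    A bare name such as 'webystem.exe' is resolved through the system path at logon,
    so the process list is where you learn which directory it actually runs from.
    """
    by_name = {p.rsplit("\\", 1)[-1].lower(): p for p in processes}
    result: Dict[str, Optional[str]] = {}
    for e in entries:
        m = O4_CMD_RE.match(e)
        if m:
            name = m.group("exe").rsplit("\\", 1)[-1].lower()
            result[e] = by_name.get(name)
    return result


if __name__ == "__main__":
    report = diff_logs(LOG_0717, LOG_0721)
    for key, lines in report.items():
        print(key, *lines, sep="\n  ")
    for e in suspicious_autoruns(report["new_entries"]):
        print("temp-folder autorun:", e)
    for e, p in match_autoruns_to_processes(report["new_entries"], parse_hjt(LOG_0721)[0]).items():
        print("runs as:", p, "<-", e)
```

Run it with two full logs pasted into `LOG_0717` and `LOG_0721` (or read from files); entries that appear in the diff after a cleanup is the same signal chaslang uses to decide that something is reinstalling itself rather than surviving.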
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to go back and do all the stuff I gave you in my very first post to you again.

    Also if you do not have SpyBot S&D, install it and make sure you use its Immunize feature.
    If you do not have SpywareBlaster install: http://www.majorgeeks.com/download2859.html
    And also since you seem to keep having too many reoccurring problems you should use SpywareGuard too: http://www.majorgeeks.com/download3045.html


    See this http://www.pchell.com/support/wintools.shtml for removal of WinTools.

    After doing all above scans and installing this new stuff and immunizing, and removal of WinTools, post a new HijackThis log.
     
  30. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    Trust me, my initial reaction was like yours!!!!! I could not believe all this stuff was back and I had to start from scratch again on removing it! Now you see why I said reformat. I do have a couple of questions.

    In the history section of internet explorer, when I look at sites that were visited I do not recognize some of them. Can these websites actually be the popups that appeared or are they only sites that really were visited?

    Do you know if AOL's instant messenger possibly caused this? I personally hate instant messenger but my mother-in-law allows it to be used, I would not allow it!

    Mother-in-law had opened her outlook express and deleted the messages, says she did not open the messages, could something have come from them? Norton was installed at that time.

    Could someone be hacking her computer and causing this? If not, how would I know what website is doing it?

    What other protection would you suggest?

    I am starting from the first post again and I do know that Spybot only came back with the DSO exploit (5 entries). Had housecall onlinescan running when I left.

    Thanks, Gayla
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re-format is not the answer. You need protection. Otherwise you would be re-formatting every week.

    Some malware will add items into History and or Favorites. You should run CCleaner (formerly called CrapCleaner) on this PC. Get it here
    Just run it and on the Windows tab (you'll see when you run it) leave the defaults and click Run Cleaner.

    All kinds of virus problems and malware can get transferred thru email (possible AIM too). Your virus protection program must be kept up to date with definitions. Check for updates and load them if out of date. Run a full virus scan on the PC. This is not the same thing as just having it loaded at boot time. If anything has gotten into your PC in between updates a full scan should find it.

    You need to check if you are up to date with Microsoft's Critical updates. Double check by going to Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
    Then click scan for updates.
    Download ALL of the critical updates.

    Let me know if you were missing any.

    After getting all the Critical Updates we are going to fix some issues in SpyBot. Let me know when you get to this point where all scans have been run with UPDATED reference lists (always check for updates each time you run Ad-aware & SpyBot).

    Did you install SpywareBlaster and SpywareGuard yet?
     
  32. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    No I have not run SpywareBlaster and SpywareGuard yet. Have only run Spybot, Housecall and Panda. Am heading there after work and will do the remainder of the first post then go get the SpywareBlaster and SpywareGuard. Will do everything, plus check the microsoft updates and check for updates on each of the software. Will take a while to do.

    Thanks.
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But just to keep you busy while waiting for me to return (I'll be out until about 12:30 am EST tonight) here is what I wanted to fix in SpyBot:

    Run SpyBot and get into the Advanced mode by selecting Mode and then Advanced mode. Then select Settings and then in the left column select Ignore Products. In the right window pane make sure the All products tab is selected. Then in that window, right click your mouse and choose "Deselect all". Now in the left pane click at the top on SpyBot S&D and then choose Search for Updates. Download any updates required. Now click Check for Problems. Fix any that are found and let me know what it finds (if any).
     
  34. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    I have run the following

    Spybot without the update as the update is giving me an error "!!!Bad Checksum". Not sure what the problem is.

    result: DSO Exploit
    Huntbar

    Adaware and it found 18 items.

    Housecall found nothing

    Panda found a TRJ/Nedibed.A but disinfected it.

    Stinger found nothing

    Memorywatcher ran and closed itself

    Norton ran and delete a couple of items that were labeled
    Adware.Binet
    Adware.Delfin
    Spyware.Apropos

    Did the windows critical updates

    Removed Wintools in the registry, deleted the folder in the Windows directory, and deleted the hosts file.

    Loaded the SpywareBlaster and SpywareGuard, did not "run" them as I did not see that they did anything like that. SpyGuard is loaded in the system tray, next to the Norton icon. I do not see SpywareBlaster but do not know if it should show in the system tray or not.

    Here is my new hijack log:


    Logfile of HijackThis v1.98.0
    Scan saved at 7:46:34 AM, on 7/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\documents and settings\owner\local settings\temp\jhCTEIO.exe
    C:\documents and settings\owner\local settings\temp\3LoKP4Ee.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Hi jack This\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: qdvnmy - {599EB0DD-855D-75FD-603F-DCB23AFEBBD7} - C:\WINDOWS\System32\qdvnmy.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [jhCTEIO] C:\documents and settings\owner\local settings\temp\jhCTEIO.exe
    O4 - HKLM\..\Run: [3LoKP4Ee] C:\documents and settings\owner\local settings\temp\3LoKP4Ee.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [eB0qRha6i] webystem.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

    Thanks
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should create a default hosts file if the system has not already done that for you.
    For WinXP, it should be c:\windows\system32\drivers\etc\hosts
    Here is what should be in the file:

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    127.0.0.1 localhost
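    As an added example (not from chaslang's post or any tool named in this thread), here is a small Python checker that reads a HOSTS file and reports every mapping that is not the default 127.0.0.1 localhost entry above, which is what a malware-modified file would add. The two hijacked lines in the sample are constructed for illustration; the rules are my own defender heuristics, not a vendor list.

```python
"""Audit a Windows HOSTS file against the default shown above.

Added example, not part of the original thread.  The parser and the
"suspicious" rules are mine; the hijacked entries in SAMPLE_HOSTS are
constructed for illustration, not taken from the poster's machine.
"""
import ipaddress


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed, maps nothing
        ip = parts[0]
        for name in parts[1:]:                 # one IP may map several names
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Return (ip, host, reason) for every entry beyond the default.

    Rules (defender heuristics, not an authoritative list):
      * loopback -> localhost is the default and is ignored
      * loopback -> any other name silently blocks that name (malware
        uses this against antivirus and update servers)
      * a non-loopback address for any name redirects traffic for it
      * an unparseable address means the file is damaged or tampered
    """
    findings = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, host, "invalid address"))
            continue
        if addr.is_loopback and host == "localhost":
            continue                           # the stock mapping
        if addr.is_loopback:
            findings.append((ip, host, "name blocked via loopback"))
        else:
            findings.append((ip, host, "name redirected to non-loopback address"))
    return findings


def is_default_hosts(text):
    """True when the file maps nothing beyond localhost -> loopback."""
    return not audit_hosts(text)


# Constructed sample: the stock XP header plus two hijacked lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
127.0.0.1 update.example-antivirus.test   # constructed: blocks an update host
203.0.113.7 www.example-bank.test         # constructed: redirects a site
"""

if __name__ == "__main__":
    for ip, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:<15} {host:<35} {reason}")
```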
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try to update SpyBot again. If you get the checksum error, try a few more times. I have seen it lately too and when I retried it worked okay.

    You still have some items to fix in your log:

    First bring up Task Manager (by hitting CTRL-ALT-DEL) then select processes, click on the Image Name column to sort. Look for these and if found, End Process:
    3LoKP4Ee.exe
    dp-him
    jhCTEIO.exe
    webystem.exe

    Now close all applications and have HijackThis fix the following:

    O4 - HKLM\..\Run: [jhCTEIO] C:\documents and settings\owner\local settings\temp\jhCTEIO.exe
    O4 - HKLM\..\Run: [3LoKP4Ee] C:\documents and settings\owner\local settings\temp\3LoKP4Ee.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKCU\..\Run: [eB0qRha6i] webystem.exe


    Enable viewing of hidden files: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
    Now reboot to safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

    Delete these files:
    C:\documents and settings\owner\local settings\temp\jhCTEIO.exe
    C:\documents and settings\owner\local settings\temp\3LoKP4Ee.exe
    C:\WINDOWS\System32\dp-him.exe
    C:\webystem.exe or
    C:\Windows\webystem.exe or
    C:\Windows\system\websystem or
    C:\Windows\system32\websystem
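    The O4 lines chaslang singles out share two cues an analyst looks for: an autorun pointing into a temp directory, and a bare filename with no path. As an added example (not HijackThis code and not from this thread), the Python below parses O4 Run entries and reports those two cues; the sample log is built from lines that appear in the log posted earlier. A full-path entry like the [Dsi] dp-him.exe line is deliberately not caught by these rules, which is why an analyst still has to read the log.

```python
"""Triage the O4 (registry Run) lines of a HijackThis log.

Added example, not part of the thread and not HijackThis code.  It encodes
two cues chaslang applies by eye above.  SAMPLE_LOG is constructed from
O4 lines that appear in the log posted earlier in this thread.
"""
import re

# O4 - HKLM\..\Run: [KeyName] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def parse_o4(log_text):
    """Return one dict (hive, key, name, cmd) per registry Run entry."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def executable_of(cmd):
    """Return the program part of a Run value.

    Honours a quoted path, and for unquoted paths containing spaces
    (common under Documents and Settings) cuts at the first '.exe'.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def triage_o4(log_text):
    """Return (severity, name, exe, reason) for entries worth a look.

    "fix"    : program autoruns from a temp directory; legitimate software
               does not install itself there.
    "verify" : bare filename, so Windows resolves it via the search path;
               locate the file on disk before trusting it (legitimate
               vendor entries such as nwiz.exe also land here).
    """
    findings = []
    for e in parse_o4(log_text):
        exe = executable_of(e["cmd"])
        low = exe.lower()
        if any(marker in low for marker in TEMP_MARKERS):
            findings.append(("fix", e["name"], exe, "autorun from a temp directory"))
        elif "\\" not in low:
            findings.append(("verify", e["name"], exe, "bare filename, no directory"))
    return findings


# Constructed sample: O4 lines quoted from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [jhCTEIO] C:\documents and settings\owner\local settings\temp\jhCTEIO.exe
O4 - HKLM\..\Run: [3LoKP4Ee] C:\documents and settings\owner\local settings\temp\3LoKP4Ee.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [eB0qRha6i] webystem.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

if __name__ == "__main__":
    for severity, name, exe, reason in triage_o4(SAMPLE_LOG):
        print(f"{severity:<7} [{name}] {exe}: {reason}")
```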
     
  37. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    I changed the place of download in spybot and was able to update it. It found 18 items. Ran the scan after boot and it only found the DSO Exploit.

    I have a host file that was created called host.bho. So I have left it as is.

    Here is my new log after deleting the items that I could find.



    Logfile of HijackThis v1.98.0
    Scan saved at 6:16:08 PM, on 7/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Hi jack This\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: qdvnmy - {599EB0DD-855D-75FD-603F-DCB23AFEBBD7} - C:\WINDOWS\System32\qdvnmy.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2001.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

    Thanks
     
  38. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    Any more suggestions? Or do you think it is okay now?

    Gayla
     
  39. NeoNemesis

    NeoNemesis Moutharrhea

    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    O2 - BHO: (no name) - SOFTWARE - (no file)

    I would delete those because the no file ones are nothing and the other ones are for search assistant, which is spyware.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I guess your last log got lost in the load of HSA and About:Blank issues that have been coming in non-stop.

    Yes, a couple in addition to what Neo has already indicated. I'm not sure that the res://C:\PROGRA~1\Toolbar\toolbar.dll/sa lines are going to be fixed by just fixing those lines though. But let's give it a try. I believe they may be tied into the qdvnmy.dll. We will also run About:Buster just in case. Download the current About:Buster. Do not run yet.


    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\qdvnmy.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Type, or copy and paste, the following text:
    regsvr32 /u C:\Program Files\Common Files\midaddle\midaddle.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Then shutdown Internet Explorer and have HijackThis fix these two lines:
    O2 - BHO: qdvnmy - {599EB0DD-855D-75FD-603F-DCB23AFEBBD7} - C:\WINDOWS\System32\qdvnmy.dll
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll

    Now reboot in safe mode and delete:
    C:\WINDOWS\System32\qdvnmy.dll
    C:\Program Files\Common Files\midaddle\midaddle.dll

    Run About:Buster and save the log to ABlog1.txt
    Run About:Buster a second time and save the log to ABlog2.txt

    Now reboot in normal mode and read the new guidelines on posting HijackThis logs:
    http://forums.majorgeeks.com/showthread.php?t=35407

    Then put the two About:Buster logs and HijackThis log in one text file and attach it to your next message. Tell me if all this worked okay or if there were any snags along the way.
     
  41. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    I have done what you have indicated here is the about.buster log and the hijack log:


    Edit by chaslang: Please follow directions. Attachments only!
     

    Attached Files:

    • hjt.txt
    Last edited by a moderator: Jul 28, 2004
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow my directions or something did not work and you did not tell me about it.
    You still have the C:\WINDOWS\System32\qdvnmy.dll file I told you to delete.

    Also, very important, I told you in my last message:

    Now reboot in normal mode and read the new guidelines on posting HijackThis logs:
    http://forums.majorgeeks.com/showthread.php?t=35407

    Then put the two about:Buster logs and HijackThis log in one text file and attach it to your next message. Tell me if all this worked okay or if there were any snags along the way.

    You did not post it as an attachment. Logs will get deleted if directions are not followed.
    I reposted it for you this time. Next time... it will be deleted.
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  44. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    Sorry, you are right, I forgot to read the new guidelines.

    I could not do several of the things that you told me but I will try them again and give you the results of each one.

    Thanks
     
  45. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    I hope I have done this new thread posting right. My new thread containing the hijack log and the Ablog1.txt and Ablog2.txt is posted as SHAGGYSGIRL'S NEW LOG FILE.

    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\qdvnmy.dll
    then click OK. If a dialog box confirming this action appears, click OK
    window said "was loaded but the dllunregister server entry point was not found. The file can not be registered"

    Type, or copy and paste, the following text:
    regsvr32 /u C:\Program Files\Common Files\midaddle\midaddle.dll
    then click OK. If a dialog box confirming this action appears, click OK.
    window said "loadlibrary ("c:\Program") failed - The specified module count not be found"


    Then shutdown Internet Explorer and have HijackThis fix these two lines:
    O2 - BHO: qdvnmy - {599EB0DD-855D-75FD-603F-DCB23AFEBBD7} - C:\WINDOWS\System32\qdvnmy.dll - Deleted
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll - not found


    Now reboot in safe mode and delete:
    C:\WINDOWS\System32\qdvnmy.dll
    window said "cannot delete qdvnmy.dll: It is being used by another person or program. close any programs that might be using the file and try again."

    C:\Program Files\Common Files\midaddle\midaddle.dll
    did not find file but deleted the folder labeled midaddle


    Now reboot in normal mode and read the new guidelines on posting HijackThis logs:
    http://forums.majorgeeks.com/showthread.php?t=35407
    Did the Getting Started steps 1-5 and the Time to Start Scanning and Cleaning Steps 1-4. Did not delete anything out of the hijack log. Not sure what to do.

    Norton: found adaware as follows: Did not delete these files. dll's?
    ATPartners.dll
    AtPart~1.dll
    Dc95.exe
    mxtarget.dll

    Spybot found in regular mode: I fixed
    Twaintech (1)
    Clarseach.inet (1)
    DSO Exploit (5)

    Spybot found in safe mode: I fixed
    mediaplex
    AvenueA, Inc


    TrendMicro and PandaSoftware came back clean

    Adaware found
    Ezula (could not find)
    Win32.Backdoor.afcore (hijack backups so I deleted them)
    Midaddle (deleted)

    Hope I have detailed everything.

    Thanks

    Edit by chaslang: moved HJT log file from new thread to here.
     

    Last edited by a moderator: Jul 31, 2004
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not have started a new thread! I moved your log here and I killed the new thread. You only had one comment thus far in that new thread from NeoNemesis. This is what Neo said

    "The only thing that I recognized was a blank line:
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)"

    While this can be fixed, it does not address the problem we are working on. I'll continue with that soon.

    So fix the above line and also fix this one:
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
     
    Last edited: Jul 31, 2004
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Ad-aware in safe mode (make sure you are updated before booting in safe mode) but run a fullscan. Read this: http://www.lavahelp.com/howto/fullscan/index.html

    Also, run your Norton Virus scan again in safe mode and see if it cleans those files up.

    Boot normal mode. Use Windows Explorer to locate C:\WINDOWS\System32\qdvnmy.dll
    Now right click on it and Select Properties. Tell me if there is a Version tab. If so, click on it and get information about Company and other info on the DLL.
     
  48. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The reason you could not connect to the link I gave you is because Lavasoft changed from .com to .net. Try this link and do the fullscan in safe mode:
    http://www.lavahelp.net/howto/fullscan/index.html

    You did not attach your HijackThis log as stated, but don't do that yet. First download the new HijackThis from here.

    Then I want you to download FINDnFIX from here: http://downloads.subratam.org/FINDnFIX.exe

    Run FINDnFIX.exe, it will extract some files to a folder called c:\findnfix
    Use Windows Explorer to bring that directory up. Now if necessary print the remaining instructions because you will be disconnecting from the Internet in the next step. I want you to physically unplug your analog modem phone line or ADSL/Cable modem ethernet cable from your PC so that there is no way any running program can get access to the Internet from your PC.

    Disconnect your network connection now!

    In the c:\findnfix directory double click on the file !log!.bat
    This will run the program and it will create a log.txt file (it will also pop up in notepad when done). Be patient, it takes a little while for it to scan thru all the files it needs to look for.

    When it is finished, reboot your PC and reconnect your network connection.
    Now create a new HijackThis log and come back here and post as attachments your HijackThis log and the log.txt file from FINDnFIX.
     
  50. SHAGGYSGIRL

    SHAGGYSGIRL Private E-2

    I ran FindnFix in regular mode as I could not disable the network connection in safe mode.

    Norton had found a virus in the C:\recyclers so I deleted the whole folder as it would not let me delete the one file. Norton has been run 2 times since then and has not found a virus, just an adware.

    Attached are my files
     