Functions being disabled...

Discussion in 'Malware Help (A Specialist Will Reply)' started by Joe Robinson, Apr 30, 2006.

  1. Joe Robinson

    Joe Robinson Private E-2

    I must start by saying that I am a novice when it comes to dealing with viruses and malware even though I have been in the IT industry for 18 years now. I have been blessed never to have had a major problem. The extent of my experience has been a couple of minor viruses that I effectively removed by using some anti-virus software. Not so lucky this time.

    I have a Toshiba Laptop “Satellite” running Windows XP Home Edition that I recently purchased. Whatever virus I have constantly generates ads based upon whatever websites I am visiting. It has disabled my Windows “Search” feature and “System Restore”. Many of the sites that I visit have the html button functions disabled. Not sure if that is related to an applet or script problem. Certain buttons on this site (including "Manage Attachments") were disabled while trying to navigate from my laptop. I had to go to my desktop to submit this post.

    I followed the steps in your “Read and Run This First” instructions. I have attached the logs files that resulted from those instructions.

    Ohh, I almost forgot. What about the recovery disks? Well, I ran out of CD-R disks since I purchased the laptop. Of course the day that I went to purchase the CD-R disks was the day that I got the virus. In other words, I never got the opportunity to make the back-up disks. As you can see, I really need your help before something major is destroyed on my laptop.

    My Bit Defender file (bdscan.txt) is 928 kb, too large to upload to the site.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    If your Bitdefender log is that large perhaps you did not do some of what was recommended in step 0 of the READ & RUN ME. Or perhaps you just have a ton of bad stuff showing in the System Volume Information folder (this is System Restore).

    Just compress the log into a ZIP file and upload the ZIP.

    What about the PandaActiveScan log from step 6?

    Also based on your HJT log you have not run Bitdefender or Panda? They must be run before HijackThis. Run both scans and attach their logs. Then get a new HJT log and attach it.

    Let's get an installed programs list from HijackThis too!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
     
    Last edited: Apr 30, 2006
  3. Joe Robinson

    Joe Robinson Private E-2

    Thank you so much for your prompt response. I had business and could not reply in a timely manner myself. You asked about the Bitdefender and Panda runs; well, due to the problem I am having, I was unable to run these scans. They both use html type buttons to execute. There was an "install and scan" for Bitdefender so I used that one; I had no luck with Panda. Don't forget, just to reply to your email I have to use my desktop. I have attached the compressed file.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach the Uninstall programs list from HijackThis that I requested.

    You must uninstall the BitDefender program you installed. You already had McAfee installed and you must only use one antivirus application. Uninstall it now before continuing.

    Look in Add/Remove programs for EQAdvice and uninstall if found! Also look for anything named Yazzle (or Yazzle Sudoku) and uninstall if found.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\upahihoA.exe
    C:\WINDOWS\errorhandler.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [upahihoA] C:\WINDOWS\upahihoA.exe
    O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
    O4 - HKLM\..\Run: [w001ff20.dll] RUNDLL32.EXE w001ff20.dll,I2 0008649c0001ff20
    O4 - HKCU\..\Run: [fqrz] C:\PROGRA~1\COMMON~1\fqrz\fqrzm.exe
    O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
    O4 - HKCU\..\Run: [Eprc] "C:\Program Files\twen\coea.exe" -vt yazr
    O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\EQAdvice <--- the whole folder
    C:\Program Files\twen <--- the whole folder
    C:\Program Files\Common Files\fqrz <--- the whole folder
    C:\Program Files\WebRebates4 <--- the whole folder
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\pqdsregj.exe
    C:\WINDOWS\system32\pwinrqag.exe
    C:\WINDOWS\system32\w001ff20.dll
    C:\WINDOWS\upahihoA.exe
    C:\WINDOWS\errorhandler.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
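As an added example (not code from the thread, from chaslang, or from HijackThis), the following PowerShell pass encodes the patterns chaslang marked for fixing in the post above as triage rules over HJT log lines, so a defender can run the same checks over a full log. The sample lines are taken from the fix list above; the trusted-host list is our own assumption.

```powershell
# Constructed sample: lines quoted from the fix list above, plus two benign entries
# (a Toshiba start page and the ZoneAlarm autorun) that should NOT be flagged.
$SampleLog = @'
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [upahihoA] C:\WINDOWS\upahihoA.exe
O4 - HKLM\..\Run: [w001ff20.dll] RUNDLL32.EXE w001ff20.dll,I2 0008649c0001ff20
O4 - HKCU\..\Run: [fqrz] C:\PROGRA~1\COMMON~1\fqrz\fqrzm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
'@

function Test-TrustedHost {
    param([string]$HostName, [string[]]$Trusted)
    foreach ($t in $Trusted) {
        if ($HostName -eq $t -or $HostName.EndsWith(".$t")) { return $true }
    }
    return $false
}

function Get-HjtFinding {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        # Assumed allow-list; extend it with the vendor/OEM hosts you expect on the box.
        [string[]]$TrustedHosts = @('microsoft.com', 'toshibadirect.com')
    )
    foreach ($line in $Lines) {
        # Every HJT entry is "<type> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
        if (-not ($line -match '^(?<Type>[RFO]\d+) - (?<Body>.+)$')) { continue }
        $type = $Matches.Type
        $body = $Matches.Body
        $reason = $null

        if ($type -match '^R[01]$' -and $body -match '=\s*(?<Value>\S+)\s*$') {
            # Start/search page settings: anything off the allow-list is a hijack candidate.
            $value = $Matches.Value
            $hostName = ($value -replace '^https?://', '') -replace '[/:?].*$', ''
            if ($value -ne 'about:blank' -and -not (Test-TrustedHost $hostName $TrustedHosts)) {
                $reason = "IE setting points at untrusted host $hostName"
            }
        }
        elseif ($type -eq 'R3' -and $body -match 'is missing') {
            $reason = 'default URLSearchHook removed (typical of search hijackers)'
        }
        elseif ($type -eq 'O4' -and $body -match '\]\s*(?<Cmd>.+)$') {
            $cmd = $Matches.Cmd
            if ($cmd -match '^"?[A-Za-z]:\\WINDOWS\\[^\\]+\.exe') {
                $reason = 'autorun executable sitting directly in the Windows folder'
            } elseif ($cmd -match '^RUNDLL32(\.EXE)?\s+(?<Dll>[^\\,\s]+),') {
                $reason = "RUNDLL32 loading unqualified DLL $($Matches.Dll)"
            } elseif ($cmd -match '\\(COMMON~1|Common Files)\\[a-z]{3,5}\\[a-z]{3,6}\.exe') {
                $reason = 'autorun under Common Files with a short random-looking name'
            }
        }
        elseif ($type -eq 'O16' -and $body -match 'https?://(?<Host>[^/\s]+)') {
            # ActiveX download entries: flag any host we do not explicitly trust.
            if (-not (Test-TrustedHost $Matches.Host $TrustedHosts)) {
                $reason = "ActiveX download from untrusted host $($Matches.Host)"
            }
        }
        elseif ($body -match '\(file missing\)') {
            $reason = 'entry references a file that no longer exists (orphaned hook)'
        }

        if ($reason) {
            [pscustomobject]@{ Type = $type; Reason = $reason; Line = $line }
        }
    }
}

Get-HjtFinding -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize -Wrap
```

The rules deliberately describe behaviour (binary in the Windows root, unqualified RUNDLL32 argument, orphaned hook) rather than the file names from this one thread, so they still fire on a fresh log with different random names.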
     
  5. Joe Robinson

    Joe Robinson Private E-2

    I ran through all the steps you suggested in your reply. I don't have the problem with the pop-up ads anymore but I still don't have some functionality. Hyperlinks work but it looks to me that the command html buttons still don't work. For instance, the "Manage Attachments" button on this site doesn't even show up on my laptop. My search window still does not work, the window just opens, but there is no text, I can see the little dog smiling at me. :) The formatting options at the top of this window are disabled.

    I had to uninstall McAfee by hand, ZoneAlarm is my antivirus software.

    I have attached the latest HJT log file.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Third request for uninstall programs list!

    McAfee is still running! Look at your log. What do you mean by removed it by hand? You should have uninstalled it using Add/Remove programs!
     
  7. Joe Robinson

    Joe Robinson Private E-2

    It uses the same type of buttons that are being disabled. I am unable to uninstall it using Add/Remove Programs.
    I will send the uninstall list.
     
  8. Joe Robinson

    Joe Robinson Private E-2

    I have attached the uninstall list.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what the below items are for in Add/Remove Programs?
    mCore
    mDrWiFi
    mHelp
    mIWA
    mIWCA
    mLogView
    mMHouse
    mPfMgr
    mPfWiz
    mProSafe
    mWlsSafe
    mXML
    mZConfig
    sibwinterdt.exe

    Are the ones beginning with an "m" for some kind of wireless card?

    I see Spy Sweeper! Is it a trial version or a paid version?

    When we get around to fixing the ability to uninstall programs, you need to uninstall the below:
    J2SE Runtime Environment 5.0 Update 4
    McAfee SecurityCenter

    Run the below procedure and attach the runkeys.txt log.

    Using GetRunKey
     
  10. Joe Robinson

    Joe Robinson Private E-2


    I did some checking on the internet and I could not find a definitive answer concerning the “m” programs.

    Spy Sweeper is a paid version.

    I was able to remove J2SE Runtime Environment 5.0 Update 4, I still cannot remove McAfee.

    I have attached the runkeys file.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What kind of ethernet card do you use? What about the other program: sibwinterdt.exe


    When you try to uninstall it, what happens? Try using the below to uninstall it!

    Your Uninstaller! 2006 5.0.0.235
     
  12. Joe Robinson

    Joe Robinson Private E-2

    I have a "Marvell Yukon 88E8036 PCI-E Fast Ethernet". The program sibwinterdt.exe was a desktop theme file, I deleted it.

    The Uninstaller 2006 was successful at removing McAfee.

    I ran a new HJT file, had trouble attaching it, so I listed it below.

    ---------------------------------------------------------------------------------------------------

    Edit by chaslang: Inline log attached.
     

    Attached Files:

    Last edited by a moderator: May 11, 2006
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well not completely. We are going to have to perform some manual cleaning to finish getting rid of the remaining McAfee services.


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to McAfee Framework Service ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    McAfee WSC Integration
    McAfee Task Scheduler
    McAfee SecurityCenter Update Manager

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    McAfeeFramework

    Now repeat the Delete NT Service steps for:
    McDetect.exe
    McTskshd.exe
    mcupdmgr.exe

    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to.

    After reboot, locate the below folders and delete them if found:
    C:\Program Files\Network Associates
    C:\Program Files\mcafee.com

    Now attach a new HJT log and tell me if you had any problems performing these instructions.


    You should check to see if the file mentioned in the below service exists:

    O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)

    HijackThis indicates it to be missing but these detections by HJT are not always correct. If it is missing, it indicates some kind of problem with your Adobe software that may need a reinstall.


    I would like to get some more info on the C:\WINDOWS\System32\DLA\DLACTRLW.EXE file. Locate it using Windows Explorer and then right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too. It may be part of Sonic's drive letter access software but I want to be sure.
     
    Last edited: May 12, 2006
  14. Joe Robinson

    Joe Robinson Private E-2

    The Adobe file does exist. The company for the DLA file is Sonic. The new HJT log file is listed below.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you happen to look at what you posted?

    Please do not post ANY logs in lines. This is all covered in the sticky threads.

    And when you do attach them, make sure the content is correct. Your log was not saved properly, thus resulting in no carriage return/line feed pairs. Please ATTACH a proper HijackThis log.
     
  16. Joe Robinson

    Joe Robinson Private E-2

    The Adobe file does exist.

    The company for the DLA file is Sonic.

    I have attached the new HJT file.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  18. Joe Robinson

    Joe Robinson Private E-2

    Thank you for helping me remove all the malware on my system, but my original problem remains.

    I still do not have button functionality, my search page is still blank, even though I have enabled my System Restore, the process will not initiate. Just removing the malware did not restore the functionality that I lost.

    Any suggestions?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the below for the System Restore problem.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixSR.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixSR.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    If the above does not help get System Restore working, try this. Open Windows Explorer and run C:\windows\inf\sr.inf by locating it and double clicking on it.



    For your problems with Windows Search, try the below.
    1. Log on to the computer by using an account with administrator permissions.
    2. Click Start, click Run, type %systemroot%\inf, and then click OK.
    3. Locate the Srchasst.inf file.
    4. Right-click the Srchasst.inf file, and then click Install. This reinstalls the files that Search Companion uses.
    NOTE: You may need your Windows XP CD-ROM to finish installing Search Companion.
     
  20. Joe Robinson

    Joe Robinson Private E-2

    I have tried all the things you suggested and still my search function has not been restored and some buttons still are not functional. I have XP Home Edition on my laptop (pre-loaded) but the CD ROM I have is XP Professional, does it make a difference?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which buttons exactly are you referring to that do not work?
    Do you mean things that are part of Windows?
    Or things on Web pages? If on web pages, disable your firewall and see if it helps. Also try another browser like Mozilla Firefox.
    Does that work?

    For some things yes the CD must match what you have installed. I'm not sure if it matters for Search Assistant or not. You should ask further questions about these problems in the Software Forum. Your system was free of malware (two weeks ago) so I would have to say it is not a malware related problem at this point.
     
  22. Joe Robinson

    Joe Robinson Private E-2

    I noticed that a high number of people viewed this thread so I wanted to make sure that I post the final outcome. First of all I want to thank you for your help with the removal of the malware on the system.

    I followed your suggestion and went over to the software forum and the instructions below resolved the lost functionality problems.


    _____________________________________________

    Re-register Jscript.dll and Vbscript.dll, see if that solves anything.

    1. Click Start, and then click Run.
    2. In the Open box, type regsvr32 jscript.dll, and then click OK.
    3. Click OK.
    4. Click Start, and then click Run.
    5. In the Open box, type regsvr32 vbscript.dll, and then click OK.
    6. Click OK.

    Steve
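As an added example (not code from the thread, from Steve or from Microsoft), this PowerShell script checks whether the JScript and VBScript engines are registered the way Internet Explorer expects and, only where the chain is broken, performs the regsvr32 re-registration described in the post above. It assumes the ProgID -> CLSID -> InprocServer32 chain under HKEY_CLASSES_ROOT is how IE locates each engine; a break anywhere in that chain is what shows up as "dead" buttons on web pages. Run it from an elevated prompt.

```powershell
function Test-ScriptEngine {
    param([Parameter(Mandatory)][string]$ProgId)
    $state = [ordered]@{ ProgId = $ProgId; Clsid = $null; Dll = $null; Registered = $false; Issue = $null }

    # Step 1: ProgID (e.g. "JScript") must resolve to a CLSID.
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $clsidKey)) {
        $state.Issue = "ProgID $ProgId has no CLSID subkey (engine not registered)"
        return [pscustomobject]$state
    }
    $state.Clsid = (Get-ItemProperty -LiteralPath $clsidKey).'(default)'

    # Step 2: the CLSID must carry an InprocServer32 entry naming the engine DLL.
    $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$($state.Clsid)\InprocServer32"
    if (-not (Test-Path -LiteralPath $serverKey)) {
        $state.Issue = "CLSID $($state.Clsid) has no InprocServer32 key"
        return [pscustomobject]$state
    }
    $dll = (Get-ItemProperty -LiteralPath $serverKey).'(default)'
    $state.Dll = [Environment]::ExpandEnvironmentVariables([string]$dll)

    # Step 3: the DLL the registry points at must actually exist on disk.
    if (-not $state.Dll -or -not (Test-Path -LiteralPath $state.Dll)) {
        $state.Issue = "InprocServer32 points at a missing file: '$($state.Dll)'"
        return [pscustomobject]$state
    }
    $state.Registered = $true
    return [pscustomobject]$state
}

function Repair-ScriptEngine {
    param([Parameter(Mandatory)][string]$DllName)
    # Same fix as the post: regsvr32 <engine>.dll, run silently. On 64-bit Windows the
    # 32-bit IE uses the SysWOW64 copy, so register both copies where they exist.
    $dirs = @("$env:SystemRoot\System32")
    if (Test-Path "$env:SystemRoot\SysWOW64") { $dirs += "$env:SystemRoot\SysWOW64" }
    foreach ($dir in $dirs) {
        $dll = Join-Path $dir $DllName
        if (-not (Test-Path -LiteralPath $dll)) { Write-Warning "$dll not present; skipping"; continue }
        $proc = Start-Process -FilePath (Join-Path $dir 'regsvr32.exe') -ArgumentList "/s `"$dll`"" -Wait -PassThru
        if ($proc.ExitCode -ne 0) { Write-Warning "regsvr32 failed for $dll (exit $($proc.ExitCode))" }
        else { Write-Host "registered $dll" }
    }
}

# Check both engines; only touch the registry when a check fails, then re-check.
# Limitation: from a 64-bit shell this inspects the 64-bit registry view only.
foreach ($engine in 'JScript', 'VBScript') {
    $before = Test-ScriptEngine -ProgId $engine
    if ($before.Registered) { Write-Host "$engine OK -> $($before.Dll)"; continue }
    Write-Warning "$engine broken: $($before.Issue)"
    Repair-ScriptEngine -DllName "$($engine.ToLower()).dll"
    $after = Test-ScriptEngine -ProgId $engine
    Write-Host ("{0} after repair: {1}" -f $engine, $(if ($after.Registered) { 'OK' } else { $after.Issue }))
}
```

If the DLL itself is missing or corrupt, regsvr32 cannot help and the file must be restored from installation media, which is the same reason the Search Companion reinstall above may ask for the Windows CD.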
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks for posting the followup info. I knew someone there (Matacumbie) could focus in on this while we spend our time thinking about malware. ;)
     
