need major help - got 2 computers infected

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by justagirl82, Jun 19, 2004.

  1. justagirl82

    justagirl82 Private E-2

    I need some MAJOR help. I have 2 computers that are infected. The first one is an XP and I know that it has for sure (probably has more than these):

    downloader-kl
    TROJ STILEN.A
    TROJ ISTBARO.O
    TROJ STILEN.A

    I have Mcafee, Adaware 6 and Spysweeper on both computers but I still can't get rid of this stuff! It's constant popups and assorted adware/spyware crud all over the place.

    The other computer I know has:
    HTML/Debeski
    Httper

    The second computer is a windows 98 I believe. It is likely to have a bunch more crud on it too. I can't even open a webpage no more because it just freezes up on me.

    Please tell me what info you need and how to obtain it so that you can help me, I'm not too familiar with really technical things - I'M DESPERATE!

    (Note: don't know whether this has any bearing or not, but the first computer is on cable and I have a wireless system that enables the 2nd computer to have internet.)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. waxace

    waxace Private E-2

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Waxace, She already said she has Ad-aware. Also please note that all items you request to be downloaded are available here on MG's. Please use MG links first.
     
  7. justagirl82

    justagirl82 Private E-2

    Well, I've run SpySweeper, AdAware and Mcafee numerous times. Tried the Panda one, the Shredder one, the Stinger one, the HouseCall one, the HijackThis one. Currently I am trying out Spybot. Between all these it HAS to get rid of this, right??? :( Ugh - why me?? I appreciate the help! One more Q - SpySweeper picks up Apropis like EVERYTIME I scan - why does it keep coming back?



    Logfile of HijackThis v1.97.7
    Scan saved at 2:06:46 AM, on 6/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\S3apphk.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\WildTangent\Apps\GameChannel.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\WINDOWS\System32\extpinst.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50093
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us5.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://register.starband.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50093
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50093
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8C490F78-AD23-1CCF-49F6-0873780A2359} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [0OIfXfCO] C:\documents and settings\owner\local settings\temp\0OIfXfCO.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [AutoLoadert0o01ZSXONPM] "C:\WINDOWS\System32\rtutl30.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [t77i3tP] ctfrcl32.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [nvrsde] C:\WINDOWS\System32\nvrsde.exe
    O4 - HKCU\..\Run: [cwosRjj3V] extpinst.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1268/ftp.coupons.com/v6/brix6ie.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08cfa404b360bb691216/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://skill.skilljam.com/ssp/SSP.cab
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned35.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37651.3219560185
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_2_0.cab
    O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/eng/SysWebTelecomint.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.149/code/iPIX-ImageWell-ipix.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  9. justagirl82

    justagirl82 Private E-2

    Well, I believe I have my 2nd computer cleaned. I haven't messed with the 1st one since 3am this morning - I think I got it clean, but am not so sure. On my second computer I have some processes running that I don't know for sure if they are ok or not.


    ACMonitor_X63.e

    AcBtnMgr_X63.ex

    WZCSLDR.exe

    loadqm.exe

    winlogon.exe


    Anyone know?

    (will update on the 1st computer after I try what you just posted - right now I am sick of them, lol)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ACMonitor_X63.e ( you meant ACMonitor_X63.exe right?)
    Associated with the Lexmark Xxx (where "xx" is the model) all-in-one printer/scanner/copier. Required for correct operation

    AcBtnMgr_X63.ex

    Associated with the Lexmark Xxx (where "xx" is the model) all-in-one printer/scanner/copier. Required for correct operation

    WZCSLDR.exe

    Do you have some software by Alpha Networks? Is this somehow related to D-Link equipment?
    A search gave a few lines, one of which is:
    O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

    loadqm.exe <--- this is Okay, part of windows

    winlogon.exe <--- this is Okay, part of windows
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If your 1st computer is the WinXP one that you gave the HijackThis log for, you had a load of baddies in your log that probably will not be fixed just by using HijackThis. Before continuing with suggestions though, I need to know a few things.

    1) Do you use Kazaa? Because there are several baddies in your system related to the PromulGate line of advertising products from The Delfin Project. Note that the de‑installation of Delfin products may incapacitate your copy of KaZaA.

    2) Do you use Wild Tangent (related to gaming stuff)? It is known to be bad. You do not want this on your PC. But if you uninstall it and go back to sites related to this, it will install again.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    justagirl,

    Do you know what the lines with starband.net are for? Is this your ISP or is it some website you use? I did not ask you to fix those lines below because I assume it is something you know about. If that is a bad assumption then fix those lines too. I am also assuming that www.websearch.com is what you use for searching? If not fix those lines.

    Here are the things I would fix on your WinXp system. If you don't want to fix the Wild Tangent stuff because you use their junk then skip all the Wild Tangent stuff below. But first go here and just read only a small bit about Gamechannel: http://www.answersthatwork.com/Tasklist_pages/tasklist_g.htm

    If you do not play any Wild Tangent games, you should de-install anything "Wild Tangent" in the "Add/Remove Programs" in the Control Panel.

    Disable System restore: http://www.majorgeeks.com/vb/showthread.php?t=31668
    Reboot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Now in safe mode, do not run anything but HijackThis and have it fix the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8C490F78-AD23-1CCF-49F6-0873780A2359} - (no file)
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe <---- Wild Tangent Related
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [0OIfXfCO] C:\documents and settings\owner\local settings\temp\0OIfXfCO.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [AutoLoadert0o01ZSXONPM] "C:\WINDOWS\System32\rtutl30.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [t77i3tP] ctfrcl32.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe



    Did you or a system admin place the below restrictions? Or did you use SpyBot S&D or SpyBlaster to put these restrictions in place? If the answer is no for both those questions, fix the next two lines.
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    Also fix these:
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1.../v6/brix6ie.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08cfa40...ip/RdxIE601.cab
    O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://skill.skilljam.com/ssp/SSP.cab
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars...erxsigned35.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/eng/SysWebTelecomint.cab
    O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.149/code/iPIX-ImageWell-ipix.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab


    While still in safe mode, do the following:

    Delete the following if they still exist:
    C:\documents and settings\owner\local settings\temp\0OIfXfCO.exe <--- remove file
    C:\Program Files\WildTangent\ <--- WILD TanGENT - remove whole directory
    C:\Program Files\Common files\WinTools <--- remove whole directory
    C:\WINDOWS\System32\IEHost.exe <--- remove file
    C:\Program Files\Common files\updmgr <--- remove whole directory
    C:\WINDOWS\system32\pcs <--- remove whole directory
    C:\Program Files\Common Files\Dpi <--- remove whole directory
    C:\WINDOWS\System32\rtutl30.exe <--- remove file
    C:\WINDOWS\System32\dp-him.exe <--- remove file

    I'm not really sure what extpinst.exe is for. See if you can figure out what it is by right clicking on it and getting Properties and Version, manufacturer info. If you are not sure, leave it for now. But it is suspicious.
    C:\WINDOWS\System32\extpinst.exe <--- remove file
    If you decide to remove the above file, fix the next line in HijackThis too.
    O4 - HKCU\..\Run: [cwosRjj3V] extpinst.exe

    I'm also not sure what nvrsde.exe is for. See if you can figure that out too.
    O4 - HKCU\..\Run: [nvrsde] C:\WINDOWS\System32\nvrsde.exe


    Click the Start button, and select Run
    Enter these command lines one at a time and click OK:
    regsvr32 /u C:\WINDOWS\System32\mxtarget.dll
    regsvr32 /u C:\WINDOWS\System32\twaintec.dll
    regsvr32 /u C:\WINDOWS\System\mxtarget.dll
    regsvr32 /u C:\WINDOWS\System\twaintec.dll
    regsvr32 /u C:\WINDOWS\twaintec.dll


    Remove these files if present:
    C:\WINDOWS\xgn.exe
    C:\WINDOWS\System\mxtarget.dll
    C:\WINDOWS\System\twaintec.dll
    C:\WINDOWS\System32\mxtarget.dll
    C:\WINDOWS\System32\twaintec.dll
    C:\WINDOWS\twaintec.dll
    regsvr32 /u C:\WINDOWS\twaintec.dll

    Now reboot in normal mode and let's see where we are.
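
The kind of first-pass review applied to the log above can be sketched as a small parser. This is an added example, not part of the thread and not HijackThis code; the flag names and the three heuristics (BHO with no file, Run entry in a temp folder or with no path, DPF download from a bare IP) are assumptions chosen for illustration. A flag means "look at this entry", not "this is malware": legitimate entries such as `nwiz.exe` also have no path.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample input: a few lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [0OIfXfCO] C:\documents and settings\owner\local settings\temp\0OIfXfCO.exe
O4 - HKLM\..\Run: [t77i3tP] ctfrcl32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.149/code/iPIX-ImageWell-ipix.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE"
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Registry Run values: hive, value name in brackets, then the command line.
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[(.+?)\] (.+)$")


def run_target(command):
    """Return the program a Run value starts: a quoted path, or text up to the first .exe."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)(?=\s|$)', command, re.I)
    if m:
        return m.group(1) or m.group(2)
    return command.split()[0]


def triage(log):
    """Return (flag, detail) pairs for entries that deserve a manual look."""
    findings = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        if code == "O2" and body.endswith("(no file)"):
            # Browser Helper Object registered, but its DLL is gone.
            findings.append(("bho-missing-file", body))
        elif code == "O4":
            run = RUN_RE.match(body)
            if not run:
                continue  # e.g. "Global Startup" shortcuts, not handled here
            target = run_target(run.group(2))
            if "\\temp\\" in target.lower():
                findings.append(("run-from-temp", target))
            elif "\\" not in target:
                # Resolved through the search path; the log does not show where it lives.
                findings.append(("run-no-path", target))
        elif code == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            try:
                ip_address(host)  # raises ValueError for ordinary host names
                findings.append(("dpf-ip-host", url))
            except ValueError:
                pass
    return findings


if __name__ == "__main__":
    for flag, detail in triage(SAMPLE_LOG):
        print(f"{flag:18} {detail}")
```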
     
