Virtual Memory problem.

  1. 09-03-2005  #1
    BC3841
    BC3841 is offline Newbie

    Angry Virtual Memory problem.

    I have a problem with my Mesh computer which has a 2.63GHz Intel Pentium 4 Processor and 512Mb RAM. My operating system is XP Home. Every time I switch it on, the virtual memory is pulled down to 0MB if not instantly, within a matter of minutes. I can see this by means of a software programme I have purchased called 'PC Booster', which displays the virtual memory curve live.

    When I click on 'Recover Memory', the memory is temporarily increased after a while, but is immediately pulled down again. The only way I can use my computer now is in 'Safe Mode with Networking', which I am in now. I suspect either spyware or a virus/es or both. I have the free version of AVG anti-virus installed, also Zone Alarm and I have tried other anti-virus programmes also, to no avail, unless I am using them incorrectly.

    I would be very grateful if anyone could possibly help by telling me what to do in basic terms, as my computer knowledge is not up to much. I am enclosing the 'Hijack It' log file.

    Thank you very much.

    -------------------------------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 11:58:37, on 07/03/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\ZoneLabs\vsmon.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Documents and Settings\ROBERT CLARKE\My Documents\hijackthis.exe
    C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
    C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
    C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/home.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll (file missing)
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\ROBERT CLARKE\Application Data\Mozilla\Profiles\default\uis2bkud.slt\prefs.j s)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\ROBERT CLARKE\Application Data\Mozilla\Profiles\default\uis2bkud.slt\prefs.j s)
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
    O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: AtBHOObj Class - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
    O2 - BHO: tafbar - {4E7BD74F-2B8D-469E-D4FF-EB2CF4D5FA7D} - C:\WINDOWS\DOWNLO~1\taf.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\MYDOCU~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {82CE46F7-BED4-D1E4-907A-C4AC75411AF2} - C:\WINDOWS\System32\vdtarxja\cmtbeqkp.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll (file missing)
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {B0A98999-77E8-1135-D6A4-D9A3C8B05B50} - C:\WINDOWS\System32\jopxcooy\qecdrhvq.exe
    O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
    O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: ToolHelper - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\Toolbar.dll (file missing)
    O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)
    O3 - Toolbar: Mini Jeeves - {4E7D0B40-F575-4A29-9710-4675EAF4686A} - C:\WINDOWS\System32\minijvAB.dll
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll
    O3 - Toolbar: tafbar - {4E7BD74F-2B8D-469E-D4FF-EB2CF4D5FA7D} - C:\WINDOWS\DOWNLO~1\taf.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
    O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (file missing)
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Documents and Settings\ROBERT CLARKE\My Documents\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [SpeedUpMyPC] C:\My Documents\SpeedUpMyPC.exe traybar
    O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Documents and Settings\ROBERT CLARKE\My Documents\Picasa\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [UStorag] c:\my documents\ustorage.exe sys_auto_run C:\My Documents
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
    O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
    O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
    O4 - HKLM\..\Run: [yklmqsjw] C:\WINDOWS\System32\ipjrjgfx\yklmqsjw.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [qecdrhvq] C:\WINDOWS\System32\jopxcooy\qecdrhvq.exe
    O4 - HKLM\..\Run: [qwljl] C:\WINDOWS\System32\uexfemmr\qwljl.exe
    O4 - HKLM\..\Run: [impu] C:\WINDOWS\System32\svtickt\impu.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [t39Q38l] oem9dmod.exe
    O4 - HKLM\..\Run: [PCMMRealtime] C:\Program Files\PC MightyMax\pcmm.exe /R
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\System32\pupxpman.exe
    O4 - HKLM\..\Run: [Ad-Eliminator] C:\Documents and Settings\ROBERT CLARKE\My Documents\Ad-Eliminator\ad-eliminator.exe /s
    O4 - HKLM\..\Run: [Mskexe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
    O4 - HKLM\..\Run: [ixinpsa] c:\windows\system32\ixinpsa.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Ebg9YQjWK.exe] C:\documents and settings\robert clarke\local settings\temp\Ebg9YQjWK.exe
    O4 - HKLM\..\Run: [3S96A7D3BE7JJT] C:\WINDOWS\System32\CnyMt4.exe
    O4 - HKLM\..\Run: [M.exe] C:\documents and settings\robert clarke\local settings\temp\M.exe
    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\qxineho.exe
    O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\pespqii..exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
    O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
    O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
    O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
    O4 - HKLM\..\Run: [nst] C:\WINDOWS\nst.exe
    O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\ImInstaller\Inc rediMail\incredimail_install.exe -startup -product IncrediMail
    O4 - HKLM\..\Run: [AutoLoadertwqs1KYeONLO] C:\WINDOWS\System32\nppurity.exe /PC=AM.WILD /HideUninstall
    O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\dealhelper.exe
    O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.5.1.0\HbInst.exe /Upgrade
    O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\My Documents\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Twinkle Bulbs] C:\PROGRA~1\TWINKL~1\TBulbs.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
    O4 - HKCU\..\Run: [Ssri] C:\Documents and Settings\ROBERT CLARKE\Application Data\ofd?.exe
    O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - Startup: GraphicView 32.lnk = C:\Program Files\GraphicView32\GView32.exe
    O4 - Startup: Quick StartUp.lnk = C:\PENSOFT\fquick32.exe
    O4 - Startup: Uninstall GraphicView 32.lnk = C:\Program Files\GraphicView32\UNWISE.EXE
    O4 - Global Startup: GuruNet.lnk = C:\Program Files\GuruNet\GuruNet.exe
    O4 - Global Startup: Lotus Organizer EasyClip.lnk = D:\Lotus\organize\easyclip.exe
    O4 - Global Startup: Lotus QuickStart.lnk = ?
    O4 - Global Startup: Lotus SmartCenter.lnk = D:\Lotus\smartctr\SMARTCTR.EXE
    O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\SUITEST.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Postcode Anywhere Desktop.lnk = ?
    O4 - Global Startup: VoiceCentre.lnk = C:\Program Files\ViaVoice\Bin\speechbar.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (file missing)
    O9 - Extra button: DownloadLegalMusic - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\DownloadLegalMusic (file missing)
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Hijacked Internet access by New.Net
    O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net...ATPartners.cab
    O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} - http://dm.cometsystems.com/dm/dm_286.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
    O16 - DPF: {4C2C81B4-91DA-494D-8DBF-A7846BA07073} (Mini Jeeves Installer Control) - http://www.ask.co.uk/toolbar/download/MiniJv-inst.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-D4FF-EB2CF4D5FA7D} (tafbar) - http://www.tafbar.com/taf.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/laaplicacion.cab
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://encarta.msn.com/encnet/external/MSSurVid.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
    O16 - DPF: {E1BD16C0-9A29-4AC3-B85C-D65F8DFC0FBE} - http://www.jokaroo.com/jokaroo.exe
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/tri...aderSigned.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yaho...bio5_0_2_7.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Documents and Settings\ROBERT CLARKE\My Documents\Pavsrv51.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - Unknown owner - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe (file missing)
    O23 - Service: Sandra Service (SandraTheSrv) - Unknown owner - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

    --------------------------------------------------------------------------
  2. 21-03-2005  #2
    owen
    owen is offline D-A-L Team Member (UK)
    Hiya,
    Sorry about the response time. If you still require help could you post a fresh log because the infection may have morphed.
  3. 22-03-2005  #3
    BC3841
    BC3841 is offline Newbie
    Hello Owen,
    Thanks a lot for your message. Here is the latest log file, done today:
    -----------------------------------------------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 11:57:45, on 22/03/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\ROBERT CLARKE\My Documents\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\ROBERT CLARKE\My Documents\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/home.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = ;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll (file missing)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ROBERT CLARKE\Application Data\Mozilla\Profiles\default\5wfqynx4.slt\prefs.j s)
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
    O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: AtBHOObj Class - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
    O2 - BHO: tafbar - {4E7BD74F-2B8D-469E-D4FF-EB2CF4D5FA7D} - C:\WINDOWS\DOWNLO~1\taf.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\MYDOCU~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {82CE46F7-BED4-D1E4-907A-C4AC75411AF2} - C:\WINDOWS\System32\vdtarxja\cmtbeqkp.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll (file missing)
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {B0A98999-77E8-1135-D6A4-D9A3C8B05B50} - C:\WINDOWS\System32\jopxcooy\qecdrhvq.exe
    O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
    O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: ToolHelper - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\Toolbar.dll (file missing)
    O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)
    O3 - Toolbar: Mini Jeeves - {4E7D0B40-F575-4A29-9710-4675EAF4686A} - C:\WINDOWS\System32\minijvAB.dll
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll
    O3 - Toolbar: tafbar - {4E7BD74F-2B8D-469E-D4FF-EB2CF4D5FA7D} - C:\WINDOWS\DOWNLO~1\taf.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
    O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Documents and Settings\ROBERT CLARKE\My Documents\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [SpeedUpMyPC] C:\My Documents\SpeedUpMyPC.exe traybar
    O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Documents and Settings\ROBERT CLARKE\My Documents\Picasa\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [UStorag] c:\my documents\ustorage.exe sys_auto_run C:\My Documents
    O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\System32\pupxpman.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
    O4 - HKLM\..\Run: [Ad-Eliminator] C:\Documents and Settings\ROBERT CLARKE\My Documents\Ad-Eliminator\ad-eliminator.exe /s
    O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [Mskexe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
    O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
    O4 - HKLM\..\Run: [yklmqsjw] C:\WINDOWS\System32\ipjrjgfx\yklmqsjw.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [qecdrhvq] C:\WINDOWS\System32\jopxcooy\qecdrhvq.exe
    O4 - HKLM\..\Run: [qwljl] C:\WINDOWS\System32\uexfemmr\qwljl.exe
    O4 - HKLM\..\Run: [impu] C:\WINDOWS\System32\svtickt\impu.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [t39Q38l] oem9dmod.exe
    O4 - HKLM\..\Run: [PCMMRealtime] C:\Program Files\PC MightyMax\pcmm.exe /R
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.5.1.0\HbInst.exe /Upgrade
    O4 - HKLM\..\Run: [Ebg9YQjWK.exe] C:\documents and settings\robert clarke\local settings\temp\Ebg9YQjWK.exe
    O4 - HKLM\..\Run: [3S96A7D3BE7JJT] C:\WINDOWS\System32\CnyMt4.exe
    O4 - HKLM\..\Run: [M.exe] C:\documents and settings\robert clarke\local settings\temp\M.exe
    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\qxineho.exe
    O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\pespqii..exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
    O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
    O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
    O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
    O4 - HKLM\..\Run: [nst] C:\WINDOWS\nst.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\dealhelper.exe
    O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\ImInstaller\Inc rediMail\incredimail_install.exe -startup -product IncrediMail
    O4 - HKLM\..\Run: [AutoLoadertwqs1KYeONLO] C:\WINDOWS\System32\nppurity.exe /PC=AM.WILD /HideUninstall
    O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
    O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\My Documents\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Twinkle Bulbs] C:\PROGRA~1\TWINKL~1\TBulbs.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
    O4 - HKCU\..\Run: [Ssri] C:\Documents and Settings\ROBERT CLARKE\Application Data\ofd?.exe
    O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
    O4 - Startup: GraphicView 32.lnk = C:\Program Files\GraphicView32\GView32.exe
    O4 - Startup: Quick StartUp.lnk = C:\PENSOFT\fquick32.exe
    O4 - Startup: Uninstall GraphicView 32.lnk = C:\Program Files\GraphicView32\UNWISE.EXE
    O4 - Global Startup: GuruNet.lnk = C:\Program Files\GuruNet\GuruNet.exe
    O4 - Global Startup: Lotus Organizer EasyClip.lnk = D:\Lotus\organize\easyclip.exe
    O4 - Global Startup: Lotus QuickStart.lnk = ?
    O4 - Global Startup: Lotus SmartCenter.lnk = D:\Lotus\smartctr\SMARTCTR.EXE
    O4 - Global Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\SUITEST.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Postcode Anywhere Desktop.lnk = ?
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O4 - Global Startup: VoiceCentre.lnk = C:\Program Files\ViaVoice\Bin\speechbar.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (file missing)
    O9 - Extra button: DownloadLegalMusic - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\DownloadLegalMusic (file missing)
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Hijacked Internet access by New.Net
    O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net...ATPartners.cab
    O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} - http://dm.cometsystems.com/dm/dm_286.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
    O16 - DPF: {4C2C81B4-91DA-494D-8DBF-A7846BA07073} (Mini Jeeves Installer Control) - http://www.ask.co.uk/toolbar/download/MiniJv-inst.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-D4FF-EB2CF4D5FA7D} (tafbar) - http://www.tafbar.com/taf.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/laaplicacion.cab
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://encarta.msn.com/encnet/external/MSSurVid.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
    O16 - DPF: {E1BD16C0-9A29-4AC3-B85C-D65F8DFC0FBE} - http://www.jokaroo.com/jokaroo.exe
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/tri...aderSigned.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yaho...bio5_0_2_7.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Documents and Settings\ROBERT CLARKE\My Documents\Pavsrv51.exe
    O23 - Service: qwljluexfemmr - Unknown owner - C:\WINDOWS\System32\uexfemmr\qwljl.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - Unknown owner - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe (file missing)
    O23 - Service: Sandra Service (SandraTheSrv) - Unknown owner - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
    ---------------------------------------------------------------------------------
    Thanks very much,

    Regards,

    BC3841.
  4. 23-03-2005  #4
    owen
    owen is offline D-A-L Team Member (UK)
    Save 20% on AVG Internet Security 2012 Suite!
    Download PeperFix from http://downloads.subratam.org/PeperFix.exe. Leave it now we'll use it later.

    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll (file missing)
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
    O2 - BHO: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: tafbar - {4E7BD74F-2B8D-469E-D4FF-EB2CF4D5FA7D} - C:\WINDOWS\DOWNLO~1\taf.dll
    O2 - BHO: (no name) - {82CE46F7-BED4-D1E4-907A-C4AC75411AF2} - C:\WINDOWS\System32\vdtarxja\cmtbeqkp.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\Program Files\Toolbar\toolbar.dll (file missing)
    O2 - BHO: (no name) - {B0A98999-77E8-1135-D6A4-D9A3C8B05B50} - C:\WINDOWS\System32\jopxcooy\qecdrhvq.exe
    O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll
    O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: ToolHelper - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\Toolbar.dll (file missing)
    O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll
    O3 - Toolbar: tafbar - {4E7BD74F-2B8D-469E-D4FF-EB2CF4D5FA7D} - C:\WINDOWS\DOWNLO~1\taf.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
    O3 - Toolbar: Searchfst Class - {000277A3-7D84-406a-9799-D12A81594693} - C:\WINDOWS\srchfst.dll
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O3 - Toolbar: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (file missing)
    O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\System32\pupxpman.exe
    O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.5.1.0\WeatherOnTray.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
    O4 - HKLM\..\Run: [yklmqsjw] C:\WINDOWS\System32\ipjrjgfx\yklmqsjw.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [qecdrhvq] C:\WINDOWS\System32\jopxcooy\qecdrhvq.exe
    O4 - HKLM\..\Run: [qwljl] C:\WINDOWS\System32\uexfemmr\qwljl.exe
    O4 - HKLM\..\Run: [impu] C:\WINDOWS\System32\svtickt\impu.exe
    O4 - HKLM\..\Run: [t39Q38l] oem9dmod.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.5.1.0\HbInst.exe /Upgrade
    O4 - HKLM\..\Run: [Ebg9YQjWK.exe] C:\documents and settings\robert clarke\local settings\temp\Ebg9YQjWK.exe
    O4 - HKLM\..\Run: [3S96A7D3BE7JJT] C:\WINDOWS\System32\CnyMt4.exe
    O4 - HKLM\..\Run: [M.exe] C:\documents and settings\robert clarke\local settings\temp\M.exe
    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\qxineho.exe
    O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\pespqii..exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
    O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
    O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
    O4 - HKLM\..\Run: [saie] c:\windows\system32\saie.exe
    O4 - HKLM\..\Run: [nst] C:\WINDOWS\nst.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\dealhelper.exe
    O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\ImInstaller\Inc rediMail\incredimail_install.exe -startup -product IncrediMail
    O4 - HKLM\..\Run: [AutoLoadertwqs1KYeONLO] C:\WINDOWS\System32\nppurity.exe /PC=AM.WILD /HideUninstall
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
    O4 - HKCU\..\Run: [Ssri] C:\Documents and Settings\ROBERT CLARKE\Application Data\ofd?.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: Advanced Searchbar - {43F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\Toolbar.dll (file missing)
    O9 - Extra button: DownloadLegalMusic - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\DownloadLegalMusic (file missing)
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.ne.../ATPartners.cab
    O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} - http://dm.cometsystems.com/dm/dm_286.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
    O16 - DPF: {4C2C81B4-91DA-494D-8DBF-A7846BA07073} (Mini Jeeves Installer Control) - http://www.ask.co.uk/toolbar/download/MiniJv-inst.cab
    O16 - DPF: {4E7BD74F-2B8D-469E-D4FF-EB2CF4D5FA7D} (tafbar) - http://www.tafbar.com/taf.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/laaplicacion.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
    O16 - DPF: {E1BD16C0-9A29-4AC3-B85C-D65F8DFC0FBE} - http://www.jokaroo.com/jokaroo.exe
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O23 - Service: qwljluexfemmr - Unknown owner - C:\WINDOWS\System32\uexfemmr\qwljl.exe
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

    Click Fix Checked

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Run PeperFix.exe and let it remove your Peper Trojan infection.

    Go to C:\documents and settings\robert clarke\local settings\temp and once in the folder click Edit> Select All. Then hit the delete key to get rid of the entire contents of the folder. Leave the folder itself intact though.


    Go to the Control Panel and double click Add/Remove programs. Uninstall:
    New.net Domains
    New.net Application
    WinTools
    Spyware Stormer
    Hotbar
    TV Media

    Delete the following files and folders:
    C:\Program Files\Toolbar
    C:\WINDOWS\BTGrab.dll
    C:\WINDOWS\srchfst.dll
    C:\Program Files\CxtPls
    C:\WINDOWS\DOWNLO~1\taf.dll
    C:\WINDOWS\System32\vdtarxja
    C:\PROGRA~1\COMMON~1\WinTools
    C:\WINDOWS\System32\jopxcooy
    C:\Program Files\Hotbar
    C:\Program Files\SEP
    C:\PROGRA~1\ADVANC~1
    C:\WINDOWS\System32\pupxpman.exe
    C:\Program Files\Spyware Stormer
    C:\WINDOWS\System32\ipjrjgfx
    C:\Program Files\Web_Rebates
    C:\WINDOWS\System32\jopxcooy
    C:\WINDOWS\System32\uexfemmr
    C:\WINDOWS\System32\svtickt
    oem9dmod.exe
    C:\WINDOWS\qxineho.exe
    C:\WINDOWS\pespqii..exe
    C:\Program Files\TV Media
    C:\WINDOWS\srchupdt.exe
    C:\WINDOWS\DHUpdt.exe
    C:\WINDOWS\dhbrwsr.exe
    c:\windows\system32\saie.exe
    C:\WINDOWS\nst.exe
    C:\WINDOWS\System32\dealhelper.exeC:\WINDOWS\System32\nppurity.exe
    C:\PROGRA~1\CLOCKS~1
    C:\PROGRA~1\COMMON~1\tsa
    C:\Documents and Settings\ROBERT CLARKE\Application Data\ofd?.exe
    C:\WINDOWS\System32\DownloadLegalMusic

    Reboot and post a fresh log
+ Reply to Thread
« Hijack this Log | Forum Rules »