DrPMon.dll, etc.
-
Re: DrPMon.dll, etc.
Hi, varygoode
Please update the version of HijackThis you are using to this one here, run a new scan and show me the logfile. By the way, nice work.
http://www.isecurity.org.uk/downloads/hijackthis.exe
HGD
-
Thank you! Here's the new log with the new version:
Logfile of HijackThis v1.99.1
Scan saved at 1:07:31 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.exe
D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
c:\windows\system32\gmehudi.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\winlogon.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BD4402D7-2927-5418-38E1-2412D8C37E46} - (no file)
O2 - BHO: (no name) - {FCBB4C32-00A6-D9E4-7787-1A00E8BD7778} - C:\WINDOWS\CDM\axvkedqato.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\PROGRA~1\STARDOCK\WINCUS~1\BOOTSKIN\BOOTSKIN.EXE" /StartupJobs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [yenqxo] c:\windows\system32\eqvxss.exe r
O4 - HKLM\..\Run: [fglcqp] c:\windows\system32\gmehudi.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKCU\..\RunServices: [Windows Services Hosts] svhosts.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do.../bridge-c9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...t/wuweb_site.cab?1093055846938
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...usecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by99fd.bay99.hotmail.msn.com/...x/HMAtchmt.ocx
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - D:\Program Files\Ahead\InCD\InCDsrv.exe (file missing)
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
-
Hi, varygoode
OK, let's try this here first.
Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.
Make sure you can view hidden and system files: Instructions here
Press Control-Alt-Delete to get into the Task Manager and end the following processes if they exist:
wupdt.exe
eqvxss.exe
gmehudi.exe
svhosts.exe <-- this one, not this one --> C:\WINDOWS\System32\svchost.exe
If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {BD4402D7-2927-5418-38E1-2412D8C37E46} - (no file)
O2 - BHO: (no name) - {FCBB4C32-00A6-D9E4-7787-1A00E8BD7778} - C:\WINDOWS\CDM\axvkedqato.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [yenqxo] c:\windows\system32\eqvxss.exe
O4 - HKLM\..\Run: [fglcqp] c:\windows\system32\gmehudi.exe
O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKCU\..\RunServices: [Windows Services Hosts] svhosts.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D...e/bridge-c9.cab
Then close out of HijackThis and do this here:
Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
Once in Safe Mode, please run Killbox.
Select "Delete on Reboot".
Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\CDM\axvkedqato.dll
C:\WINDOWS\wupdt.exe
c:\windows\system32\eqvxss.exe
c:\windows\system32\gmehudi.exe
svhosts.exe <-- this one here, not this one --> C:\WINDOWS\System32\svchost.exe
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
Then tell us how it is and post a new logfile.
HGD
-
Things seem to be operating smoothly... haven't gotten an Aurora pop-up yet... but I dunno, I might.
Logfile of HijackThis v1.99.1
Scan saved at 10:09:11 AM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
c:\windows\system32\tihfuc.exe
D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\PROGRA~1\STARDOCK\WINCUS~1\BOOTSKIN\BOOTSKIN.EXE" /StartupJobs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iappadi] c:\windows\system32\tihfuc.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093055846938
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by99fd.bay99.hotmail.msn.com/...x/HMAtchmt.ocx
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - D:\Program Files\Ahead\InCD\InCDsrv.exe (file missing)
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
-
Hey, varygoode
OK, this is big-time odd; you should be seeing popups all over the place.
Let's try this once more.
Press Control-Alt-Delete to get into the Task Manager and end the following processes if they exist:
tihfuc.exe
If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O4 - HKLM\..\Run: [iappadi] c:\windows\system32\tihfuc.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
Make sure you can view hidden and system files: Instructions here
Then Boot to safe mode: Instructions here
Delete the following files\folders IF still present:
C:\WINDOWS\systb.dll <--- this file
c:\windows\system32\tihfuc.exe <--- this file
Then do this here again:
Click Start -> Settings -> Control Panel -> Internet Options -> Programs tab -> Reset Web Settings.
That will change everything back to the defaults (M$)......
Change your homepage and search engines to whatever you wish and restart your PC.
When it boots back up, open IE and see if the page stays the way that you set it.
also do this here
Clean out temporary files:
* Start | Run | type cleanmgr | OK
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Click "OK" to remove them.
* Click "Yes" to confirm the deletion.
Once you are done with that, show me a new logfile and give me
any info you think I need to know.
HGD
-
Sorry about taking so long there, I've been pretty busy lately with work and getting ready for PennState, but I finally did that stuff. Some notes of interest, though. That tihfuc.exe file, as well as systb.dll were not there. Also, I rarely use IE, but my siblings and parents use it. My default browser is Mozilla Firefox. Dunno if that matters, but, hey, you asked.
Logfile of HijackThis v1.99.1
Scan saved at 2:30:38 PM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.exe
c:\windows\system32\reclgw.exe
D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\PROGRA~1\STARDOCK\WINCUS~1\BOOTSKIN\BOOTSKIN.EXE" /StartupJobs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [dtefiwt] c:\windows\system32\reclgw.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093055846938
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.36/ttinst.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by99fd.bay99.hotmail.msn.com/...x/HMAtchmt.ocx
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - D:\Program Files\Ahead\InCD\InCDsrv.exe (file missing)
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
Next step?
-
Hey, varygoode
OK, not sure if I had you do this yet; if so, just do it again.
Download Ewido, install it, then from within the program check for updates, BUT don't scan yet.
ewido security suite: http://fileforum.betanews.com/detail/ewido...te/1098736486/1
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"), Now close the program.
Do NOT run a scan yet.
Notes: If you already have the program, please make sure it's version 3.5 that you have, and that it is updated.
If the program just exits before it finishes, start it again and set it up to do a custom scan:
Start the program, click the Scan button over to the left, click Custom Scan, click Add drive/directory/file
and add c:\documents and settings\
add c:\windows\
add c:\windows\system32\ also, then click Start Scan, and have it remove everything found.
Please download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.exe
Unzip it to the desktop but please do NOT run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml
Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Then please run Ewido, and run a full scan. Save the logfile from the scan.
Next please run HijackThis, click Scan, and check:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Close all open windows except for HijackThis and click Fix Checked.
Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
HGD
Last edited by HJThis; 17-07-2005 at 07:24 PM.
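The triage HGD applies in the three fix lists above (after the 7/7 log, after the 7/8 log, and the Nailfix post just above) comes down to a handful of checks on HijackThis entries: a running process whose name imitates a Windows binary (svhosts.exe versus svchost.exe), a second copy of a process that should run once, IE search and start-page settings pointing at an unfamiliar host, an F2 Shell= value with an extra program after Explorer.exe, O2/O3 CLSIDs whose file is gone, O4 Run values with random-looking names, bare filenames or binaries dropped in the Windows root, and O23 services with no vendor name whose binary is missing or sits in the Windows root. The script below is an added example written for this page, not code from the thread, HijackThis or ewido; it codifies those checks and runs them over a constructed sample made of entries copied from the logs in this thread. The trusted-host allowlist, the singleton-process set and the 0.85 similarity threshold are assumptions of the example.

```python
"""Triage a HijackThis-style log the way the fix lists in this thread do (added example)."""
import difflib
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the logs in this thread, one entry per line.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\gmehudi.exe
C:\WINDOWS\System32\winlogon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FCBB4C32-00A6-D9E4-7787-1A00E8BD7778} - C:\WINDOWS\CDM\axvkedqato.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [fglcqp] c:\windows\system32\gmehudi.exe r
O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
"""

# Names malware likes to imitate; an exact match is fine, a near miss is not.
LOOKALIKE_TARGETS = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                     "winlogon.exe", "services.exe", "explorer.exe"}
# Heuristic: one copy expected on a single-session XP box (fast user switching adds more).
SINGLETON_PROCESSES = {"smss.exe", "winlogon.exe", "lsass.exe", "services.exe"}
# Assumption of this example: hosts accepted as search/start-page defaults.
TRUSTED_SEARCH_HOSTS = {"www.msn.com", "www.microsoft.com", "www.google.com"}

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
O4_ENTRY = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
PATH_HEAD = re.compile(r'^"?(.*?\.exe)', re.I)            # first executable in a command line
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
RANDOM_NAME = re.compile(r"^[a-z]{5,}$")                   # yenqxo, fglcqp, iappadi, dtefiwt
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def lookalike_of(basename):
    """System binary this name imitates (svhosts.exe -> svchost.exe), or None."""
    name = basename.lower()
    if name in LOOKALIKE_TARGETS:
        return None
    for target in sorted(LOOKALIKE_TARGETS):
        if difflib.SequenceMatcher(None, name, target).ratio() >= 0.85:  # assumed threshold
            return target
    return None


def triage(log_text):
    """Return (category, detail, entry) tuples for entries a helper would tell the user to fix."""
    findings, seen, in_processes = [], {}, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        entry = ENTRY.match(line)
        if entry:
            in_processes = False
        if in_processes:
            name = line.rsplit("\\", 1)[-1].lower()
            seen[name] = seen.get(name, 0) + 1
            if name in SINGLETON_PROCESSES and seen[name] == 2:
                findings.append(("process", f"second copy of {name} running", line))
            target = lookalike_of(name)
            if target:
                findings.append(("process", f"{name} imitates {target}", line))
            continue
        if not entry:
            continue
        kind, body = entry.groups()
        if kind in ("R0", "R1"):
            value = body.partition(" =")[2].strip()
            if value and not value.startswith("about:"):
                host = urlparse(value if "://" in value else "http://" + value).hostname
                if host and host.lower() not in TRUSTED_SEARCH_HOSTS:
                    findings.append(("ie-hijack", f"search/start setting points at {host}", line))
        elif kind == "F2" and "Shell=" in body:
            extras = [t for t in body.split("Shell=", 1)[1].split() if t.lower() != "explorer.exe"]
            if extras:
                findings.append(("shell", "extra shell program(s): " + " ".join(extras), line))
        elif kind in ("O2", "O3") and ("(no file)" in body or "(file missing)" in body):
            clsid = CLSID.search(body)
            findings.append(("orphan-clsid", f"{clsid.group(0) if clsid else '?'} registered, file gone", line))
        elif kind == "O4":
            run = O4_ENTRY.match(body)
            if not run:          # Global Startup .lnk entries are not Run values
                continue
            name, command = run.group(3), run.group(4).strip()
            head = PATH_HEAD.match(command)
            exe_path = head.group(1) if head else command.split()[0]
            basename = exe_path.rsplit("\\", 1)[-1]
            if RANDOM_NAME.match(name):
                findings.append(("autorun", f"random-looking value name [{name}]", line))
            if "\\" not in exe_path:
                findings.append(("autorun", f"bare filename {basename}, resolved via the search path", line))
            if WINDOWS_ROOT_EXE.match(exe_path):
                findings.append(("autorun", f"{basename} lives in the Windows root, not system32", line))
            target = lookalike_of(basename)
            if target:
                findings.append(("autorun", f"{basename} imitates {target}", line))
        elif kind == "O23" and "Unknown owner" in body:
            path = body.rsplit(" - ", 1)[-1]
            missing = path.endswith("(file missing)")
            path = path.replace(" (file missing)", "")
            if missing or WINDOWS_ROOT_EXE.match(path):
                why = "binary missing" if missing else "binary in the Windows root"
                findings.append(("service", f"service with no vendor name, {why}", line))
    return findings


if __name__ == "__main__":
    for category, detail, entry in triage(SAMPLE_LOG):
        print(f"{category:12} {detail}\n             {entry}")
```

Everything it reports is a candidate for review, not a verdict: HijackThis lists legitimate entries in the same sections (NeroCheck.exe, the Brother service, the Acrobat BHO), which is why the fix lists in this thread are hand-picked rather than "fix everything". The lookalike test uses a similarity ratio rather than a single-character edit because svhosts.exe is two edits away from svchost.exe and would slip past a stricter rule.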
-
I've done as asked.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 6:03:22 PM, 7/17/2005
+ Report-Checksum: CC724D51
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned without backup
HKU\S-1-5-21-57989841-854245398-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned without backup
C:\WINDOWS\system32\lnsyvfd.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107475.sys -> Trojan.Rootkit.k : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107476.dll -> Adware.eZula : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107477.dll -> Spyware.Coupon : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107478.exe -> TrojanDownloader.VB.em : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107479.exe -> TrojanDownloader.VB.em : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107480.dll -> Spyware.Coreak : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107481.dll -> Adware.SAHA : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107482.exe -> Spyware.DealHelper : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107483.exe -> TrojanDownloader.VB.em : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107484.dll -> TrojanDownloader.Small.amg : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107485.exe -> Trojan.Popmon.a : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107486.dll -> Spyware.DealHelper : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107487.dll -> Spyware.VirtualBouncer : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107488.exe -> TrojanDownloader.VB.em : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107489.exe -> TrojanDownloader.VB.em : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107490.exe -> Trojan.Imiserv.c : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107491.exe -> Spyware.MediaMotor : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107492.exe -> TrojanDownloader.Intexp.c : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107493.dll -> Spyware.NoName : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107494.exe -> Spyware.NewDotNet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107495.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107497.exe -> Backdoor.Agent.jn : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107498.exe -> TrojanDownloader.IstBar.is : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107499.exe -> Spyware.WinAD : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107501.exe -> Spyware.NoName : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107502.dll -> Spyware.SmartPops : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107503.exe -> Spyware.SmartPops : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107504.exe -> Trojan.Imiserv.c : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107505.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107506.exe -> Spyware.Delfin : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107507.exe -> TrojanDownloader.TSUpdate.j : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107508.exe -> TrojanDownloader.TSUpdate.l : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107509.exe -> Spyware.Xupiter : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107510.dll -> Spyware.Wheaterbug : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107511.exe -> Spyware.WinAD : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107512.exe -> Backdoor.Agent.jn : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107513.exe -> Trojan.Crypt.d : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107514.exe -> TrojanProxy.Agent.fb : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107515.exe -> TrojanProxy.Fireby.c : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107516.exe -> TrojanDownloader.Apropo.ab : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107523.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107530.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107531.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP445\A0107580.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP446\A0107583.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP446\A0107586.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP446\A0107591.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP446\A0107592.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP446\A0107593.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP446\A0107601.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP446\A0107621.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP447\A0107637.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP448\A0107672.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP448\A0107673.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP449\A0107695.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP450\A0107713.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP450\A0107714.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP450\A0107719.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP450\A0107721.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP451\A0107725.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP451\A0107729.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP451\A0107732.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP452\A0107737.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP452\A0107738.EXE -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP452\A0108601.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP452\A0108602.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP452\A0108603.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP452\A0108604.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP452\A0108614.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP452\A0110601.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP452\A0110602.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP453\A0111601.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP453\A0111602.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP453\A0111603.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP454\A0111613.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP454\A0111628.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP454\A0111635.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP454\A0111684.dll -> Spyware.ImiBar : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP454\A0111685.exe -> TrojanDownloader.Intexp.c : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP454\A0111690.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP454\A0111692.EXE -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP454\A0111693.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP454\A0111694.dll -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP455\A0111709.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP455\A0111710.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP455\A0111718.dll -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP455\A0111719.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP455\A0111720.exe -> Trojan.Imiserv.c : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP455\A0111721.dll -> Spyware.ImiBar : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP455\A0111722.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP455\A0111723.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP455\A0112633.exe -> Adware.BetterInternet : Cleaned without backup
C:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP455\A0112634.exe -> Adware.BetterInternet : Cleaned without backup
F:\System Volume Information\_restore{8ABB6BDC-D5BD-4BBC-8FF4-A6E24F0B3D18}\RP444\A0107517.exe -> Heuristic.Win32.Hijacker1 : Cleaned without backup
::Report End
Bah! The two reports together are too big by 618 characters... Check next post!
-
Logfile of HijackThis v1.99.1
Scan saved at 6:07:54 PM, on 7/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\bgjmgcn.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\PROGRA~1\STARDOCK\WINCUS~1\BOOTSKIN\BOOTSKIN.EXE" /StartupJobs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [zzweujk] c:\windows\system32\bgjmgcn.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093055846938
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.36/ttinst.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by99fd.bay99.hotmail.msn.com/...x/HMAtchmt.ocx
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - D:\Program Files\Ahead\InCD\InCDsrv.exe (file missing)
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
-

Hey, varygoode
Nice work, now get this out of the way.
Make sure you can view hidden and system files: Instructions here
Then Boot to safe mode: Instructions here
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [zzweujk] c:\windows\system32\bgjmgcn.exe
Delete the following files\folders IF still present:
C:\WINDOWS\wupdt.exe<---This file
c:\windows\system32\bgjmgcn.exe<---This file
Then close out of HijackThis & do this here
click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS
That will change everything back to defaults (M$)......
Change your homepage and search engines to whatever you wish and reset your pc.
When it boots back up, open IE and see if the page stays the way that you set it.
Also get this done
Make your Internet Explorer more secure - This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
    1. Change the Download signed ActiveX controls to Prompt
    2. Change the Download unsigned ActiveX controls to Disable
    3. Change the Initialize and script ActiveX controls not marked as safe to Disable
    4. Change the Installation of desktop items to Prompt
    5. Change the Launching programs and files in an IFRAME to Prompt
    6. Change the Navigate sub-frames across different domains to Prompt
    7. When all these settings have been made, click on the OK button.
    8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.
& for the logfile you showed me, do this here
To turn off Windows XP System Restore
1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore" or "Turn off System Restore on all drives"
Click Apply.
Click Yes to do this.
Click OK.
Then Restart your computer.
To turn on Windows XP System Restore
After you have restarted, turn System Restore back on
1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
5. Click Apply, and then click OK.
NOTE
Please create a new restore point once you have System Restore back on.
To create a new System Restore Point, click Start -> All Programs -> Accessories -> System Tools -> System Restore.
When the System Restore Utility opens, click "Create a Restore Point" then click Next.
Enter a name for this Restore Point, and click Create.
HGD
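As an added example, not code from this thread and not part of HijackThis: a small Python triage script that reads lines in the HijackThis v1.99.1 format posted above and flags the kinds of entries that ended up on the "Fix checked" list, with a stated reason for each: R0/R1 settings pointing at websearch.drsnsrch.com, O2/O3 registrations whose file is gone, O4 autoruns under the Windows directory that are not on a known list, and O23 services whose file is missing. The sample log is a constructed excerpt of the log above; the hijacker host set and the known-autorun allowlist are assumptions made for the example, and every flag is a review item for a person to confirm, not a verdict.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Constructed excerpt of the log posted in the thread (paths and CLSIDs copied from it).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [zzweujk] c:\windows\system32\bgjmgcn.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# Assumed lists for the example: the hijacker host seen in this log, and the autorun
# executables under the Windows directory that are expected on this particular machine.
HIJACK_HOSTS = {"websearch.drsnsrch.com"}
KNOWN_WINDIR_AUTORUNS = {"ctfmon.exe", "nerocheck.exe"}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Registry Run entries only: "HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    line: str      # the full log line
    reason: str    # why it was flagged for review


def _exe_path(cmd: str) -> str:
    """Return the executable path at the start of a Run command line (quotes stripped)."""
    m = re.match(r'"?(?P<path>[^"]+?\.exe)"?', cmd, re.IGNORECASE)
    return m.group("path") if m else ""


def _host_of(value: str) -> str:
    """Hostname of an R0/R1 value; HijackThis sometimes prints them without a scheme."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def triage(log_text: str) -> List[Finding]:
    """Flag log lines that a helper would normally ask the poster to fix or verify."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and " = " in body:
            _, value = body.split(" = ", 1)
            if _host_of(value) in HIJACK_HOSTS:
                findings.append(Finding(sec, line, "IE search/start setting points at a known hijacker host"))
        elif sec in ("O2", "O3") and "(no file)" in body:
            findings.append(Finding(sec, line, "BHO/toolbar registration whose file is gone (orphaned entry)"))
        elif sec == "O4":
            m4 = O4_RE.match(body)
            if not m4:
                continue
            low = _exe_path(m4.group("cmd")).lower()
            base = low.rsplit("\\", 1)[-1]
            if WINDIR_RE.match(low) and base not in KNOWN_WINDIR_AUTORUNS:
                findings.append(Finding(sec, line, f"autorun under the Windows directory not on the known list: {base}"))
        elif sec == "O23" and "(file missing)" in body:
            findings.append(Finding(sec, line, "service registered for a file that no longer exists; verify before fixing"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it prints six review items: the two drsnsrch.com search settings, the orphaned O3 toolbar, wupdt.exe and bgjmgcn.exe, and the wkssvc.exe service. The allowlist is the weak point of the O4 rule: on a real machine it has to be built from what is actually installed there, which is exactly the judgement a helper applies by hand when reading the log.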