Sponsored By

Dankwsc

Been Hijacked-please Help

Recommended Posts

Before computer froze, I noticed that my homepage would default to a Winn/32 file and then I got large text on my desktop saying that my computer may be infected...Now my computer freezes when I reboot and it even freezes in safe mode when I went to run a "Hijack This Log". How do I run a log if I cannot do anything in safe mode...Please help!! thanks in advance!

Share this post


Link to post
Share on other sites

Fortunately I was able to get a Logfile: Please Help

gfile of HijackThis v1.99.1

Scan saved at 7:43:37 AM, on 9/28/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\csvun.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\DOCUMENTS AND SETTINGS\SHANE DANKWORTH\DESKTOP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\system32\msblank.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SHANED~1\LOCALS~1\Temp\se.dll/spage.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {6CFE85D3-C654-2F79-FA77-6D16801545BB} - C:\WINNT\system32\Z59JFLk0.dll

O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\dkslz.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [RunDLL] C:\WINNT\system32\rund11.exe

O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe

O4 - HKLM\..\Run: [icasServ] C:\WINNT\system32\icasServ.exe

O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\popcorn72.exe rundll.dll,LoadMouseProfile

O4 - HKLM\..\Run: [dmehk.exe] C:\WINNT\system32\dmehk.exe

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h

O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [aupd] C:\WINNT\system32\sysvcs.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{F62805F4-8FB3-45C1-A275-87EBD4C1E533}: NameServer = 85.255.113.123,85.255.112.14

O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O21 - SSODL: qCmQLSyh - {6CFE85CD-C654-2F67-40F3-5C2A801545B8} - C:\WINNT\system32\mmrd.dll

O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\system32\dcom_9.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Share this post


Link to post
Share on other sites

Hi,

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.

Download CWShredder Here.

Download SpSeHjfix Here.

Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster

  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster

Update CWShredder

  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:

  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again

Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

dk

Share this post


Link to post
Share on other sites

dknoppix,

-Thanks for the instructions...Unfortunately I cannot seem to run any of the programs that you had me download except for CWShredder. Even when I'm working in safe mode my computer freezes and I cannot complete your instructions...Very frustrated...Please advise...Thanks!

Share this post


Link to post
Share on other sites

Hi,

Lets see if you can get into Safe Mode again.

When in there, press Ctrl-Alt-Delete to get into the task manager. Click the processes tab. Find the following process, click it, and select "End Process":

csvun.exe

Now, open Hijackthis, click the scan button, and check the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\system32\msblank.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SHANED~1\LOCALS~1\Temp\se.dll/spage.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O2 - BHO: (no name) - {6CFE85D3-C654-2F79-FA77-6D16801545BB} - C:\WINNT\system32\Z59JFLk0.dll

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\dkslz.dll

O4 - HKLM\..\Run: [RunDLL] C:\WINNT\system32\rund11.exe

O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe

O4 - HKLM\..\Run: [icasServ] C:\WINNT\system32\icasServ.exe

O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\popcorn72.exe rundll.dll,LoadMouseProfile

O4 - HKLM\..\Run: [dmehk.exe] C:\WINNT\system32\dmehk.exe

O4 - HKCU\..\Run: [aupd] C:\WINNT\system32\sysvcs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{F62805F4-8FB3-45C1-A275-87EBD4C1E533}: NameServer = 85.255.113.123,85.255.112.14

O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O21 - SSODL: qCmQLSyh - {6CFE85CD-C654-2F67-40F3-5C2A801545B8} - C:\WINNT\system32\mmrd.dll

O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\system32\dcom_9.dll

Close all windows except HijackThis, and click the Fix Checked button.

Locate the following files and delete them:

C:\WINNT\system32\rund11.exe

C:\WINNT\system32\perfcl.exe

C:\WINNT\system32\icasServ.exe

C:\WINNT\system32\popcorn72.exe

C:\WINNT\system32\dmehk.exe

C:\WINNT\system32\sysvcs.exe

C:\WINNT\system32\mmrd.dll

C:\WINNT\system32\dcom_9.dll

Now, please RIGHT-CLICK HERE to download Silent Runner's.

  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO

    [*]You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)

    [*]Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here in your next post.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Finally, Run HijackThis and post a new log, as well as your SilentRunners log.

dk

Share this post


Link to post
Share on other sites

dknoppix,

Thanks...will do! Won't be able to post the results until tonight or tommorow as I have to download all programs from another computer till we can get the safe mode fixed. Thanks for your patience!

Share this post


Link to post
Share on other sites

dknoppix,

-tried to delete "csvun.exe" in task manager as you instructed...unfortunately, it said:

process could not be completed...access denied...

nothing seems to be working...please advise...thanks!

Share this post


Link to post
Share on other sites

Ok, lets try it this way.

Boot into Safe Mode, and click Start --> Run. Type "cmd" and press enter.

In the command prompt, type: taskkill /f csvun.exe

Now locate "C:\WINNT\system32\csvun.exe and rename it csvun.old.

Now do the instructions in the fix in my previous post.

Good luck,

dk

Share this post


Link to post
Share on other sites

dknoppix,

did as you instructed, however, when I clicked start and typed "cmd" into the run type it froze...I then tried to enter your instructions in the "cmd" through "safe mode with command prompts"...it then said that "taskkill" is not recognized as an internal or external command, operable program or batch file...are there any other ways to access it? :(

Share this post


Link to post
Share on other sites

Ok...lets try this:

Download http://www.atribune.org/downloads/csvun.zip, and unzip it to your desktop using Winzip or a simliar program (If you don't have winzip, just unzip them on another computer, and just copy the files over)

After you have unziped them, run csvun.bat.

Now, please RIGHT-CLICK HERE to download Silent Runner's.

  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO

    [*]You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)

    [*]Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here in your next post.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

dk

Share this post


Link to post
Share on other sites

Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/

Operating System: Windows 2000

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"AIM" = "C:\PROGRA~1\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

"ares" = ""C:\Program Files\Ares Lite Edition\Ares.exe" -h" [file not found]

"NCLaunch" = "C:\WINNT\NCLAUNCH.EXe" ["Northcode Inc."]

"ctfmon.exe" = "ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Synchronization Manager" = "mobsync.exe /logon" [MS]

"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

"BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" ["BroadJump, Inc."]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]

"PerformCl" = "C:\WINNT\system32\perfcl.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

-> {CLSID}\InProcS

erver32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"

-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{D3796116-94D3-4009-96D7-51578411CC7D}" = "Outpost Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll" [file not found]

"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

INFECTION WARNING! "{6AC3806F-8B39-4746-9C38-6B01CB7331FF}" = "Memory monitor"

-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\q20924938_disk.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

INFECTION WARNING! "System" = "csvun.exe" [file not found]

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

Active Desktop and Wallpaper:

-----------------------------

Active Desktop is enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINNT\Firefox Wallpaper.bmp"

Enabled Screen Saver:

---------------------

HKCU\Control Panel\Desktop\

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\

"SCRNSAVE.EXE" = "C:\WINNT\system32\ss3dfo.scr" [MS]

Startup items in "Shane Dankworth" & "All Users" startup folders:

-----------------------------------------------------------------

C:\Documents and Settings\Shane Dankworth\Start Menu\Programs\Startup

"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]

Winsock2 Service Provider DLLs:

-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\dkslz.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{40D41A8B-D79B-43D7-99A7-9EE0F344C385}" = "AIM Search" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\AIMBar.dll" [file not found]

"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\dkslz.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = "AOL Toolbar" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" [file not found]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\

{AF6CABAB-61F9-4F12-A198-B7D41EF1CB52}\

"ButtonText" = "WeatherBug"

"CLSIDExtension" = "{AF6CABAB-61F9-4f12-A198-B7D41EF1CB52}"

"Exec" = "C:\Program Files\AWS\WeatherBug\Weather.exe" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\

"ButtonText" = "AIM"

"Exec" = "C:\PROGRA~1\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

"ButtonText" = "Real.com"

Miscellaneous IE Hijack Points

------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):

[strings]: START_PAGE_URL=http://www.aol.com

Missing lines (compared with English-language version):

[strings]: 1 line

All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):

---------------------------------------------------------------------------

Adobe LM Service, Adobe LM Service, ""C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"" [null data]

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]

Logical Disk Manager Administrative Service, dmadmin, "C:\WINNT\System32\dmadmin.exe /com" ["VERITAS Software Corp."]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

Network DDE DSDM, NetDDEdsdm, "C:\WINNT\system32\netdde.exe" [MS]

Office Source Engine, ose, "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [MS]

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 665 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

took 454 seconds.

---------- (total run time: 1483 seconds)

Finally, I was able to get this posted...I hope this helps! Please advise. Thanks! :(

Share this post


Link to post
Share on other sites

Hi,

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe

http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\system32\msblank.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SHANED~1\LOCALS~1\Temp\se.dll/spage.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O2 - BHO: (no name) - {6CFE85D3-C654-2F79-FA77-6D16801545BB} - C:\WINNT\system32\Z59JFLk0.dll

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\dkslz.dll

O4 - HKLM\..\Run: [RunDLL] C:\WINNT\system32\rund11.exe

O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe

O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\popcorn72.exe rundll.dll,LoadMouseProfile

O4 - HKLM\..\Run: [dmehk.exe] C:\WINNT\system32\dmehk.exe

O4 - HKCU\..\Run: [aupd] C:\WINNT\system32\sysvcs.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O17 - HKLM\System\CCS\Services\Tcpip\..\{F62805F4-8FB3-45C1-A275-87EBD4C1E533}: NameServer = 85.255.113.123,85.255.112.14

O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

O21 - SSODL: qCmQLSyh - {6CFE85CD-C654-2F67-40F3-5C2A801545B8} - C:\WINNT\system32\mmrd.dll

O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\system32\dcom_9.dll

Click Fix Checked. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

dk

Share this post


Link to post
Share on other sites

dk,

-Here is the fixwareout report:

Check for missing files

.....

C:\WINNT\system32\AUTOEXEC.NT not there

.....

End check for missing files

.....

VXD Check

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]

"VDD"=hex(7):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,41,6c,77,69,6c,\

20,53,6f,66,74,77,61,72,65,5c,41,76,61,73,74,34,5c,61,73,77,4d,6f,6e,56,64,\

2e,64,6c,6c,00,00

.....

End vxd check

.....

please post this at the forum

du to the fact that my computer freezes when I do more than one task at a time I will post the new hijack this log shortly. Please note that when I ran FixWareout it automatically posted my log after I clicked finish without asking me to reboot.

Share this post


Link to post
Share on other sites

dk,

-below is the hijack log:

file of HijackThis v1.99.1

Scan saved at 7:15:38 PM, on 10/4/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Shane Dankworth\Desktop\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h

O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Share this post


Link to post
Share on other sites

dk,

-downloaded W2kfiles.exe...not sure it worked though since this "thing" keeps blocking everything we try( it says it is installed, but doesn't seem to do anything)...after doing that though I ran fixwareout again and this time it said:

download Brute Force Unistaller at www.merijn.com

-should I do this? Please advise

Share this post


Link to post
Share on other sites

dk,

--I cannot run anything is normal mode...as the desktop icons do not even come up on the screen and it freezes as soon as the actual desktop appears...I tried to follow your instructions in safe mode by running BFU then fixwareout but as usual it only lets me start to run BFU then it freezes and I can't even try to run fixwareout...very frustrating...are we running out of options??? :(:(

Share this post


Link to post
Share on other sites

I am able to download BFU to the desktop, but everytime I try to save to the C drive it freezes. Everytime I run fixwareout it says it is downloading BFU.

Share this post


Link to post
Share on other sites

So it's on your desktop now? If it's not please download it to your desktop!

  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the (Safe Mode with) Command Prompt menu item.
  • Press the Enter key.

xpmenu.gif

Probably you will see this: C:\DOCUMENTS AND SETTINGS\SHANE DANKWORTH

If not type: CD DOCUMENTS AND SETTINGS then hit enter and type: CD SHANE DANKWORT and hit enter again.

Now you'll be in C:\DOCUMENTS AND SETTINGS\SHANE DANKWORTH

Type: CD DESKTOP and hit enter.

Type: COPY bfu.zip C:\fixwareout\SUB and hit enter.

Then you can exit the command prompt by typing: EXIT

Then try the wareoutfix again!

Edited by didom

Share this post


Link to post
Share on other sites

It worked!!!! Here is the hijack log after fixwareout ran...Please advise.

ile of HijackThis v1.99.1

Scan saved at 6:56:01 PM, on 10/9/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\fixwareout\SUB\BFU.exe

C:\hijackthis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h

O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Share this post


Link to post
Share on other sites

Scan again with HijackThis and check the following items:

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Then reboot your computer and post a fresh HJT log!

-----------------------------

09 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Did you installed WeatherBug yourself?

Are you able to run your computer in normal mode again?

Share this post


Link to post
Share on other sites

- no I did not install Weather Bug and I would hopefully like to remove all traces of AOL as well...Unfortunately I still cannot run in normal mode as the desktop icons still do not come up, and it still freezes immediately...even in safe mode, it seems to have defaulted back to what it was doing before we fixed with fixwareout yesterday...here is the fresh hijack this log....thanks

ogfile of HijackThis v1.99.1

Scan saved at 7:51:02 AM, on 10/10/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Shane Dankworth\Desktop\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h

O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Share this post


Link to post
Share on other sites

Step #1

Scan again with HijackThis and check the following items:

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #2

We need to make sure all hidden files are showing so please:

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Step #3

Reboot Your System in Safe Mode:

  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.

Step #4

Find and delete these files and folders (if they are still there):

C:\Program Files\AWS <= this folder

Step #5

  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the (Safe Mode with) Command Prompt menu item.
  • Press the Enter key.

Step #6

At the prompt type sfc /scannow Please note that there is a single space between sfc and /scannow.

Typing this will start the program, and a box should appear telling you how much longer the process should take.

Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. if this happens please make sure that you can view protected files:

  • My Computer
    Tools
    Folder Options
    View
    "Uncheck" Hide protected operating system files.

Then rerun the scan. If this still asks you to put in your windows XP CD, and you do not have the CD (If you bought it preinstalled) post back for more tips, otherwise enter Windows CD.

Once the scan is complete:

Check your Windows Updates! After using the File Protection Service, you might need to reapply some updates.

Please reboot, and let me know if anything has changed.

Also, please rehide the protected files:

  • My Computer
    Tools
    Folder Options
    View
    "Check" Hide protected operating system files.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.