HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

Old 01-17-2005, 08:57 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 7
OS: Win ME


Qoologic help!

Hello,
After weeks of trying to clean up my computer, I come to you for help please! I think I have been infected by a host of nasty buggers over the last few weeks. The worst one appears to be Qoologic that just will not go away no matter what I try to do. Other problems include a plague of pop-ups, folders appearing in "MY Favorites", massive sloooow down of pc, daily freeze-ups, and failure to get a brand new printer to work. The most annoying pop-up is called "loadingwebsite.com". I have downloaded & run the following programs:
* AVG free antivirus 7.0
* ZoneAlarm free firewall 5.5
* SpywareBlaster 3.2
* Spysubtract Pro 2.60
* CWShredder 2.0
* Panicware Pop-up Stopper 3.1
These programs have caught & deleted many nasty things over the last few weeks, but the problems continue. I tried to download Ad-Aware SE Personal Edition 1.05 several times, but I always got an error message & failure.

I am running Internet Explorer 6.0 on a Compaq pc with Windows ME.

Below is my HijackThis log after using hijack analyzer. I greatly appreciate any assistance you can provide.

TimE

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 1/7/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.98.2
Scan saved at 11:38:55 PM, on 1/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\SHPC32.EXE
C:\WINDOWS\EBYJF.EXE
C:\WINDOWS\WUKWVG.EXE
C:\WINDOWS\SYSTEM\HLIMSG.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALEVENT.EXE
C:\WINDOWS\SYSTEM\KALVYMT32.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\PHOTOWISE\QUICKLNK.EXE
C:\HJT\HIJACK_THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-sea...=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-sea...=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\ebyjf.exe] C:\WINDOWS\ebyjf.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\wukwvg.exe
O4 - HKLM\..\Run: [qm7V36Q] HLIMSG.EXE
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVYMT32.EXE
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - Startup: hgnhki.exe
O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {A2A62F90-6106-11D3-96F3-00105A771372} (KaraokeComCtl Class) - http://www.kiddonet.com/lapware/actm...karaokeCom.ocx


End of HijackThis Analyzer Log.
===========================================================================================================================
Old 01-17-2005, 09:14 PM   #2 (permalink)
Analyst, Security Team
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Go to Start->Settings->Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check Disable System Restore. Click OK. Click Yes when you are prompted to restart Windows. When we have confirmed that your log file is clean, you may enable System Restore again by following the same steps as above except you should uncheck Disable System Restore.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\SYSTEM\SHPC32.EXE
C:\WINDOWS\EBYJF.EXE
C:\WINDOWS\WUKWVG.EXE
C:\WINDOWS\SYSTEM\HLIMSG.EXE
C:\WINDOWS\SYSTEM\KALVYMT32.EXE

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

SVA Player

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-se...k=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-se...k=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\ebyjf.exe] C:\WINDOWS\ebyjf.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\wukwvg.exe
O4 - HKLM\..\Run: [qm7V36Q] HLIMSG.EXE
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVYMT32.EXE
O4 - Startup: hgnhki.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {A2A62F90-6106-11D3-96F3-00105A771372} (KaraokeComCtl Class) - http://www.kiddonet.com/lapware/act.../karaokeCom.ocx

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SYSTEM\SHPC32.EXE
C:\WINDOWS\EBYJF.EXE
C:\WINDOWS\WUKWVG.EXE
C:\WINDOWS\SYSTEM\HLIMSG.EXE
C:\WINDOWS\SYSTEM\KALVYMT32.EXE
hgnhki.exe - most likely in startup folder
C:\Program Files\SVA Player\

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools/programs provided.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

Old 01-21-2005, 09:10 PM   #3 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 7
OS: Win ME


I followed directions, but still seems SLOOOW

I followed your directions, but my pc still seems to be running very slow. Below is my latest HJT file. Is my pc clean?

Thanks!

Logfile of HijackThis v1.98.2
Scan saved at 12:10:37 AM, on 1/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\PHOTOWISE\QUICKLNK.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSWP.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\MSWORKS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKGDCACH.EXE
C:\HJT\HIJACK_THIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
Old 01-21-2005, 09:29 PM   #4 (permalink)
Analyst, Security Team
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to c:\windows\ and open up the hosts file (no extension) in Notepad. There should be a bunch of lines with a # in front of them followed by a single line like:

127.0.0.1 localhost

If you have anything after that, please post them here.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

VBouncer

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\VBouncer\

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools/programs provided.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

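The hosts-file check above, as an added Python example that is not part of the thread: it skips the comment block, classifies every remaining mapping, and reports anything other than the single 127.0.0.1 localhost line, separating names redirected to a foreign address (the search hijack behind TimE's O1 entries) from names merely pinned to loopback. The sample content is constructed from the entries TimE posts later in the thread; nothing is read from disk.

```python
"""Audit a Windows hosts file the way the analyst asks: after the comment
block there should be exactly one active line, '127.0.0.1 localhost'.

Added example, not code from the thread. SAMPLE_HOSTS is constructed from
the entries TimE posted; nothing is read from disk."""
import ipaddress

# Constructed sample: a comment header followed by the poster's mappings.
SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
127.0.0.1 www.igetnet.com
127.0.0.1 clear-search.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch
"""


def parse_hosts(text):
    """Yield (lineno, ip, hostnames) for every active mapping. Text after
    '#' is a comment; blank lines and lines with no hostname are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        yield lineno, fields[0], fields[1:]


def classify(ip, names):
    """Severity of one mapping.

    ok        the one legitimate default line, 127.0.0.1 localhost
    redirect  a name resolves to a non-loopback address, so the browser
              silently talks to a third party (the search hijack behind
              the O1 entries in this thread)
    block     a name is pinned to loopback and cannot be reached; hosts
              blocklists do this deliberately, but adware can use it too,
              so the analyst still wants to see it
    invalid   the address field is not an IP address at all
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_loopback:
        return "ok" if names == ["localhost"] else "block"
    return "redirect"


def audit_hosts(text):
    """Return findings as (severity, lineno, ip, hostnames) in file order,
    reporting a repeated mapping once and omitting the benign 'ok' line."""
    seen = set()
    findings = []
    for lineno, ip, names in parse_hosts(text):
        sev = classify(ip, names)
        key = (ip, tuple(names))
        if sev == "ok" or key in seen:
            continue
        seen.add(key)
        findings.append((sev, lineno, ip, names))
    return findings


def redirect_targets(findings):
    """Distinct addresses that names are redirected to. One IP collecting
    several search-engine names is the pattern to look for."""
    return sorted({ip for sev, _, ip, _ in findings if sev == "redirect"})


if __name__ == "__main__":
    results = audit_hosts(SAMPLE_HOSTS)
    for sev, lineno, ip, names in results:
        print(f"{sev:8} line {lineno:2}: {ip} -> {' '.join(names)}")
    print("redirect targets:", ", ".join(redirect_targets(results)))
```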
Old 01-22-2005, 11:31 AM   #5 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 7
OS: Win ME


Still problems

Well, I am still having problems. PC very slooow. I had 2 new icons plastered onto my screen (from loadingwebsite.com????). I still need help!

I did the following:
1) Went into Add/Remove to remove VBouncer as you said. I could not find it. However, I found the following & removed:
* Search Assistant
* Search Function
* Sidebar Search
Now, the following programs I tried to remove, but they would not go away:
# Elite Internet Explorer Toolbar
# SVA Player
Also, the following programs I was unfamiliar with & didn't know what to do:
? BMSE dbl
? IEC system
? SE Assistant
? SE help

2) I ran HJT & deleted what you suggested. I could not find Files/VBouncer

3) I checked the hosts files & there were two (one in all caps). Here they are:
hosts:
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch

HOSTS:
# Copyright (c) 1998 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

4) Here is my latest HJT file:

Logfile of HijackThis v1.98.2
Scan saved at 2:09:55 PM, on 1/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE
C:\PROGRAM FILES\PHOTOWISE\QUICKLNK.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\HJT\HIJACK_THIS\HIJACKTHIS.EXE

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll


Your help is appreciated!
Old 01-22-2005, 01:15 PM   #6 (permalink)
Knower of all that is MS
 
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro


Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready):

Please download the following programs required for the removal process:

Kill2Me http://www.greyknight17.com/spy/Kill2Me.exe
VX2Finder http://www.greyknight17.com/spy/VX2Finder.exe
Hoster http://www.greyknight17.com/spy/Hoster.exe
CleanUp! http://cleanup.stevengould.org/ or http://www.greyknight17.com/spy/Cleanup.exe
KillBox http://www.greyknight17.com/spy/KillBox.exe
DllCompare http://www.greyknight17.com/spy/DllCompare.exe

Please follow the steps below:

1. Download/run the following uninstallers:

Look2Me Uninstaller http://www.look2me.com/cgi-bin/UnInstaller
IGN Keyword Uninstaller http://www.greyknight17.com/spy/NLNUninstall.zip
ClearSearch Uninstaller http://www.greyknight17.com/spy/ClrSchUninstall.zip

2. Run Kill2Me.

3. Run VX2Finder and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum.

4. Run DllCompare now and click on the Locate.com button. Wait a few seconds and then click on the Compare button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit ...), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now run DllCompare.

5. Go to C:\WINDOWS\SYSTEM\ and sort the files by date. Look for more recently created files and post them here. They are usually random named DLL files.

We also need a list of files in the following folders:

C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here.
C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious.

Post all of the logs in your next post. We need them all to get a fix for this infection.
__________________


GO BIG BLUE!!
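Step 5 above (sort the SYSTEM folder by date and look for random-named DLLs) is tedious by hand when dozens of files qualify. As an added example that is not code from the thread or from DllCompare, this Python script parses a listing in the DllCompare log format that appears later in the thread and groups files sharing one timestamp and one byte size, which is how a dropper's batch stands out whatever the names are. The first five entries in the sample are copied from the thread's log; the two example_*.dll lines are constructed benign entries for contrast.

```python
"""Group a DllCompare-style listing of the SYSTEM folder by (timestamp, size).

Added example, not code from the thread or from DllCompare. A run of DLLs
that share one creation second and one byte size is one dropper writing the
same body under random names, so the analyst can review a cluster instead
of fifty lines. SAMPLE_LOG is constructed: the first five entries are copied
from the log posted in this thread, the example_*.dll lines are made-up
benign entries added for contrast."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = r"""
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\mwacm.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mxvcrt20.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\nlcpl.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dzmssocn.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ouethk32.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\example_a.dll Thu Jun 8 2000 5:00:00p ....R 45,056 44.00 K
C:\PROGRAM FILES\EXAMPLE APP\example_b.dll Mon Mar 1 2004 10:30:00a ..... 12,288 12.00 K
"""

# One entry line: path (may contain spaces), 12-hour timestamp with a single
# trailing a/p, five-character attribute column as DllCompare prints it,
# byte size with thousands separators; the trailing "212.00 K" is ignored.
ENTRY = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<stamp>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} \d{1,2} \d{4} "
    r"\d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>\d{1,3}(?:,\d{3})*)\s"
)


def parse_stamp(stamp):
    """'Sun Dec 5 2004 9:11:50a' -> datetime(2004, 12, 5, 9, 11, 50)."""
    meridiem = {"a": "AM", "p": "PM"}[stamp[-1]]
    return datetime.strptime(stamp[:-1] + meridiem, "%a %b %d %Y %I:%M:%S%p")


def parse_listing(text):
    """Return one dict per entry line; headers, separators and blank
    lines produce no match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        entries.append({
            "path": m["path"],
            "name": m["path"].rsplit("\\", 1)[-1],
            "when": parse_stamp(m["stamp"]),
            "attrs": m["attrs"],
            "size": int(m["size"].replace(",", "")),
        })
    return entries


def cluster_drops(entries, min_files=3):
    """Group entries by identical (timestamp, size) and return the groups
    with at least min_files members, newest first. Installers rarely write
    several same-size DLLs in the same second; droppers copying one body
    under random names do exactly that."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["when"], e["size"])].append(e)
    drops = [(key, files) for key, files in groups.items()
             if len(files) >= min_files]
    drops.sort(key=lambda kv: kv[0][0], reverse=True)
    return drops


def newest(entries, n=5):
    """Step 5 of the analyst's list: the most recently created files."""
    return sorted(entries, key=lambda e: e["when"], reverse=True)[:n]


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LOG)
    for (when, size), files in cluster_drops(listing):
        print(f"{len(files)} files, {size:,} bytes each, written {when:%Y-%m-%d %H:%M:%S}:")
        for f in files:
            print(f"  {f['attrs']}  {f['path']}")
    print("newest:", [f["name"] for f in newest(listing, 3)])
```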
Old 01-22-2005, 04:41 PM   #7 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 7
OS: Win ME


What about all the programs on my PC?

Will there be any problem downloading the list of programs you suggested while I have a bunch of other programs downloaded to fight viruses, pop-ups etc...?

I have AVG antivirus program, ZoneAlarm firewall, Spyware Blaster, Ad-Aware, CWShredder, Panicware Pop-up Stopper, NoAdware, and Spysubtract. I just wanted to be sure there wouldn't be a problem with conflicting programs. I have had that happen before.

Thanks!
Old 01-22-2005, 07:19 PM   #8 (permalink)
Analyst, Security Team
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


These programs should not conflict with each other. After we are finished with the fix and verified that you are clean, you may delete all of those programs we mentioned to download above. You may however, keep CleanUp if you want. It's a good cleanup program.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

Old 01-23-2005, 08:34 AM   #9 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 7
OS: Win ME


Latest progress

OK, I downloaded all the programs you suggested & ran the ones you said to do. A few questions:
1) I didn't see anywhere that you said to run these programs - Hoster, CleanUp!, & KillBox. I downloaded them but did not run. Is that correct?
2) When I ran VX2Finder it said "files found" & under that said "user agent string". When I clicked "Make Log" nothing happened. What do I need to do?
3) When I looked in C:/WINDOWS/SYSTEM & sorted the files by date, I saw many DLL files. I would guess 50 files over last couple of months. I don't know which ones are legit & which ones are not. I couldn't figure out how to post the list in here. How should I post a log?
4) Under C:/DOWNLOADED PROGRAM FILES, I found only 3 files & I think they are legit - QuickTime, Shockwave Flash Object, & Update Class (windows update microsoft). Are these ok?
5) Under C:/PROGRAMFILES/INTERNET EXPLORER, I think all the files in there are legit. None seem to be recent & I believe they all relate to internet explorer. Again, I didn't know how to post the list in here.

Here are various logs:
1) From DLL Compare:
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\mwacm.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mxvcrt20.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\nlcpl.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dzmssocn.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ouethk32.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\srrapi.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ahi_i9ae.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\cnmocx.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mnwebdvd.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mivfw32.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\pqcrt.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\vuame.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\nbwdev.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\lgmpg11n.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ddound.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\rzgwizc.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dtwave.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ltxlmpm.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\lilmb11n.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dlip32.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mmpistub.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\narsnl.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ccol.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mtasn1.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\etcapi.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mpimsg.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wgadrvud.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mixml3.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\lnnkinfo.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mq3encx.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\minsspc.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\tzolbar.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\syrrun.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mg4sdmod.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mmieftp.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\vsajet32.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mwnet32.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ajctres.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\lxxusbci.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\oaepro32.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\cr15pprt.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\airtl30.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\iw50_qcx.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mxjter35.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ixwphbk.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\anferror.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wpadrvud.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mht2fw95.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wunetmgr.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ozpdx32.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\cmmmctrl.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\cspbk32.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\uibmon.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\agfsipc.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\pmnmap.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\meencode.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mjdart32.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\topelib.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\msg200~1.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\sooolss.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mmxdm.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\scem0409.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dxlayx.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\lkgilang.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mqwsock.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\oaui400.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\xgilexr.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mujter35.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dld9.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\cofg95.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mbnet32.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\gvut.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\szem0409.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\pfspl.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dfip32.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\lnlmb11n.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\srimgvw.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\smndmail.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\vphelper.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\rzoc3260.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ivfg95.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\itx32d56.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dsbeng.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dhband.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ldeps11n.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\lqcal11n.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\cl15pprt.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\rwaui.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mwr2cenu.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\nmopengl.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\cjetcfg.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wgadmod.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mtrdo20.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mbrpjt40.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ldbzlpa.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\cnh.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dsstyle.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\rioc3260.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\vzame.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mjjava.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\vvregexp.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\cgmmctrl.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mvoeacct.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\sppdll.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dfcndi.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\iufcpy.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wjtdecod.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dgmigr.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\domstor.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wx5inf32.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\sfnceng.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\monet32.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\iymp.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\merdo20.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\svsdetmg.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\iq50_qc.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\cuwmdm.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mzdxmlc.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
________________________________________________

1,061 items found: 1,061 files (118 H/S), 0 directories.
Total of file sizes: 217,266,794 bytes 207.20 M

--------------------End log---------------------

2) Latest HJT:

Logfile of HijackThis v1.98.2
Scan saved at 11:12:53 AM, on 1/23/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE
C:\PROGRAM FILES\PHOTOWISE\QUICKLNK.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSWP.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\MSWORKS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKGDCACH.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\HJT\HIJACK_THIS\HIJACKTHIS.EXE

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunOnce: [ClrSchUninstall] C:\WINDOWS\TEMP\CLRSCHUNINSTALL.EXE -b
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

Thanks for sticking with me.
TimE is offline  
Old 01-23-2005, 09:04 AM   #10 (permalink)
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro


Yes, that's correct. We will use those tools now. Don't worry about the system files. We got them now. See below for more information.

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

This hijack may take a couple of tries to remove it. If you have any questions during this process, please ask us (just don't restart or shutdown - unless the instructions say so).

1. Run KillBox now.
a) Click on the 'Replace on Reboot' button and check the box that says 'Use Dummy'.
b) Check 'End Explorer Shell While Killing File.'
c) Check 'Unregister .dll Before Deleting' for each file (if it's available).

Copy and paste each of the following (one by one) into the top line and hit the X button for each one (when it asks you if you want to reboot, choose NO for all of them):

c:\recycler\desktop.ini
c:\WINDOWS\system\guard.tmp

Also delete ALL those files found in DllCompare. Just copy and paste the whole path for each filename and kill them one by one. So start putting them into KillBox starting from:

C:\WINDOWS\SYSTEM\mwacm.dll

ALL the way to:

C:\WINDOWS\SYSTEM\mzdxmlc.dll

2. Restart and hit the F8 key (repeatedly until a menu shows up) to enter Safe Mode.

3. Run HijackThis and do a scan. Check and fix the following:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\RunOnce: [ClrSchUninstall] C:\WINDOWS\TEMP\CLRSCHUNINSTALL.EXE -b

4. Close HijackThis and run Hoster. Click 'Restore Original Hosts' and click OK.

Run CleanUp! program again and clean everything. Say Yes when it asks you to reboot/logoff.

5. Reboot into Normal Mode and run HijackThis. See if the O1 entries are still in HijackThis. If they are still there, go to c:\windows\system\ and sort the files by date. There will/should be two new DLLs.
-- If those O1 entries do return in HijackThis, paste those two files into KillBox (see Step 1 above) and kill them. Just follow through the same procedures (Steps 2-5) like before. Make sure NOT to reboot until you have deleted those two files (otherwise the names will change again).

After that's done (or if you want more help), give us a new set of updated logs (DllCompare, VX2Finder, HijackThis).

greyknight17 is offline
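As an added example (not from the thread, HijackThis or DllCompare themselves), a small Python triage script that encodes the two indicators the analyst works from in the logs above: the DllCompare cluster of randomly named DLLs that all share one size, timestamp and attribute set, and the O1 hosts entries that point search hostnames at a remote IP instead of loopback. The sample lines are constructed to mirror the log formats posted in the thread, and the regexes are my assumptions about those formats.

```python
"""Triage helper for two indicators seen in the thread's logs (added example).

1. DllCompare lines: many DLLs sharing one size, one timestamp and one
   attribute string (here 217,088 bytes, Sun Dec 5 2004 9:11:50a, ..S.R),
   i.e. a dropper writing randomly named copies of the same file.
2. HijackThis O1 lines: hosts-file entries that redirect well-known search
   hostnames to a remote address rather than 127.0.0.1.
"""
import re
from collections import defaultdict

# Constructed sample shaped like the DllCompare and HJT output above;
# the KERNEL32 line is a benign control that must not be flagged.
SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM\mwacm.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\nlcpl.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mzdxmlc.dll Sun Dec 5 2004 9:11:50a ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\KERNEL32.DLL Thu Jun 8 2000 5:00:00p A.... 471,040 460.00 K
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 localhost
"""

# Assumed DllCompare line layout: path, day/month/date/year, time, attrs, size.
DLL_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^ ]+\.dll)\s+"
    r"(?P<stamp>\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)", re.IGNORECASE)
# HijackThis O1 line: "O1 - Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")


def find_dll_clusters(text, min_count=3):
    """Group DLLs by (size, timestamp, attrs); return groups with >= min_count members."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = DLL_RE.match(line.strip())
        if m:
            key = (int(m["size"].replace(",", "")), m["stamp"], m["attrs"].upper())
            groups[key].append(m["path"])
    return {k: v for k, v in groups.items() if len(v) >= min_count}


def find_hosts_redirects(text):
    """Return (ip, host) pairs whose hosts entry does not point at loopback."""
    hits = []
    for line in text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m and not m["ip"].startswith("127."):
            hits.append((m["ip"], m["host"]))
    return hits


if __name__ == "__main__":
    for (size, stamp, attrs), paths in find_dll_clusters(SAMPLE_LOG).items():
        print(f"{len(paths)} DLLs share size {size}, stamp {stamp}, attrs {attrs}")
        for p in paths:
            print("   ", p)
    for ip, host in find_hosts_redirects(SAMPLE_LOG):
        print(f"hosts redirect: {host} -> {ip}")
```

Feeding it the full DllCompare and HijackThis logs posted above would return the whole 217,088-byte cluster (the range the analyst tells the poster to kill) and the six O1 redirects to 69.20.16.183.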