Tech Support Forum
#1
Registered User
Join Date: Nov 2004
Posts: 7
OS: Win XP
Help with a Trojan horse
I am in need of some help with my computer. I have picked up a trojan horse and have tried deleting it with HJT and my anti-virus software, and it has helped some but not totally. I am posting a new HijackThis file for you to examine and would appreciate your help. Thank you.
Logfile of HijackThis v1.97.7
Scan saved at 11:40:26 AM, on 11/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\Documents and Settings\Mark Tumiski\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://rlcrwz.t.muxa.cc/h.php?aid=420 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Internat Conf] C:\WINDOWS\System32\bootconf.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [cihost.exe] C:\WINDOWS\cihost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] c:\WINDOWS\loader.exe
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
O4 - HKCU\..\Run: [cihost.exe] C:\WINDOWS\cihost.exe
O4 - HKCU\..\Run: [rxhjhkyc7n] C:\WINDOWS\nk7pvgorhz.exe
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O4 - Startup: Microsoft Data Helper.lnk = C:\WINDOWS\SYSTEM32\cihost.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: winlogon.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0285ff3cebcdb45...p/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...063.7937037037
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...39/mcfscan.cab
O19 - User stylesheet: C:\WINDOWS\color.css
#2
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,753
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
There are a few other suspicious items, but we will wait to see how this round turns out first.
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

You have an outdated version of HijackThis. Click here to get the latest version of HijackThis.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off System Restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Make sure to select the Autoclean option. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Download CWShredder and click on Fix (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download Index.dat Suite to clean out all the temp folders. Do not run it yet.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
Kazaa Lite (This is how/why you got into this mess.)
WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://rlcrwz.t.muxa.cc/h.php?aid=420 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O4 - HKLM\..\Run: [cihost.exe] C:\WINDOWS\cihost.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] c:\WINDOWS\loader.exe
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
O4 - HKCU\..\Run: [cihost.exe] C:\WINDOWS\cihost.exe
O4 - HKCU\..\Run: [rxhjhkyc7n] C:\WINDOWS\nk7pvgorhz.exe
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O4 - Startup: Microsoft Data Helper.lnk = C:\WINDOWS\SYSTEM32\cihost.exe
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0285ff3cebcdb4...ip/RdxIE601.cab

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:
C:\WINDOWS\dpe.dll
C:\WINDOWS\cihost.exe
C:\Program Files\WildTangent\
C:\Program Files\KaZaA Lite\
c:\WINDOWS\iedll.exe
c:\WINDOWS\loader.exe
C:\WINDOWS\System32\olehelp.exe
C:\WINDOWS\nk7pvgorhz.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\WINDOWS\ex.htm

Run Index.dat Suite now and go to Tools->Settings. Then make sure to check the following: Cookies, History, Recent Documents, Swap File (if you have Windows 95/98), Temporary Internet Files and Temp Files. Click Save at the bottom. Then click on the Find button. Let it search. Then click on the second button on the top. This will generate a batch file. Click Next->Next->Next and it will tell you that after the next reboot/restart the file should run by itself and clean out the temp folders. To make sure it's cleaned out, go into My Computer->C: Drive and double click on the run.bat file. After that you may delete that file if you want.

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.
__________________
GO BIG BLUE!!
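As an added example (not code from this thread and not part of HijackThis), here is a small Python triage script that pre-screens a HijackThis log for the kinds of entries the helper above picked out by hand: IE start/search values that are percent-encoded or that HijackThis itself marked "(obfuscated)", a BHO with no name or with its DLL sitting in C:\WINDOWS, Run-key images dropped straight into the Windows directory, random-looking names such as nk7pvgorhz.exe, Run commands like `regedit -s sys.reg` that carry no path and are resolved through PATH at logon, O16 ActiveX downloads from a raw IP address, and any O18 MIME filter. The sample log, the rules and the thresholds are this example's own assumptions; most sample lines are copied from the log above, the percent-encoded Search Bar line is built from the StartDreck value posted further down the thread, and the dellnet/NvCplDaemon lines are benign controls.

```python
"""Pre-screen a HijackThis-style log for the kinds of entries the helper in
this thread flagged by eye. Added example: not HijackThis code and not a tool
the forum used; every rule, threshold and sample line is this example's own."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in the shape of the thread's logs: most lines are copied from
# the thread, the %-encoded line is built from the StartDreck output posted later.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [rxhjhkyc7n] C:\WINDOWS\nk7pvgorhz.exe
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O18 - Filter: text/plain - {4969E3C3-B0A6-47E3-B71F-05B61EA5DC2E} - C:\WINDOWS\System32\aeolp.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0285ff3cebcdb45...p/RdxIE601.cab
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK[A-Z]{2}\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
URL_RE = re.compile(r"https?://\S+", re.I)
# An .exe/.dll/.ocx dropped straight into %SystemRoot% rather than a subfolder.
WINDOWS_ROOT_IMAGE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(exe|dll|ocx)$", re.I)
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Run-key commands that import registry data or run scripts instead of a program.
INTERPRETERS = {"regedit", "cmd", "wscript", "cscript", "mshta"}

def deobfuscate_url(url: str) -> str:
    """Undo percent-encoding until it stops changing, so an encoded host reads plainly."""
    prev = None
    while prev != url:
        prev, url = url, unquote(url)
    return url

def looks_random(name: str) -> bool:
    """Heuristic for generated names: alphanumeric, 8+ letters, a digit, <=15% vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if not name.isalnum() or len(letters) < 8 or not any(c.isdigit() for c in name):
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) <= 0.15

def image_path(cmd: str) -> str:
    """First token of a Run-key command, quotes removed."""
    cmd = cmd.strip()
    return cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section code, severity, reason) for every entry worth a second look."""
    findings: list[tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        def add(sev: str, why: str, code: str = code) -> None:
            findings.append((code, sev, why))
        if code in ("R0", "R1"):  # IE start/search page values
            for url in URL_RE.findall(body):
                clean = deobfuscate_url(url)
                host = urlsplit(clean).hostname or ""
                if clean != url:
                    add("high", f"percent-encoded URL decodes to {clean}")
                elif "(obfuscated)" in body:
                    add("high", f"value HijackThis marked obfuscated, host {host}")
                else:
                    add("review", f"start/search value points at {host}")
        elif code == "O2":  # Browser Helper Objects
            dll = body.rsplit(" - ", 1)[-1]
            if "(no name)" in body or WINDOWS_ROOT_IMAGE.match(dll):
                add("high", f"nameless or Windows-root BHO: {dll}")
        elif code == "O4":  # Run keys (Startup-folder O4 lines are not parsed here)
            rm = RUN_RE.match(body)
            if not rm:
                continue
            name, image = rm.group("name"), image_path(rm.group("cmd"))
            stem = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if WINDOWS_ROOT_IMAGE.match(image):
                add("high", f"Run image sits directly in the Windows directory: {image}")
            if looks_random(name) or looks_random(stem):
                add("high", f"random-looking Run entry: [{name}] {stem}")
            if "\\" not in image:  # no full path: resolved through PATH at logon
                base = image.lower().removesuffix(".exe")
                if base in INTERPRETERS:
                    add("high", f"Run key launches {base} (script or registry import)")
                else:
                    add("review", f"Run command without a full path: {image}")
        elif code == "O16":  # ActiveX downloads
            for url in URL_RE.findall(body):
                host = urlsplit(deobfuscate_url(url)).hostname or ""
                if IPV4_HOST.match(host):
                    add("high", f"ActiveX control fetched from a raw IP: {host}")
        elif code == "O18":  # MIME/protocol filters hook IE page rendering
            add("high", "filter DLL to verify: " + body.rsplit(" - ", 1)[-1])
    return findings
```

Feed it a saved log with `triage(open(path).read())` and read the "high" items first; the "review" items (a vendor start page, rundll32 loading a display-driver applet) are the sort the helper asks you to speak up about if you want to keep them. It is a screen, not a verdict: an entry like C:\WINDOWS\System32\olehelp.exe passes every rule here and was caught above only because the helper knew the name.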
#3
Registered User
Join Date: Nov 2004
Posts: 7
OS: Win XP
First off, Thank you for assisting me with my computer problem.
Ok, I am back with a new HijackThis log file. 3 more issues have occurred since I followed your directions.

First, I am getting a pop up box from Norton Antivirus about a Virus Alert high risk for the following 3 viruses: Trojan Startpage, Trojan.Linst, and Trojan.Bookmarker.G. It stated that it has deleted the file; however, when I push the OK button it just goes to the next file that it deleted. The only way I can get rid of the box is to go into the Window Task Master and hit the End Process button. Any ideas on how to correct this?

Second, I seem to have lost my ability to use my search key. It takes forever for the page to show up when I look for it.

Third, after I ran the Index.dat Suite and cleaned out the files, I looked in the run.bat file in My Computer and the files are still in there. Am I doing something wrong? It stated I can delete the file if I want afterwards. Should I?

Enclosed is my latest HijackThis log file for your review. Are there any other things that I should be doing to this file?
Logfile of HijackThis v1.98.2
Scan saved at 11:28:49 PM, on 11/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\hijackthis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Microsoft Data Helper.lnk = C:\WINDOWS\SYSTEM32\cihost.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...39/mcfscan.cab
O18 - Filter: text/plain - {4969E3C3-B0A6-47E3-B71F-05B61EA5DC2E} - C:\WINDOWS\System32\aeolp.dll
O19 - User stylesheet: C:\WINDOWS\color.css

Thank you for your assistance in helping me fix my computer.
#4
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,753
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Hi again,
Just a bit more to do on your log.....

Reboot into Safe Mode (hit F8 key until menu shows up).

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
O18 - Filter: text/plain - {4969E3C3-B0A6-47E3-B71F-05B61EA5DC2E} - C:\WINDOWS\System32\aeolp.dll

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:
C:\WINDOWS\System32\aeolp.dll

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.
__________________
GO BIG BLUE!!
#6
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,753
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Yes....have patience. We'll get to it. And don't use Norton to delete the files, get in there and manually do it, as instructed.
Download: StartDreck (http://www.greyknight17.com/spy/StartDreck.zip). Unzip to its own folder and start the program:
Press 'Config'
Press 'Mark All'
UN-Check the 'NT-Services & NT-Kernel...' boxes only:
Press 'Ok'
Press 'Save' and select the location to save the log file (default is the same folder as the application)
Post the log in this thread.
__________________
GO BIG BLUE!!
#7
Registered User
Join Date: Nov 2004
Posts: 7
OS: Win XP
Here is the new HijackThis log file and the StartDreck log file as requested.
Logfile of HijackThis v1.98.2
Scan saved at 2:11:28 PM, on 11/24/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Microsoft Data Helper.lnk = C:\WINDOWS\SYSTEM32\cihost.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_3us.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...39/mcfscan.cab
O19 - User stylesheet: C:\WINDOWS\color.css

And the StartDreck log file:

StartDreck (build 2.1.5 public BETA) - 2004-11-24 @ 13:50:40
Platform: Windows XP (Win NT 5.1.2600 )
»Registry
»Run Keys
»Current User
»Run
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*ctfmon.exe=C:\WINDOWS\System32\ctfmon.exe
*Host=
»RunOnce
»Default User
»Run
*ctfmon.exe=C:\WINDOWS\System32\ctfmon.exe
»RunOnce
»Local Machine
»Run
*Microsoft Works Update Detection=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
*NvCplDaemon=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
*UpdReg=C:\WINDOWS\Updreg.exe
*AHQInit=C:\Program Files\Creative\SBLive\Program\AHQInit.exe
*MMTray=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
*AdaptecDirectCD="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
*DellTouch=C:\WINDOWS\MMKeybd.exe
*IMJPMIG8.1=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
*IMEKRMIG6.1=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
*MSPY2002=C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
*PHIME2002ASync=C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
*PHIME2002A=C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
*Lexmark X83 Button Monitor=C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
*Lexmark X83 Button Manager=C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
*PrinTray=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
*Dell|Alert=C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
*DeadAIM=rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*NAV CfgWiz=C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*iTunesHelper=C:\Program Files\iTunes\iTunesHelper.exe
*DIGStream=C:\Program Files\DIGStream\digstream.exe
*Host=
*SSC_UserPrompt=C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
*Installed=1
*Installed=1
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
*.bat
*batfile="%1" %*
*.com
*comfile="%1" %*
*.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" %1
*.exe
*exefile="%1" %*
*.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
*.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.pif
*piffile="%1" %*
*.scr
*scrfile="%1" /S
*.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
*.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
*Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
*Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
*Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
*NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
*Windows Messenger/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
*Microsoft Windows Media Player 8/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
*Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
*Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
*Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
*Internet Explorer Access/{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
*StubPath=rundll32 iesetup.dll,IEAccessUserInst
»Browser Helper Objects (LM)
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\System32\blank.htm
*Start Page=about:blank
»Default User
*Search Bar=http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C
*Start Page=http://www.dellnet.com
»Local Machine
*Local Page=%SystemRoot%\system32\blank.htm
*Start Page=about:blank
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Mark Tumiski\Start Menu\Programs\Startup\DESKTOP.INI
*C:\Documents and Settings\Mark Tumiski\Start Menu\Programs\Startup\Microsoft Data Helper.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\DESKTOP.INI
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Camio Viewer.lnk
*C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\DESKTOP.INI *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk *C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless PCI Card Configuration Utility.lnk »INI-Files »WIN.INI\[windows] *LOAD= *RUN= »SYSTEM.INI\[boot] *SHELL=Explorer.exe »Text Files *C:\msdos.sys *C:\config.sys *C:\WINDOWS\System32\config.nt `REM Windows MS-DOS Startup File `REM `REM CONFIG.SYS vs CONFIG.NT `REM CONFIG.SYS is not used to initialize the MS-DOS environment. `REM CONFIG.NT is used to initialize the MS-DOS environment unless a `REM different startup file is specified in an application's PIF. `REM `REM ECHOCONFIG `REM By default, no information is displayed when the MS-DOS environment `REM is initialized. To display CONFIG.NT/AUTOEXEC.NT information, add `REM the command echoconfig to CONFIG.NT or other startup file. `REM `REM NTCMDPROMPT `REM When you return to the command prompt from a TSR or while running an `REM MS-DOS-based application, Windows runs COMMAND.COM. This allows the `REM TSR to remain active. To run CMD.EXE, the Windows command prompt, `REM rather than COMMAND.COM, add the command ntcmdprompt to CONFIG.NT or `REM other startup file. `REM `REM DOSONLY `REM By default, you can start any type of application when running `REM COMMAND.COM. If you start an application other than an MS-DOS-based `REM application, any running TSR may be disrupted. To ensure that only `REM MS-DOS-based applications can be started, add the command dosonly to `REM CONFIG.NT or other startup file. `REM `REM EMM `REM You can use EMM command line to configure EMM(Expanded Memory Manager). `REM The syntax is: `REM `REM EMM = [A=AltRegSets] [B=BaseSegment] [RAM] `REM `REM AltRegSets `REM specifies the total Alternative Mapping Register Sets you `REM want the system to support. 1 <= AltRegSets <= 255. The `REM default value is 8. 
`REM BaseSegment `REM specifies the starting segment address in the Dos conventional `REM memory you want the system to allocate for EMM page frames. `REM The value must be given in Hexdecimal. `REM 0x1000 <= BaseSegment <= 0x4000. The value is rounded down to `REM 16KB boundary. The default value is 0x4000 `REM RAM `REM specifies that the system should only allocate 64Kb address `REM space from the Upper Memory Block(UMB) area for EMM page frames `REM and leave the rests(if available) to be used by DOS to support `REM loadhigh and devicehigh commands. The system, by default, would `REM allocate all possible and available UMB for page frames. `REM `REM The EMM size is determined by pif file(either the one associated `REM with your application or _default.pif). If the size from PIF file `REM is zero, EMM will be disabled and the EMM line will be ignored. `REM `dos=high, umb `device=%SystemRoot%\system32\himem.sys `files=40 *C:\autoexec.bat *C:\WINDOWS\System32\autoexec.nt `@echo off `REM AUTOEXEC.BAT is not used to initialize the MS-DOS environment. `REM AUTOEXEC.NT is used to initialize the MS-DOS environment unless a `REM different startup file is specified in an application's PIF. `REM Install CD ROM extensions `lh %SystemRoot%\system32\mscdexnt.exe `REM Install network redirector (load before dosx.exe) `lh %SystemRoot%\system32\redir `REM Install DPMI support `lh %SystemRoot%\system32\dosx `REM The following line enables Sound Blaster 2.0 support on NTVDM. 
`REM The command for setting the BLASTER environment is as follows: `REM SET BLASTER=A220 I5 D1 P330 `REM where: `REM A specifies the sound blaster's base I/O port `REM I specifies the interrupt request line `REM D specifies the 8-bit DMA channel `REM P specifies the MPU-401 base I/O port `REM T specifies the type of sound blaster card `REM 1 - Sound Blaster 1.5 `REM 2 - Sound Blaster Pro I `REM 3 - Sound Blaster 2.0 `REM 4 - Sound Blaster Pro II `REM 6 - SOund Blaster 16/AWE 32/32/64 `REM `REM The default value is A220 I5 D1 T3 and P330. If any of the switches is `REM left unspecified, the default value will be used. (NOTE, since all the `REM ports are virtualized, the information provided here does not have to `REM match the real hardware setting.) NTVDM supports Sound Blaster 2.0 only. `REM The T switch must be set to 3, if specified. `SET BLASTER=A220 I5 D1 P330 T3 `REM To disable the sound blaster 2.0 support on NTVDM, specify an invalid `REM SB base I/O port address. For example: `REM SET BLASTER=A0 *C:\boot.ini `[boot loader] `timeout=30 `default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS `[operating systems] `multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect *C:\WINDOWS\wininit.ini »%PATH% Companion Files *C:\WINDOWS\System32\notepad.com *C:\WINDOWS\System32\NOTEPAD.EXE *C:\WINDOWS\NOTEPAD.EXE *C:\WINDOWS\System32\TASKMAN.EXE *C:\WINDOWS\TASKMAN.EXE *C:\WINDOWS\System32\WINHLP32.EXE *C:\WINDOWS\WINHLP32.EXE »System/Drivers »Running Processes *00000004=<unkown> *000001E0=\SystemRoot\System32\smss.exe *00000214=<unkown> *0000022C=\??\C:\WINDOWS\system32\winlogon.exe *00000258=C:\WINDOWS\system32\services.exe *00000264=C:\WINDOWS\system32\lsass.exe *00000308=C:\WINDOWS\system32\svchost.exe *00000320=C:\WINDOWS\System32\svchost.exe *0000036C=<unkown> *0000037C=<unkown> *0000041C=C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe *00000490=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe 
*00000498=C:\WINDOWS\Explorer.EXE *00000550=C:\WINDOWS\system32\spoolsv.exe *000005AC=C:\Program Files\AVPersonal\AVGUARD.EXE *000005B8=C:\Program Files\AVPersonal\AVWUPSRV.EXE *000005C4=C:\WINDOWS\System32\CTsvcCDA.EXE *00000600=C:\Program Files\Norton AntiVirus\navapsvc.exe *00000644=C:\WINDOWS\System32\nvsvc32.exe *000006D8=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe *00000730=C:\WINDOWS\System32\MsPMSPSv.exe *00000150=C:\Program Files\Norton AntiVirus\SAVScan.exe *00000198=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe *000001FC=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe *0000020C=C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe *00000218=C:\WINDOWS\System32\devldr32.exe *00000300=C:\WINDOWS\MMKeybd.exe *00000458=C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe *00000478=C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe *000004C8=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe *00000610=C:\Program Files\Dell\Support\Alert\bin\DAMon.exe *0000069C=C:\Program Files\Common Files\Real\Update_OB\realsched.exe *00000728=C:\Program Files\QuickTime\qttask.exe *000007CC=C:\Program Files\iTunes\iTunesHelper.exe *00000390=C:\Program Files\DIGStream\digstream.exe *00000098=C:\Program Files\iPod\bin\iPodService.exe *000000B0=C:\Program Files\Messenger\msmsgs.exe *000000A4=C:\WINDOWS\System32\ctfmon.exe *0000060C=C:\Program Files\Netropa\Traymon.exe *00000128=C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe *0000016C=C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe *000006C8=C:\Program Files\Netropa\OSD.exe *000001D8=C:\Program Files\interMute\SpySubtract\SpySub.exe *00000354=C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe *00000C6C=C:\WINDOWS\System32\wuauclt.exe *00000980=C:\Program Files\Internet Explorer\iexplore.exe *00000E0C=C:\Program Files\StartDreck\StartDreck.exe »VMM32Files (LM) »%System%\VMM32 »%System%\IOSUBSYS »Application specific »MS Office 97/8.0 
STARTUP-PATH »Current User »Default User »Local Machine |
#9
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Hi and Welcome to TSF

Please consider installing the SP1/SP2 service packs for both IE6 and XP!!

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers.

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry):

O4 - Startup: Microsoft Data Helper.lnk = C:\WINDOWS\SYSTEM32\cihost.exe
O19 - User stylesheet: C:\WINDOWS\color.css

Delete the following files/folders in RED (delete folders if no filename is specified or they are RED) according to their directory. (If you can't find them, do a search for them; make sure you have searching of hidden files, folders, subdirectories, etc. enabled if it applies to your OS.)

C:\WINDOWS\SYSTEM32\cihost.exe
C:\WINDOWS\color.css
C:\WINDOWS\System32\notepad.com <--- careful with this file and make sure you get the .COM one!!

Once done, reboot into Normal Mode and post a new HijackThis and StartDreck log file to confirm what was removed and whether it's clean or not.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: HijackThis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
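The three things the analyst singles out in the post above (a Startup-folder shortcut that points into System32, an O19 user stylesheet, and a notepad.com sitting beside NOTEPAD.EXE) are all mechanical to find in saved log text. The script below is an added example, not code from the thread, from HijackThis or from StartDreck: it parses HijackThis O4/O19 lines and StartDreck sections from a string and flags those cases. The companion-file check rests on how cmd.exe resolves a bare program name: it tries the PATHEXT extensions in order, and the default order puts .COM before .EXE, so a notepad.com in the same directory as NOTEPAD.EXE runs whenever something launches "notepad" without an extension. It also decodes percent-encoded Internet Explorer Start/Search values so the host is readable. The sample lines are constructed for this example, modelled on the logs posted in this thread; the C:\WINDOWS\System32 path is assumed from those logs.

```python
"""Added example: flag the persistence artefacts the analyst asked the poster
to fix, from HijackThis and StartDreck log text. Sample input is constructed,
modelled on the entries posted in the thread."""
import re
import ntpath
from collections import defaultdict
from urllib.parse import unquote

# StartDreck prefixes every section header with the » character.
SECTION_MARK = "\u00bb"
# Assumption: XP installed to C:\WINDOWS, as the posted logs show.
SYSTEM32 = "c:\\windows\\system32\\"
# IE values whose stored form may hide a host behind percent-encoding.
IE_KEYS = ("Search Bar", "Start Page", "Local Page")

# Constructed sample modelled on the HijackThis entries in this thread.
SAMPLE_HJT = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Microsoft Data Helper.lnk = C:\WINDOWS\SYSTEM32\cihost.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O19 - User stylesheet: C:\WINDOWS\color.css
""".strip()

# Constructed sample modelled on two StartDreck sections in this thread.
SAMPLE_STARTDRECK = r"""
»Internet Explorer
»Default User
*Search Bar=http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C
*Start Page=http://www.dellnet.com
»%PATH% Companion Files
*C:\WINDOWS\System32\notepad.com
*C:\WINDOWS\System32\NOTEPAD.EXE
*C:\WINDOWS\NOTEPAD.EXE
*C:\WINDOWS\System32\TASKMAN.EXE
*C:\WINDOWS\TASKMAN.EXE
»System/Drivers
""".strip()


def sections(text):
    """Yield (section_name, entries) for a StartDreck log. Entries are the
    '*' and '`' lines under a » header, with the leading marker removed."""
    name, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(SECTION_MARK):
            if name is not None:
                yield name, entries
            name, entries = line[1:], []
        elif line[:1] in ("*", "`"):
            entries.append(line[1:])
    if name is not None:
        yield name, entries


def flag_hjt_lines(text):
    """Return (reason, line) pairs for HijackThis entries worth fixing."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"O4 - (?:Global )?Startup: .+?\.lnk = (.*)$", line)
        if m:
            target = m.group(1).strip()
            if target == "?":
                findings.append(("unresolved shortcut target", line))
            elif target.lower().startswith(SYSTEM32):
                # A friendly-named Startup shortcut to a bare System32 binary
                # is the pattern the analyst removed (cihost.exe).
                findings.append(("startup shortcut into System32", line))
        elif line.startswith("O19 - User stylesheet:"):
            findings.append(("user stylesheet override", line))
    return findings


def find_companion_files(text):
    """Return .com files that share a directory and stem with a .exe, taken
    from the '%PATH% Companion Files' section. PATHEXT tries .COM first, so
    such a .com shadows the .exe for any extension-less launch."""
    by_dir_stem = defaultdict(dict)
    for name, entries in sections(text):
        if name != "%PATH% Companion Files":
            continue
        for path in entries:
            directory, filename = ntpath.split(path)
            stem, ext = ntpath.splitext(filename)
            by_dir_stem[(directory.lower(), stem.lower())][ext.lower()] = path
    return sorted(exts[".com"] for exts in by_dir_stem.values()
                  if ".com" in exts and ".exe" in exts)


def decode_ie_values(text):
    """Return {key: decoded URL} for IE values that change when percent-decoded."""
    decoded = {}
    for _name, entries in sections(text):
        for entry in entries:
            key, sep, value = entry.partition("=")
            if sep and key in IE_KEYS:
                plain = unquote(value)
                if plain != value:
                    decoded[key] = plain
    return decoded


if __name__ == "__main__":
    for reason, line in flag_hjt_lines(SAMPLE_HJT):
        print(f"[HJT] {reason}: {line}")
    for path in find_companion_files(SAMPLE_STARTDRECK):
        print(f"[PATH] .com shadows a .exe: {path}")
    for key, url in decode_ie_values(SAMPLE_STARTDRECK).items():
        print(f"[IE] {key} decodes to {url}")
```

Run against the sample, the companion check returns only C:\WINDOWS\System32\notepad.com (NOTEPAD.EXE in C:\WINDOWS has no .com beside it), which is why the analyst warns to delete the .COM and not the .EXE. The decoder also shows that the Default User Search Bar value in the posted StartDreck log decodes to http://ie-search.com/srchasst.html; the analyst did not call that entry out, so treat the decoded value as something to look at rather than as a verdict.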
#10
Registered User
Join Date: Nov 2004
Posts: 7
OS: Win XP
Hi, I am back

The computer is running better; however, I still get the Norton AntiVirus Virus Alert box when I reboot. It states that it has detected the following: Trojan Startpage, Trojan.linst, and Trojan.Bookmarker.G. Every time I push the OK button it states that it has deleted another file, for example: the file it has deleted is C:\Windows\Temp\tmp10.tmp. When I hit the OK button it states that it has deleted C:\Windows\Temp\tmp11.tmp, etc.

I went into Norton and reviewed my Quarantine file and noticed that there were 6000 files that were backed up, all with one of the Trojan viruses attached to them. Should I go and delete them all?

Also, going forward, should I always run HijackThis in Safe Mode? Or can I run it in Normal Mode? Thank you for your help.

I forgot to mention, I did run the HijackThis file and did not come across any of the items you requested me to delete. And I did a search for the other files and they were not in the system. Thank you again for your assistance.
#11
Analyst, Security Team
No, you don't have to do the fixes in Safe Mode, but we usually recommend it since fewer programs/processes will be running.

The Temp folders should be cleaned out periodically, as installation programs and hijack programs leave a lot of junk there. Download Index.dat Suite (http://www.it-mate.co.uk/support/idsuite.asp) to clean out all the temp folders.

Run Index.dat Suite now and go to Tools->Settings. Then make sure to check the following: Cookies, History, Recent Documents, Swap File (if you have Windows 95/98), Temporary Internet Files and Temp Files. Click Save at the bottom. Then click on the Find button. Let it search. Then click on the second button on the top. This will generate a batch file. Click Next->Next->Next and it will tell you that after the next reboot/restart the file should run by itself and clean out the temp folders. To make sure it's cleaned out, go into My Computer->C: Drive and double-click on the run.bat file. After that you may delete that file if you want.

I would suggest deleting all those files in the Temp folders where those trojans were located, just to make sure they're deleted. Please give us a new log.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.