newbie Malware problems: ABetterInternet.Nail

pjsteel · 05-19-2006, 11:45 AM

HI, this is my first post on this forum.

I have gone thru the 5 steps prior to this post.

Adaware cannot clean 2 files from my registry they are:

1) ABetterInternet.Nail Object Recognized!
Type : RegData
Data : explorer.exe, c:\windows\system32\axids.exe
TAC Rating : 5
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe, c:\windows\system32\axids.exe

2) Windows Object Recognized!
Type : RegData
Data : explorer.exe, c:\windows\system32\axids.exe
TAC Rating : 3
Category : Vulnerability
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Shell
Data : explorer.exe, c:\windows\system32\axids.exe

Also, the free virus software scans cleaned off numerous infections. Now computer does not recoginize my DVD-ROM drives. Drivers are loaded and recognized but it cant find the drives(code 41)

Here is my HiJackThis.log:

C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {42C0418C-A61E-F1C5-372A-FE6A64D5DCCB} - C:\WINDOWS\system32\owbd.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\axids.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ksohdjb.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdcco...ad/tgctlsr.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/co...rolLite_EN.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/We...bridge-c18.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144281187578
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://202.139.104.2/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O18 - Protocol: bw+0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\dnl6013se.dll (file missing)
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\orbcp32r.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

best regards,
Phil

tetonbob · 05-19-2006, 09:15 PM

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download the file attached -
Within it, double-click on combofix.exe & follow the prompts given, and be patient.
Depending on the severity of your infection, it may reboot your machine 1-2 times.
When it's done, it shall produce a report which you should post back here.

Also post a new HJT log. Make sure it is from normal mode, please.

pjsteel · 05-20-2006, 07:18 AM

Thanks for your reply!
Here is the information you requested.

If I posted this incorrectly please let me know.
Thanks again,
Phil

Start Time= Sat 05/20/2006 9:02:56.39

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
= = = = = = = = = = = = = = = Qoologic = = = = = = = = = = = = = = =
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Sat 05/20/2006 9:04:11.57

*********** PRE-RUN - Filepaths extracted from the Registry ***************

C:\WINDOWS\system32\jnqyse.exe
C:\WINDOWS\system32\jnqyse.exe
C:\WINDOWS\system32\axids.exe
ksohdjb.exe

*********** PRE-RUN - Filepaths from Locate ****************************

2006-05-10 09:59:08 1,376,256 "C:\WINDOWS\SYSTEM32\cfg32a.exe"
2006-05-10 09:56:00 127,488 "C:\WINDOWS\SYSTEM32\jnqyse.exe"
2006-05-10 09:56:00 28,672 "C:\WINDOWS\SYSTEM32\axids.exe"
2006-05-10 09:58:58 110,592 "C:\WINDOWS\SYSTEM32\cfg32o.dll"
2006-05-10 09:55:46 389,120 "C:\WINDOWS\SYSTEM32\cfg32p.dll"
2006-05-10 09:59:04 102,400 "C:\WINDOWS\SYSTEM32\cfg32r.dll"
2006-05-10 09:55:58 45,056 "C:\WINDOWS\SYSTEM32\cfg32s.dll"
2006-03-03 23:33:42 55,808 "C:\WINDOWS\SYSTEM32\extmgr.dll"
2006-03-03 23:33:42 96,256 "C:\WINDOWS\SYSTEM32\inseng.dll"
2006-03-23 16:32:42 3,053,568 "C:\WINDOWS\SYSTEM32\mshtml.dll"
2006-03-03 23:33:44 532,480 "C:\WINDOWS\SYSTEM32\mstime.dll"
2006-03-01 15:42:42 66,560 "C:\WINDOWS\SYSTEM32\mtxclu.dll"
2006-03-01 15:42:42 91,136 "C:\WINDOWS\SYSTEM32\mtxoci.dll"
2006-03-18 07:09:38 613,376 "C:\WINDOWS\SYSTEM32\urlmon.dll"
2006-05-10 09:56:00 23,552 "C:\WINDOWS\SYSTEM32\ksohdjb.exe"
2006-03-03 23:33:40 151,040 "C:\WINDOWS\SYSTEM32\cdfview.dll"
2006-03-03 23:33:42 205,312 "C:\WINDOWS\SYSTEM32\dxtrans.dll"
2006-03-03 23:33:42 251,392 "C:\WINDOWS\SYSTEM32\iepeers.dll"
2006-03-01 15:42:42 956,416 "C:\WINDOWS\SYSTEM32\msdtctm.dll"
2006-03-03 23:33:44 39,424 "C:\WINDOWS\SYSTEM32\pngfilt.dll"
2006-05-10 09:56:00 51,712 "C:\WINDOWS\SYSTEM32\puqyjml.dll"
2006-03-30 05:16:04 1,492,480 "C:\WINDOWS\SYSTEM32\shdocvw.dll"
2006-03-17 00:03:54 8,452,096 "C:\WINDOWS\SYSTEM32\shell32.dll"
2006-03-03 23:33:44 474,112 "C:\WINDOWS\SYSTEM32\shlwapi.dll"
2006-04-04 09:13:22 8,464 "C:\WINDOWS\SYSTEM32\sporder.dll"
2006-03-03 23:33:46 658,432 "C:\WINDOWS\SYSTEM32\wininet.dll"
2006-05-11 09:40:14 303,104 "C:\WINDOWS\SYSTEM32\WinNB57.dll"
2006-03-01 15:42:42 11,776 "C:\WINDOWS\SYSTEM32\xolehlp.dll"
2006-03-03 23:33:42 1,054,208 "C:\WINDOWS\SYSTEM32\danim.dll"
2006-05-19 12:40:26 127,488 "C:\WINDOWS\SYSTEM32\olgce.dat"
2006-05-20 08:57:08 495 "C:\WINDOWS\hjxfj.dll"
2006-05-10 09:56:00 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\bvday.exe"

*********** POST-RUN - Files in the Quarantine folder *********************

05/19/2006 12:40 PM 127,488 olgce.dat.vir
05/10/2006 09:55 AM 127,488 bvday.exe.vir
05/10/2006 09:55 AM 127,488 jnqyse.exe.vir
05/10/2006 09:55 AM 51,712 puqyjml.dll.vir
05/10/2006 09:55 AM 28,672 axids.exe.vir
05/10/2006 09:55 AM 23,552 ksohdjb.exe.vir

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO

*********** POST-RUN - Filepaths from Locate ***************************

2006-05-10 09:59:08 1,376,256 "C:\WINDOWS\SYSTEM32\cfg32a.exe"
2006-03-30 05:16:04 1,492,480 "C:\WINDOWS\SYSTEM32\shdocvw.dll"
2006-04-04 09:13:22 8,464 "C:\WINDOWS\SYSTEM32\sporder.dll"
2006-05-11 09:40:14 303,104 "C:\WINDOWS\SYSTEM32\WinNB57.dll"
2006-05-10 09:58:58 110,592 "C:\WINDOWS\SYSTEM32\cfg32o.dll"
2006-05-10 09:55:46 389,120 "C:\WINDOWS\SYSTEM32\cfg32p.dll"
2006-05-10 09:59:04 102,400 "C:\WINDOWS\SYSTEM32\cfg32r.dll"
2006-05-10 09:55:58 45,056 "C:\WINDOWS\SYSTEM32\cfg32s.dll"
2006-05-20 08:57:08 495 "C:\WINDOWS\hjxfj.dll"

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
= = = = = = = = = = = = = = Find3M Report = = = = = = = = = = = = = =
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

2006-05-20 08:57:08 495 ( A.... ) "C:\WINDOWS\hjxfj.dll"
2006-05-18 05:44:10 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-05-15 16:34:34 ( .D... ) "C:\Program Files\Lavasoft"
2006-05-15 09:03:50 ( .D... ) "C:\Program Files\SpywareBot"
2006-05-11 09:46:40 740 ( A.... ) "C:\WINDOWS\SYSTEM32\nt68rrtc12.sys"
2006-05-11 09:40:30 ( .D... ) "C:\Documents and Settings\Philip Johnson\Application Data\??mbols"
2006-05-11 09:40:20 175,362 ( A.... ) "C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe"
2006-05-11 09:40:20 ( .D... ) "C:\Program Files\rdso"
2006-05-11 09:40:14 303,104 ( A.... ) "C:\WINDOWS\SYSTEM32\WinNB57.dll"
2006-05-10 09:59:08 1,376,256 ( A.... ) "C:\WINDOWS\SYSTEM32\cfg32a.exe"
2006-05-10 09:59:04 102,400 ( A.... ) "C:\WINDOWS\SYSTEM32\cfg32r.dll"
2006-05-10 09:58:58 110,592 ( A.... ) "C:\WINDOWS\SYSTEM32\cfg32o.dll"
2006-05-10 09:55:58 45,056 ( A.... ) "C:\WINDOWS\SYSTEM32\cfg32s.dll"
2006-05-10 09:55:46 389,120 ( A.... ) "C:\WINDOWS\SYSTEM32\cfg32p.dll"
2006-05-10 09:55:10 ( .D... ) "C:\Program Files\Common Files\?icrosoft"
2006-05-10 07:34:08 92,112 ( A.... ) "C:\Documents and Settings\Philip Johnson\Application Data\GDIPFONTCACHEV1.DAT"
2006-05-05 07:55:30 ( .D... ) "C:\Program Files\No-IP"
2006-05-04 00:26:22 5,818,784 ( A.... ) "C:\WINDOWS\SYSTEM32\MRT.exe"
2006-04-29 17:41:52 ( .D... ) "C:\Program Files\RealVNC"
2006-04-27 15:27:48 135,168 ( A.... ) "C:\Program Files\Common Files\icro.exe"
2006-04-06 10:54:38 73,728 ( A.... ) "C:\WINDOWS\SYSTEM32\asuninst.exe"
2006-04-04 14:08:32 ( .D... ) "C:\Program Files\exPressit S.E. 2.1"
2006-04-04 09:16:30 183,296 ( A.S.. ) "C:\WINDOWS\NDNuninstall7_22.exe"
2006-04-04 09:13:22 8,464 ( A.... ) "C:\WINDOWS\SYSTEM32\sporder.dll"
2006-03-31 00:51:28 78,336 ( A.... ) "C:\WINDOWS\SYSTEM32\nsg7.dll"
2006-03-30 05:16:04 1,492,480 ( A.... ) "C:\WINDOWS\SYSTEM32\shdocvw.dll"
2006-03-29 21:00:14 16,384 ( A.... ) "C:\WINDOWS\SYSTEM32\xpsp3res.dll"
2006-03-23 16:32:42 3,053,568 ( A.... ) "C:\WINDOWS\SYSTEM32\mshtml.dll"
2006-03-18 07:09:38 613,376 ( A.... ) "C:\WINDOWS\SYSTEM32\urlmon.dll"
2006-03-17 05:07:18 679,424 ( A.... ) "C:\WINDOWS\SYSTEM32\inetcomm.dll"
2006-03-17 00:03:54 8,452,096 ( A.... ) "C:\WINDOWS\SYSTEM32\shell32.dll"
2006-03-16 20:38:02 28,672 ( ..... ) "C:\WINDOWS\SYSTEM32\verclsid.exe"
2006-03-10 06:09:14 5,533,696 ( A.... ) "C:\WINDOWS\SYSTEM32\wmp.dll"
2006-03-03 23:33:46 658,432 ( A.... ) "C:\WINDOWS\SYSTEM32\wininet.dll"
2006-03-03 23:33:44 532,480 ( A.... ) "C:\WINDOWS\SYSTEM32\mstime.dll"
2006-03-03 23:33:44 474,112 ( A.... ) "C:\WINDOWS\SYSTEM32\shlwapi.dll"
2006-03-03 23:33:44 448,512 ( A.... ) "C:\WINDOWS\SYSTEM32\mshtmled.dll"
2006-03-03 23:33:44 146,432 ( A.... ) "C:\WINDOWS\SYSTEM32\msrating.dll"
2006-03-03 23:33:44 39,424 ( A.... ) "C:\WINDOWS\SYSTEM32\pngfilt.dll"
2006-03-03 23:33:42 1,054,208 ( A.... ) "C:\WINDOWS\SYSTEM32\danim.dll"
2006-03-03 23:33:42 251,392 ( A.... ) "C:\WINDOWS\SYSTEM32\iepeers.dll"
2006-03-03 23:33:42 205,312 ( A.... ) "C:\WINDOWS\SYSTEM32\dxtrans.dll"
2006-03-03 23:33:42 96,256 ( A.... ) "C:\WINDOWS\SYSTEM32\inseng.dll"
2006-03-03 23:33:42 55,808 ( ..... ) "C:\WINDOWS\SYSTEM32\extmgr.dll"
2006-03-03 23:33:40 1,022,976 ( A.... ) "C:\WINDOWS\SYSTEM32\browseui.dll"
2006-03-03 23:33:40 151,040 ( A.... ) "C:\WINDOWS\SYSTEM32\cdfview.dll"
2006-03-01 15:42:42 956,416 ( A.... ) "C:\WINDOWS\SYSTEM32\msdtctm.dll"
2006-03-01 15:42:42 426,496 ( A.... ) "C:\WINDOWS\SYSTEM32\msdtcprx.dll"
2006-03-01 15:42:42 161,280 ( A.... ) "C:\WINDOWS\SYSTEM32\msdtcuiu.dll"
2006-03-01 15:42:42 91,136 ( A.... ) "C:\WINDOWS\SYSTEM32\mtxoci.dll"
2006-03-01 15:42:42 66,560 ( A.... ) "C:\WINDOWS\SYSTEM32\mtxclu.dll"
2006-03-01 15:42:42 11,776 ( A.... ) "C:\WINDOWS\SYSTEM32\xolehlp.dll"

ComboFix ver 06.05.16
Completion time: Sat 05/20/2006 9:07:48.78
This logfile is located at C:\COMBOFIX.txt

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:16 AM, on 5/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {42C0418C-A61E-F1C5-372A-FE6A64D5DCCB} - C:\WINDOWS\system32\owbd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdcco...ad/tgctlsr.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/co...rolLite_EN.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/We...bridge-c18.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144281187578
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://202.139.104.2/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O18 - Protocol: bw+0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\dnl6013se.dll (file missing)
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\orbcp32r.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

tetonbob · 05-20-2006, 08:08 AM

Before we continue, I'd like a bit more information, please:

Create an uninstall list:

Open HiJackThis
Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Click on the Box that says "Open Uninstall Manager"
Click on the button "Save list"
Copy and past the List from the notepad file into your post

pjsteel · 05-20-2006, 08:50 AM

Here is the uninstall_list.txt:

ABBYY FineReader 5.0 Sprint
Ad-Aware SE Personal
Adobe Acrobat 5.0
Advanced System Optimizer 2
Autodesk MapGuide(R) Viewer ActiveX Control Release 6.3
BellSouth FastAccess DSL Help Center
BroadJump Client Foundation
Classic PhoneTools
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Dell | Support
Dell Digital Jukebox Driver
Dell Modem-On-Hold
Dell Picture Studio - Dell Image Expert
Dell Solution Center
DVD Shrink 3.2
Easy CD Creator 5 Basic
Easy Chef's Million Recipes
Event Planner
exPressit S.E. 2.1
Google Earth
Google Toolbar for Internet Explorer
Hallmark Card Studio 2005 Deluxe
HiDownload 5.2
HijackThis 1.99.1
InterActual Player
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.0
Java 2 SDK, SE v1.4.0
Java Web Start
Lavasoft VX2 Cleaner
Lexmark X5100 Series
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam
Logitech® Camera Driver
Macromedia Flash Player 8
Macromedia Shockwave Player
MediaTickets by OIN
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Picture It! Photo 2002
Microsoft PowerPoint Viewer 97
Microsoft Streets and Trips 2002
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
MSN Messenger 7.0
MSN Music Assistant
MSN Toolbar
msxml4SP2
Musicmatch® Jukebox
Nero 6 Ultra Edition
Nero Digital
NeroMIX
Network Play System (Patching)
No-IP.com DUC (remove only)
NTI Backup NOW! 4
NTI DriveBackup! 3 Trial
NTI DVD-Maker
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
Paint Shop Pro 7
Panda ActiveScan
PhotoParade Player
PowerDVD
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Shockwave
Sony USB Driver
Sound Blaster Live! Value
Spybot - Search & Destroy 1.4
SpywareBot 3.6.0.3
The Sims
TurboTax Deluxe 2003
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax ItsDeductible 2005
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Viewpoint Media Player (Remove Only)
VNC Personal Edition P4.2.1
WexTech AnswerWorks
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinPcap 3.1 beta

tetonbob · 05-20-2006, 10:02 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. This is going to take a good while, but to completely clean and protect your system for the future, all steps must be completed.

---------------------------------------------------------------------------------------------

Please submit the following file to Jotti File Scan

C:\WINDOWS\SYSTEM32\sporder.dll

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.

---------------------------------------------------------------------------------------------

Download Ewido Anti-Malware

Install Ewido Anti-Malware
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

Download Pocket Killbox and unzip the exe file to your desktop.

Launch KillBox.exe & select the following options:

delete on Reboot

All files (if available)

Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy

C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\SYSTEM32\cfg32a.exe
C:\WINDOWS\SYSTEM32\WinNB57.dll
C:\WINDOWS\SYSTEM32\cfg32o.dll
C:\WINDOWS\SYSTEM32\cfg32p.dll
C:\WINDOWS\SYSTEM32\cfg32r.dll
C:\WINDOWS\SYSTEM32\cfg32s.dll
C:\WINDOWS\hjxfj.dll
C:\WINDOWS\SYSTEM32\nsg7.dll
C:\WINDOWS\SYSTEM32\nt68rrtc12.sys

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

SpywareBot 3.6.0.3
MediaTickets by OIN
Viewpoint Media Player

---------------------------------------------------------------------------------------------

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - {42C0418C-A61E-F1C5-372A-FE6A64D5DCCB} - C:\WINDOWS\system32\owbd.dll (file missing)
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/We...bridge-c18.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab

All O18 entries like next item, EXCEPT the first one

O18 - Protocol: bw+0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\dnl6013se.dll (file missing)
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\orbcp32r.dll (file missing)

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

---------------------------------------------------------------------------------------------

Delete the following Files/Folders if they exist:

C:\Program Files\Viewpoint
C:\Program Files\SpywareBot
C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe
C:\Documents and Settings\Philip Johnson\Application Data\??mbols<<<The ?? can be any character, may appear as Symbols
C:\Program Files\Common Files\?icrosoft<<<The ? can be any character, may appear as Microsoft. This is NOT the legit 'Microsoft Shared' folder
C:\Program Files\rdso

---------------------------------------------------------------------------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files (if present)
Cleanup! All Users
Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.

---------------------------------------------------------------------------------------------

Restart in normal mode.

---------------------------------------------------------------------------------------------

We need to update your Java as it is out of date. The older version is a security risk, as malware writers exploit the weaknesses in it's code.

Updating Java:

Go to Start > Control Panel double-click on the Software icon > add/remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select it and click Remove.
Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp
After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked
- Other Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

---------------------------------------------------------------------------------------------

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are two very good free Antivirus products which are available:

Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with logs from:

Jotti scan
Ewido
Rapport.txt
Panda
HJT

pjsteel · 05-20-2006, 08:07 PM

Here are the reports you asked for.

I deleted a file in C:\Program Files\Common Files\Microsoft Shared

I assumed this is what you were asking me to do. Was this correct?
The reason I ask is when I run Internet Explorer it tries to load or update Windows XP Professional.
I use the Home Edition of XP. It will not complete the load and asks me for the Windows XP Professional disk which I do not have. This happens everytime a new Windows Explorer Window loads.

Jotti File Scan

Service load: 0% 100%

File: sporder.dll
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 f12e514aea35cd28ba6c080e707550f9
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:33:51 PM, 5/20/2006
+ Report-Checksum: E34F30DA

+ Scan result:

C:\Documents and Settings\Philip Johnson\Local Settings\Test A\!update.exe -> Downloader.PurityScan.cl : Cleaned with backup
C:\Documents and Settings\Philip Johnson\Local Settings\Test A\i6F.tmp -> Adware.SurfSide : Cleaned with backup
C:\HiJackThis\backups\backup-20060520-184613-544.dll -> Adware.MediaMotor : Cleaned with backup
C:\Program Files\Common Files\icro.exe -> Adware.Agent : Cleaned with backup
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup
C:\Program Files\DVD Shrink\License.exe -> Adware.Agent : Cleaned with backup
C:\Program Files\Support.com\backup\Ne\newdotnet7_22.dll\614400_50b7ee307_/newdotnet7_22.dll -> Adware.NewDotNet : Cleaned with backup
C:\QooBox\axids.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup
C:\QooBox\bvday.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup
C:\QooBox\jnqyse.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup
C:\QooBox\ksohdjb.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup
C:\QooBox\olgce.dat.vir -> Downloader.Qoologic.bj : Cleaned with backup
C:\QooBox\puqyjml.dll.vir -> Downloader.Qoologic.bj : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP942\A0146851.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP942\A0146866.dll -> Adware.Surfside : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP942\A0146868.exe -> Adware.Surfside : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP942\A0146871.dll -> Adware.Surfside : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP942\A0146879.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP942\A0146889.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP943\A0146896.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP943\A0147121.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP943\A0147124.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP943\A0147139.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP943\A0147153.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP944\A0147163.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP944\A0147185.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP944\A0147195.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP944\A0147204.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP944\A0147207.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP944\A0147234.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP945\A0147243.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP946\A0147273.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP946\A0147276.exe -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP946\A0147311.ocx -> Adware.MediaMotor : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP957\A0148691.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148821.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148822.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148823.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148824.exe -> Downloader.Qoologic.bj : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148825.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148839.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148841.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148842.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148843.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148845.exe -> Hijacker.Small : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148846.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148851.exe -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148855.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148880.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0149342.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0149343.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0149344.exe -> Adware.NewDotNet : Cleaned with backup
C:\test\ipwins\ipwins.exe -> Adware.Agent : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\SYSTEM32\cfg32o.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\SYSTEM32\cfg32p.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\SYSTEM32\cfg32r.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\SYSTEM32\cfg32s.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsg7.dll -> Adware.SideFind : Cleaned with backup
C:\WINDOWS\SYSTEM32\WinNB57.dll -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\SYSTEM32\?ystem32\lsass.exe -> Downloader.PurityScan.cl : Cleaned with backup
C:\WINDOWS\Tempa\cfg32.exe -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\Tempa\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\Tempa\cfg32o.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\Tempa\cfg32p.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\Tempa\cfg32r.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\Tempa\cfg32s.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\Tempa\enueaqjp.exe -> Adware.BookedSpace : Cleaned with backup

::Report End

SmitFraudFix v2.45

Scan done at 21:48:35.01, Sat 05/20/2006
Run from C:\Documents and Settings\Philip Johnson\Desktop\ADWARE Fixes\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Philip Johnson\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PHILIP~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

************************************
There was No Panda report generated
************************************

Logfile of HijackThis v1.99.1
Scan saved at 10:01:59 PM, on 5/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\msiexec.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdcco...ad/tgctlsr.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/co...rolLite_EN.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144281187578
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://202.139.104.2/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O18 - Protocol: bw+0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing)
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

tetonbob · 05-20-2006, 09:04 PM

Quote:

I deleted a file in C:\Program Files\Common Files\Microsoft Shared

I assumed this is what you were asking me to do. Was this correct?

No, I said:

Quote:

Delete:

C:\Program Files\Common Files\?icrosoft<<<The ? can be any character, may appear as Microsoft. This is NOT the legit 'Microsoft Shared' folder

Meaning exactly that....Microsoft Shared is legit and required, and you were to leave that alone.

Do you recall what file did you deleted?

I imagine since you otherwise so faithfully followed all the rest of the instructions, that you ran CleanUp, and your Recycle Bin is now empy....if it isn't, for some reason, let me know what's in it so we can possibly restore it.

pjsteel · 05-21-2006, 06:09 AM

No there is nothing there.

That was definitly my fault.

tetonbob · 05-21-2006, 08:34 AM

Phil, if you recall what file it was, we can likely replace it from elsewhere.

Try running the System File Checker.

Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD.

Failing that....

Can you please tell me the exact error message?

You use Internet Explorer and Windows Explorer in your earlier explanation of the new issue....is it both, or only IE?

If possible, capture a screen shot of the message.

In Windows a screenshot of the entire monitor, complete with taskbar, can be copied to the system clipboard by pressing the Print screen key (normally located in the top row on the right-hand side of the keyboard)..

You can then paste the clipboard into a program like MS Paint to save it as an image file or paste it directly into a document.

Press the Print screen key
Click the "Start" button (normally located in the bottom left of your screen).
Click "Run" & type "mspaint" (without quotes) & click the "OK" button.
Wait while the application "Paint" opens. Once it is open, proceed to the next step.
Click the "Edit" menu and select "Paste".
Click the "File" menu and select "Save As...". A dialog box will appear.
In the "File name" field, enter a name of your choice.
Click the "Save as type" drop-down and select "JPEG (*.JPG;*.JPEG;*.JPE*;.JFIF)".
Click the "Save" button.

Attach it to your next reply.

Other than this new issue, how is your system behaving? I believe we got all the malware.

pjsteel · 05-21-2006, 04:40 PM

Other than my blunder my system seems to be in good shape. I greatlty appreciate your help with this!
As for as remembering the file I deleted, it was the folder entitled Microsoft Shared.
I think I really, really messed up. I will try and locate my original CDROMS fo XP and Office Professional
None of my Office Stuff is working either.

But I will need to get my ROM Drive up and running first( this has not been my weekend at all)

The message was indeed in IE Explorer not Windows Explorer.
The message was also concerning Windows Office XP Professional and and not Windows Professional.
(My mind is wore out now.)

It randomly comes up when I am in IE and the screen change in any way. The message looks like this.

(See Attachments)

When I run sfc /scannow I get this error.

Files that are required for Windows to run properly have been replaced
by unrecognized version. To maintain system stability, Windows must restore
the original versions of these files. Insert your Windows Home Edition CDROM now.

I could not do a screen print on this one.
Thanks Again
Phil

tetonbob · 05-21-2006, 06:19 PM

Hi Phil -

I apologize if my instructions caused any confusion....they were intended to clarify, for the very reason you've now experienced.

Yeah, you're going to need both the Office XP CD and the Windows XP Home CD to get back to full functionality. And, as you say, you need your CD ROM Drive back first.

Please consult with the folks over in Windows XP forum for this issue first.

Typical solution is to update/reinstall the drivers, reboot and see if Windows Picks it back up on reboot.

Go to Start>Run type devmgmt.msc and press Enter. Look for your CD device. Any Yellow Exclamatin points? Right click on the CD device, select Update Driver

OR....remove the device from Device Manager, reboot and see if Windows Picks it back up on reboot.

Let me know how you get along. Eventually, I'd like to offer you some future protection advice, but you should try to solve out these issues first.

Again, I'm sorry for your misfortune, as we were very close to being done with malware removal.

pjsteel · 05-22-2006, 07:16 AM

tetonbob,

Thanks for all your help. Your advice was definitley topnotch. I was the one that blew that one.

FYI -I got my CD/DVDROM drives back up this morning thanks to another forum on this site.

I have posted my issues on the Windows XP forum as you suggested.

We have recently moved so, I am still trying to find my CDROMs for XP and Office.

Anyway, I will definetly send a donation as soon as I sort all this out.
I'll be back!

Thanks again,
Phil

tetonbob · 05-22-2006, 08:33 AM

OK, Phil, that's two issues resolved (malware and CD/DVD drives)....now as soon as you find your install disks, you should be able to restore what was lost.

It may take a repair install to fully recover the MS Shared folder, but I'll let the folks over in XP advise you on that.

Let me know when you're up and running again so we can protect your system for the future.

pjsteel · 05-23-2006, 08:51 AM

tetonbob,

I am back up and running again with no hiccups so far.

Both Widows XP and Office Pro are back in order.

You said that you had more advice for me. I look forward to receiving it.

Thanks once again for all your help.
Phil

tetonbob · 05-23-2006, 01:35 PM

OK, Phil, that's great news!

Before I give you those final instructions, I'd like to see one last HJT log, please.

pjsteel · 05-24-2006, 07:13 AM

Ok here is my latest HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 9:11:18 AM, on 5/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdcco...ad/tgctlsr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/co...rolLite_EN.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144281187578
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://202.139.104.2/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O18 - Protocol: bw+0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pure Networks Router Manager (pnrouter) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

tetonbob · 05-24-2006, 07:57 AM

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.

Reset hidden/system files and folders

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Create a new System Restore point

click Start >> Run - type SYSDM.CPL & press Enter
select the System Restore Tab
tick on the checkbox - "Turn off System Restore on all drives"
click Apply
then untick the same checkbox & click OK

Please ensure that you have already patched your system against the recent WMF exploit.
Go to this page to get the KB912919 patch.

Enable Windows Auto Update

Go to Start>Run - type wuaucpl.cpl
tick on the checkbox - "Keep my computer up to date"
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
SpywareGuard to catch and block spyware before it can execute.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software
IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
- Download IE-SpyAD - Extract the contents to a new folder
  From within the folder, double-click install.bat
  Select Option #2 - Install the new IE-SPYAD list.
  Then return to the main menu.
  Select option #4 - Add the old porn sites domain
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online antivirus scanners:

Anti-Spyware Tutorial

Here are two very good free Antivirus products which are available:
Avast!
AVG

If you do not have a firewall, here are 4 free ones available for personal use:

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

pjsteel · 05-25-2006, 11:09 AM

tetonbob,

I have followed your list of to-do items from your previous post.

Everything seems to be running fine but when I run Spybot Search and destroy it gets 1 item that it can't remove (see attachment for details). It is called Command Service.

I ran Adaware, EWIDO, Avast antivirus, CA online Anivirus, Housecall online Anivirus and CW Shredder. None of these picked it up. Spybot S&D recognized it but could not get rid of it.

Just thought I would let you know this.
Again, I haven't noticed any problems but this kind of bugs me.

Here is my latest HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 12:52:44 PM, on 5/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Pure Networks\Router Service\pnroutsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun
O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdcco...ad/tgctlsr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/co...rolLite_EN.cab

Thanks Again,
Phil

tetonbob · 05-25-2006, 12:13 PM

Hi Phil -

Your recent HJT log appears incomplete...note the lack of O23 section in this log.

For the Spybot finds, please do this:

Please download delcmdservice (by Marckie), and save it to your Desktop.

Unzip the content to your Desktop (a folder named delcmdservice)
Double-click on the delcmdservice folder
Double-click on delreg.bat to launch the tool
When the tool has finished, please reboot your computer.

Run Spybot again, and see if the problem is resolved.

05-19-2006, 11:45 AM	#1 (permalink)
pjsteel Registered User Join Date: May 2006 Posts: 26 OS: Windows XP	newbie Malware problems: ABetterInternet.Nail HI, this is my first post on this forum. I have gone thru the 5 steps prior to this post. Adaware cannot clean 2 files from my registry they are: 1) ABetterInternet.Nail Object Recognized! Type : RegData Data : explorer.exe, c:\windows\system32\axids.exe TAC Rating : 5 Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows nt\currentversion\winlogon Value : Shell Data : explorer.exe, c:\windows\system32\axids.exe 2) Windows Object Recognized! Type : RegData Data : explorer.exe, c:\windows\system32\axids.exe TAC Rating : 3 Category : Vulnerability Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows nt\currentversion\winlogon Value : Shell Data : explorer.exe, c:\windows\system32\axids.exe Also, the free virus software scans cleaned off numerous infections. Now computer does not recoginize my DVD-ROM drives. Drivers are loaded and recognized but it cant find the drives(code 41) Here is my HiJackThis.log: C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SpywareBot\SpywareBot.exe C:\HiJackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local R3 - URLSearchHook: (no name) - {42C0418C-A61E-F1C5-372A-FE6A64D5DCCB} - C:\WINDOWS\system32\owbd.dll (file missing) F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\axids.exe F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ksohdjb.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing) O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing) O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: .elitemediagroup.net O15 - Trusted Zone: .mmohsix.com O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdcco...ad/tgctlsr.cab O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/co...rolLite_EN.cab O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/We...bridge-c18.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144281187578 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://202.139.104.2/activex/AxisCamControl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab O18 - Protocol: bw+0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw+0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O18 - Protocol: bwg0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwg0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: offline-8876480 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\dnl6013se.dll (file missing) O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\orbcp32r.dll (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing) best regards, Phil

05-19-2006, 09:15 PM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,682 OS: 2000 Pro; XP Pro; XP Home	Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Download the file attached - Within it, double-click on combofix.exe & follow the prompts given, and be patient. Depending on the severity of your infection, it may reboot your machine 1-2 times. When it's done, it shall produce a report which you should post back here. Also post a new HJT log. Make sure it is from normal mode, please. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009 Last edited by tetonbob; 05-20-2006 at 08:06 AM.

05-20-2006, 08:08 AM	#4 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,682 OS: 2000 Pro; XP Pro; XP Home	Before we continue, I'd like a bit more information, please: Create an uninstall list: Open HiJackThis Click on the configure button on the bottom right Click on the tab "Misc Tools" Click on the Box that says "Open Uninstall Manager" Click on the button "Save list" Copy and past the List from the notepad file into your post __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-20-2006, 10:02 AM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,682 OS: 2000 Pro; XP Pro; XP Home	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. This is going to take a good while, but to completely clean and protect your system for the future, all steps must be completed. --------------------------------------------------------------------------------------------- Please submit the following file to Jotti File Scan C:\WINDOWS\SYSTEM32\sporder.dll At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit". When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here. --------------------------------------------------------------------------------------------- Download Ewido Anti-Malware Install Ewido Anti-Malware When installing, under "Additional Options" uncheck.. Install background guard Install scan via context menu Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. Download and install CleanUp! NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe Download Pocket Killbox and unzip the exe file to your desktop. Launch KillBox.exe & select the following options: delete on Reboot All files (if available) Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy C:\WINDOWS\NDNuninstall7_22.exe C:\WINDOWS\SYSTEM32\cfg32a.exe C:\WINDOWS\SYSTEM32\WinNB57.dll C:\WINDOWS\SYSTEM32\cfg32o.dll C:\WINDOWS\SYSTEM32\cfg32p.dll C:\WINDOWS\SYSTEM32\cfg32r.dll C:\WINDOWS\SYSTEM32\cfg32s.dll C:\WINDOWS\hjxfj.dll C:\WINDOWS\SYSTEM32\nsg7.dll C:\WINDOWS\SYSTEM32\nt68rrtc12.sys * Go to the File menu, and choose Paste from Clipboard * Click the RED X button. * Click Yes at the Delete on Reboot prompt. * Click Yes at the 'Pending Operations prompt'. --------------------------------------------------------------------------------------------- Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. --------------------------------------------------------------------------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: SpywareBot 3.6.0.3 MediaTickets by OIN Viewpoint Media Player --------------------------------------------------------------------------------------------- Run a scan in HijackThis. Check each of the following and hit 'Fix checked' if they still exist (make sure not to miss any): R3 - URLSearchHook: (no name) - {42C0418C-A61E-F1C5-372A-FE6A64D5DCCB} - C:\WINDOWS\system32\owbd.dll (file missing) O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot O15 - Trusted Zone: .elitemediagroup.net O15 - Trusted Zone: .mmohsix.com O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/We...bridge-c18.cab O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab All O18 entries like next item, EXCEPT the first one O18 - Protocol: bw+0s - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\dnl6013se.dll (file missing) O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\orbcp32r.dll (file missing) --------------------------------------------------------------------------------------------- Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. --------------------------------------------------------------------------------------------- Delete the following Files/Folders if they exist: C:\Program Files\Viewpoint C:\Program Files\SpywareBot C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe C:\Documents and Settings\Philip Johnson\Application Data\??mbols<<<The ?? can be any character, may appear as Symbols C:\Program Files\Common Files\?icrosoft<<<The ? can be any character, may appear as Microsoft. This is NOT the legit 'Microsoft Shared' folder C:\Program Files\rdso --------------------------------------------------------------------------------------------- Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following (Make sure nothing else is checked!): Empty Recycle Bins Delete Cookies Delete Prefetch files (if present) Cleanup! All Users Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked. Click OK Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted. * CleanUp! will not create any backups!! --------------------------------------------------------------------------------------------- Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop Ewido scan would require at least an hour. --------------------------------------------------------------------------------------------- Restart in normal mode. --------------------------------------------------------------------------------------------- We need to update your Java as it is out of date. The older version is a security risk, as malware writers exploit the weaknesses in it's code. Updating Java: Go to Start > Control Panel double-click on the Software icon > add/remove programs. Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... ) Select it and click Remove. Then Download and install the newest version from here: http://www.java.com/en/download/manual.jsp After the reboot, go back into the Control Panel and double-click the Java Icon. Under Temporary Internet Files, click the Delete Files button. There are three options in the window to clear the cache - Leave ALL 3 Checked Downloaded Applets Downloaded Applications Other Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Java Control Panel. --------------------------------------------------------------------------------------------- --------------------------------------------------------------------------------------------- I see no evidence of an AntiVirus program on your system. This must be resolved. Here are two very good free Antivirus products which are available: Avast! AVG Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan. --------------------------------------------------------------------------------------------- Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #1 - Search by typing 1 and press "Enter" and a text file will appear which lists infected files (if present). Please copy/paste the content of that report into your next reply. IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so! --------------------------------------------------------------------------------------------- Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner Click Check Now** and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report Turn off the real time scanner of any existing antivirus program while performing the online scan --------------------------------------------------------------------------------------------- Run a new HijackThis scan. Save the log file and post it here. --------------------------------------------------------------------------------------------- Please return with logs from: Jotti scan Ewido Rapport.txt Panda HJT __________________ Practice Safe Surfing* PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-21-2006, 08:34 AM	#10 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,682 OS: 2000 Pro; XP Pro; XP Home	Phil, if you recall what file it was, we can likely replace it from elsewhere. Try running the System File Checker. Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD. Failing that.... Can you please tell me the exact error message? You use Internet Explorer and Windows Explorer in your earlier explanation of the new issue....is it both, or only IE? If possible, capture a screen shot of the message. In Windows a screenshot of the entire monitor, complete with taskbar, can be copied to the system clipboard by pressing the Print screen key (normally located in the top row on the right-hand side of the keyboard).. You can then paste the clipboard into a program like MS Paint to save it as an image file or paste it directly into a document. Press the Print screen key Click the "Start" button (normally located in the bottom left of your screen). Click "Run" & type "mspaint" (without quotes) & click the "OK" button. Wait while the application "Paint" opens. Once it is open, proceed to the next step. Click the "Edit" menu and select "Paste". Click the "File" menu and select "Save As...". A dialog box will appear. In the "File name" field, enter a name of your choice. Click the "Save as type" drop-down and select "JPEG (.JPG;.JPEG;.JPE;.JFIF)". Click the "Save" button. Attach it to your next reply. Other than this new issue, how is your system behaving? I believe we got all the malware. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-20-2006, 08:50 AM	#5 (permalink)
pjsteel Registered User Join Date: May 2006 Posts: 26 OS: Windows XP	Here is the uninstall_list.txt: ABBYY FineReader 5.0 Sprint Ad-Aware SE Personal Adobe Acrobat 5.0 Advanced System Optimizer 2 Autodesk MapGuide(R) Viewer ActiveX Control Release 6.3 BellSouth FastAccess DSL Help Center BroadJump Client Foundation Classic PhoneTools Conexant HSF V92 56K RTAD Speakerphone PCI Modem Dell \| Support Dell Digital Jukebox Driver Dell Modem-On-Hold Dell Picture Studio - Dell Image Expert Dell Solution Center DVD Shrink 3.2 Easy CD Creator 5 Basic Easy Chef's Million Recipes Event Planner exPressit S.E. 2.1 Google Earth Google Toolbar for Internet Explorer Hallmark Card Studio 2005 Deluxe HiDownload 5.2 HijackThis 1.99.1 InterActual Player J2SE Runtime Environment 5.0 Update 3 Java 2 Runtime Environment, SE v1.4.0 Java 2 SDK, SE v1.4.0 Java Web Start Lavasoft VX2 Cleaner Lexmark X5100 Series Logitech Desktop Messenger Logitech Print Service Logitech QuickCam Logitech® Camera Driver Macromedia Flash Player 8 Macromedia Shockwave Player MediaTickets by OIN Microsoft Data Access Components KB870669 Microsoft Encarta Encyclopedia Standard 2002 Microsoft Money 2002 Microsoft Money 2002 System Pack Microsoft Office XP Media Content Microsoft Office XP Professional Microsoft Picture It! Photo 2002 Microsoft PowerPoint Viewer 97 Microsoft Streets and Trips 2002 Microsoft Word 2002 Microsoft Works 2002 Setup Launcher Microsoft Works 6.0 Microsoft Works Suite Add-in for Microsoft Word Modem Helper MSN Messenger 7.0 MSN Music Assistant MSN Toolbar msxml4SP2 Musicmatch® Jukebox Nero 6 Ultra Edition Nero Digital NeroMIX Network Play System (Patching) No-IP.com DUC (remove only) NTI Backup NOW! 4 NTI DriveBackup! 3 Trial NTI DVD-Maker NVIDIA Display Driver NVIDIA Windows 2000/XP Display Drivers Paint Shop Pro 7 Panda ActiveScan PhotoParade Player PowerDVD QuickTime RealPlayer Security Update for Step By Step Interactive Training (KB898458) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows XP (KB883939) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896422) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB896688) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899588) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB903235) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB908531) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911567) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912812) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913446) Security Update for Windows XP (KB913580) Shockwave Sony USB Driver Sound Blaster Live! Value Spybot - Search & Destroy 1.4 SpywareBot 3.6.0.3 The Sims TurboTax Deluxe 2003 TurboTax Deluxe 2004 TurboTax Deluxe 2005 TurboTax ItsDeductible 2005 Update for Windows XP (KB894391) Update for Windows XP (KB896727) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB910437) Viewpoint Media Player (Remove Only) VNC Personal Edition P4.2.1 WexTech AnswerWorks Winamp (remove only) Windows Installer 3.1 (KB893803) Windows Installer 3.1 (KB893803) Windows Media Format Runtime Windows Media Player 10 Windows XP Hotfix - KB867282 Windows XP Hotfix - KB873333 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB885884 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890047 Windows XP Hotfix - KB890175 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB890923 Windows XP Hotfix - KB891781 Windows XP Hotfix - KB893066 Windows XP Hotfix - KB893086 Windows XP Service Pack 2 WinPcap 3.1 beta

05-20-2006, 08:07 PM	#7 (permalink)
pjsteel Registered User Join Date: May 2006 Posts: 26 OS: Windows XP	Here are the reports you asked for. I deleted a file in C:\Program Files\Common Files\Microsoft Shared I assumed this is what you were asking me to do. Was this correct? The reason I ask is when I run Internet Explorer it tries to load or update Windows XP Professional. I use the Home Edition of XP. It will not complete the load and asks me for the Windows XP Professional disk which I do not have. This happens everytime a new Windows Explorer Window loads. Jotti File Scan Service load: 0% 100% File: sporder.dll Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) MD5 f12e514aea35cd28ba6c080e707550f9 Packers detected: - Scanner results AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing Fortinet Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing UNA Found nothing VirusBuster Found nothing VBA32 Found nothing --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 8:33:51 PM, 5/20/2006 + Report-Checksum: E34F30DA + Scan result: C:\Documents and Settings\Philip Johnson\Local Settings\Test A\!update.exe -> Downloader.PurityScan.cl : Cleaned with backup C:\Documents and Settings\Philip Johnson\Local Settings\Test A\i6F.tmp -> Adware.SurfSide : Cleaned with backup C:\HiJackThis\backups\backup-20060520-184613-544.dll -> Adware.MediaMotor : Cleaned with backup C:\Program Files\Common Files\icro.exe -> Adware.Agent : Cleaned with backup C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup C:\Program Files\DVD Shrink\License.exe -> Adware.Agent : Cleaned with backup C:\Program Files\Support.com\backup\Ne\newdotnet7_22.dll\614400_50b7ee307_/newdotnet7_22.dll -> Adware.NewDotNet : Cleaned with backup C:\QooBox\axids.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup C:\QooBox\bvday.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup C:\QooBox\jnqyse.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup C:\QooBox\ksohdjb.exe.vir -> Downloader.Qoologic.bj : Cleaned with backup C:\QooBox\olgce.dat.vir -> Downloader.Qoologic.bj : Cleaned with backup C:\QooBox\puqyjml.dll.vir -> Downloader.Qoologic.bj : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP942\A0146851.exe -> Adware.Agent : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP942\A0146866.dll -> Adware.Surfside : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP942\A0146868.exe -> Adware.Surfside : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP942\A0146871.dll -> Adware.Surfside : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP942\A0146879.exe -> Adware.Agent : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP942\A0146889.exe -> Adware.Agent : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP943\A0146896.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP943\A0147121.exe -> Adware.Agent : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP943\A0147124.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP943\A0147139.exe -> Adware.Agent : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP943\A0147153.exe -> Adware.Agent : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP944\A0147163.exe -> Adware.Agent : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP944\A0147185.exe -> Adware.Agent : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP944\A0147195.exe -> Adware.Agent : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP944\A0147204.exe -> Adware.Agent : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP944\A0147207.exe -> Adware.Agent : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP944\A0147234.exe -> Adware.Agent : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP945\A0147243.exe -> Adware.Agent : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP946\A0147273.exe -> Adware.Agent : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP946\A0147276.exe -> Adware.Agent : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP946\A0147311.ocx -> Adware.MediaMotor : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP957\A0148691.exe -> Adware.NewDotNet : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148821.exe -> Downloader.Qoologic.bj : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148822.exe -> Downloader.Qoologic.bj : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148823.exe -> Downloader.Qoologic.bj : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148824.exe -> Downloader.Qoologic.bj : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148825.dll -> Downloader.Qoologic.bj : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148839.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148841.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148842.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148843.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148845.exe -> Hijacker.Small : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148846.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148851.exe -> Adware.Mirar : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148855.exe -> Adware.ZenoSearch : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0148880.exe -> Adware.NewDotNet : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0149342.dll -> Adware.NewDotNet : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0149343.exe -> Adware.NewDotNet : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP958\A0149344.exe -> Adware.NewDotNet : Cleaned with backup C:\test\ipwins\ipwins.exe -> Adware.Agent : Cleaned with backup C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup C:\WINDOWS\SYSTEM32\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup C:\WINDOWS\SYSTEM32\cfg32o.dll -> Adware.BookedSpace : Cleaned with backup C:\WINDOWS\SYSTEM32\cfg32p.dll -> Adware.BookedSpace : Cleaned with backup C:\WINDOWS\SYSTEM32\cfg32r.dll -> Adware.BookedSpace : Cleaned with backup C:\WINDOWS\SYSTEM32\cfg32s.dll -> Adware.BookedSpace : Cleaned with backup C:\WINDOWS\SYSTEM32\nsg7.dll -> Adware.SideFind : Cleaned with backup C:\WINDOWS\SYSTEM32\WinNB57.dll -> Adware.Mirar : Cleaned with backup C:\WINDOWS\SYSTEM32\?ystem32\lsass.exe -> Downloader.PurityScan.cl : Cleaned with backup C:\WINDOWS\Tempa\cfg32.exe -> Adware.BookedSpace : Cleaned with backup C:\WINDOWS\Tempa\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup C:\WINDOWS\Tempa\cfg32o.dll -> Adware.BookedSpace : Cleaned with backup C:\WINDOWS\Tempa\cfg32p.dll -> Adware.BookedSpace : Cleaned with backup C:\WINDOWS\Tempa\cfg32r.dll -> Adware.BookedSpace : Cleaned with backup C:\WINDOWS\Tempa\cfg32s.dll -> Adware.BookedSpace : Cleaned with backup C:\WINDOWS\Tempa\enueaqjp.exe -> Adware.BookedSpace : Cleaned with backup ::Report End SmitFraudFix v2.45 Scan done at 21:48:35.01, Sat 05/20/2006 Run from C:\Documents and Settings\Philip Johnson\Desktop\ADWARE Fixes\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Philip Johnson\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PHILIP~1\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End ********************************** There was No Panda report generated ********************************** Logfile of HijackThis v1.99.1 Scan saved at 10:01:59 PM, on 5/20/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\No-IP\DUC20.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\msiexec.exe C:\HiJackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdcco...ad/tgctlsr.cab O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/co...rolLite_EN.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144281187578 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://202.139.104.2/activex/AxisCamControl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab O18 - Protocol: bw+0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (file missing) O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

05-21-2006, 06:09 AM	#9 (permalink)
pjsteel Registered User Join Date: May 2006 Posts: 26 OS: Windows XP	No there is nothing there. That was definitly my fault.

05-21-2006, 06:19 PM	#12 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,682 OS: 2000 Pro; XP Pro; XP Home	Hi Phil - I apologize if my instructions caused any confusion....they were intended to clarify, for the very reason you've now experienced. Yeah, you're going to need both the Office XP CD and the Windows XP Home CD to get back to full functionality. And, as you say, you need your CD ROM Drive back first. Please consult with the folks over in Windows XP forum for this issue first. Typical solution is to update/reinstall the drivers, reboot and see if Windows Picks it back up on reboot. Go to Start>Run type devmgmt.msc and press Enter. Look for your CD device. Any Yellow Exclamatin points? Right click on the CD device, select Update Driver OR....remove the device from Device Manager, reboot and see if Windows Picks it back up on reboot. Let me know how you get along. Eventually, I'd like to offer you some future protection advice, but you should try to solve out these issues first. Again, I'm sorry for your misfortune, as we were very close to being done with malware removal. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-22-2006, 07:16 AM	#13 (permalink)
pjsteel Registered User Join Date: May 2006 Posts: 26 OS: Windows XP	tetonbob, Thanks for all your help. Your advice was definitley topnotch. I was the one that blew that one. FYI -I got my CD/DVDROM drives back up this morning thanks to another forum on this site. I have posted my issues on the Windows XP forum as you suggested. We have recently moved so, I am still trying to find my CDROMs for XP and Office. Anyway, I will definetly send a donation as soon as I sort all this out. I'll be back! Thanks again, Phil

05-22-2006, 08:33 AM	#14 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,682 OS: 2000 Pro; XP Pro; XP Home	OK, Phil, that's two issues resolved (malware and CD/DVD drives)....now as soon as you find your install disks, you should be able to restore what was lost. It may take a repair install to fully recover the MS Shared folder, but I'll let the folks over in XP advise you on that. Let me know when you're up and running again so we can protect your system for the future. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-23-2006, 08:51 AM	#15 (permalink)
pjsteel Registered User Join Date: May 2006 Posts: 26 OS: Windows XP	tetonbob, I am back up and running again with no hiccups so far. Both Widows XP and Office Pro are back in order. You said that you had more advice for me. I look forward to receiving it. Thanks once again for all your help. Phil

05-23-2006, 01:35 PM	#16 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,682 OS: 2000 Pro; XP Pro; XP Home	OK, Phil, that's great news! Before I give you those final instructions, I'd like to see one last HJT log, please. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-24-2006, 07:13 AM	#17 (permalink)
pjsteel Registered User Join Date: May 2006 Posts: 26 OS: Windows XP	Ok here is my latest HJT log. Logfile of HijackThis v1.99.1 Scan saved at 9:11:18 AM, on 5/24/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\Explorer.EXE C:\Program Files\No-IP\DUC20.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Pure Networks\Router Service\pnroutsv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Pure Networks\Network Magic\nmapp.exe C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\HiJackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe" O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun O4 - HKLM\..\Run: [PVR Agent] C:\Program Files\KWorld Multimedia\PVR Plus\TVR\Scheduled.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdcco...ad/tgctlsr.cab O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/co...rolLite_EN.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144281187578 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://202.139.104.2/activex/AxisCamControl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab O18 - Protocol: bw+0 - {876E20E8-0ABF-4054-AC65-CA7E11480D1D} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pure Networks Router Manager (pnrouter) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Router Service\pnroutsv.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

05-24-2006, 07:57 AM	#18 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,682 OS: 2000 Pro; XP Pro; XP Home	Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address. Reset hidden/system files and folders Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide file extensions for known types option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Create a new System Restore point click Start >> Run - type SYSDM.CPL & press Enter select the System Restore Tab tick on the checkbox - "Turn off System Restore on all drives" click Apply then untick the same checkbox & click OK Please ensure that you have already patched your system against the recent WMF exploit. Go to this page to get the KB912919 patch. Enable Windows Auto Update Go to Start>Run - type wuaucpl.cpl tick on the checkbox - "Keep my computer up to date" Under settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items SpywareGuard to catch and block spyware before it can execute. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. Download IE-SpyAD - Extract the contents to a new folder From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list. Then return to the main menu. Select option #4 - Add the old porn sites domain MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners: Anti-Spyware Tutorial Here are two very good free Antivirus products which are available: Avast! AVG If you do not have a firewall, here are 4 free ones available for personal use: ZoneAlarm Avast Antivirus/Firewall Tiny Personal Firewall OutPost Firewall In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-25-2006, 12:13 PM	#20 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,682 OS: 2000 Pro; XP Pro; XP Home	Hi Phil - Your recent HJT log appears incomplete...note the lack of O23 section in this log. For the Spybot finds, please do this: Please download delcmdservice (by Marckie), and save it to your Desktop. Unzip the content to your Desktop (a folder named delcmdservice) Double-click on the delcmdservice folder Double-click on delreg.bat to launch the tool When the tool has finished, please reboot your computer. Run Spybot again, and see if the problem is resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009