05-19-2005, 02:28 PM   #1 (permalink)
lisauk (Registered User)
Join Date: Aug 2004
Posts: 158
OS: XP


Trojan Dialer

This is a friend's computer but they have given it to me to fix.

I went around to their house yesterday to install broadband as they had been using several free ISPs before.

They have AVG installed on their computer and it keeps popping up with a few viruses.

I have done a scan with TDS-3 and HijackThis and I will post them below.

I have also just started an AVG scan of the system but I feel it is going to take a while.

All help will be gratefully received.

Cheers Lisa

HIJACKTHIS LOG

----------------------

Logfile of HijackThis v1.99.1
Scan saved at 21:19:43, on 19/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows AdTools\WinAdTools.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Windows AdTools\WinRatchet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\richard\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.netbreeze.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 57.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\EliteSideBar version 8.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winsyl32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\uk_nm.exe -N
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteked32.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.netbreeze.co.uk/
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

-----------------

TDS LOG and ALERTS

TDS Alerts

Scan Control Dumped @ 21:17:44 19-05-05
RegVal Trace: Worm.Francette: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft IIS=C:\WINDOWS\system32\syshost.exe]

Positive identification: Riskware.Dialer.PlayGames
File: c:\windows\downloaded program files\ringtone.exe

Positive identification: Worm.Win32.Francette.n1
File: c:\windows\system32\syshost.exe

----------------------------------------------

TDS SCAN

20:18:25 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
20:18:25 [Init] Started 19-05-05 20:18:25 GMT Standard Time (UTC: 0), Internet Time @846.12
20:18:25 [Init] Loading TDS-3 Systems ...
20:18:25 [Init] Token successfully adjusted.
20:18:25 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
20:18:25 [Init] • Plugins : OK. Loaded 13
20:18:25 [Init] • Exec Protection : Not Installed
20:18:25 [Init] WARNING: Your Radius.TD3 database needs to be updated!
20:18:25 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
20:18:25 [Init] Licensed users can use the Update facility from the TDS menu
20:18:26 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
20:18:34 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
20:18:34 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
20:18:34 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
20:18:34 [Init] TDS-3 Ready. <Richard@127.0.0.1 - United Kingdom>
20:18:34 [Tip Of The Day] For a summary of what a button or feature of TDS-3 does, hover the mouse cursor over it to get tooltip information.
20:18:34 [TDS] Good evening Richard.
20:18:41 [Mutex Memory Scan] Started...
20:18:43 [Mutex Memory Scan] Finished (no trojan mutexes found).
20:18:43 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
20:20:34 [CRC32] Started - verifying 29 files ...
20:20:35 [CRC32] File doesn't exist: C:\autoexec.bat
20:20:41 [CRC32] Test finished.
20:23:01 [Memory Scan] Memory scan started, please wait a moment ...
20:23:02 [Memory Scan] Memory scan complete.
20:23:02 [Mutex Memory Scan] Started...
20:23:04 [Mutex Memory Scan] Finished (no trojan mutexes found).
20:23:04 [Trace Scan] Started...
20:23:15 [Trace Scan] Finished.
20:23:15 [ServiceScan] Scanning for services and drivers ...
20:23:23 [ServiceScan] Scanned 326 services and drivers.
20:23:23 [File Scan] Scanning in A:\ ...
20:23:24 [File Scan] Scanned 0 files: 1 alarms in 1.046875 seconds (Avg 1. files/sec)
20:23:24 [File Scan] Scanning in C:\ ...
20:56:01 [Locked File] Couldn't open c:\windows\sideb.exe for read access, file is locked
21:16:03 [File Scan] Scanned 59889 files: 3 alarms in 3159.328 seconds (Avg 19.96 files/sec)
21:16:03 [File Scan] Scanning in D:\ ...
21:16:03 [File Scan] Scanned 0 files: 3 alarms in 0 seconds (Avg -1.#IND files/sec)
21:16:03 [File Scan] Scanning in E:\ ...
21:16:03 [File Scan] Scanned 0 files: 3 alarms in 0 seconds (Avg -1.#IND files/sec)
21:16:03 [Scan] Finished.
05-19-2005, 03:22 PM   #2 (permalink)
lisauk (Registered User)
Join Date: Aug 2004
Posts: 158
OS: XP


AVG found 2 viruses and deleted them

AVG found 2 viruses and deleted them. They were:


trojan horse clicker.5.AQ
C:\WINDOWS\sideb.exe

trojan horse Colected.5.L
C:\WINDOWS\system32\msdirectx.sys

Does this mean my system is now clean?

Lisa
05-19-2005, 03:30 PM   #3 (permalink)
Auriga (Registered User)
Join Date: Apr 2005
Location: 1.12°W 52.67°N
Posts: 18
OS: XP / FC3

Nasty entries I recognise are...

C:\Program Files\Windows AdTools\WinAdTools.exe

C:\Program Files\Windows AdTools\WinRatchet.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 57.dll

O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\EliteSideBar version 8.dll

O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe

O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe

And must be fixed.
__________________
A great revolution in just one single individual will help achieve a change in the destiny of a society and, further, will enable a change in the destiny of humankind."
05-19-2005, 03:44 PM   #4 (permalink)
lisauk (Registered User)
Join Date: Aug 2004
Posts: 158
OS: XP


Fixed those few

Thank you for your reply. I have fixed those few.

Any more?
05-19-2005, 04:00 PM   #5 (permalink)
Auriga (Registered User)
Join Date: Apr 2005
Location: 1.12°W 52.67°N
Posts: 18
OS: XP / FC3

Have you re-run an anti-virus scan since you cleared those two virii?

Also have you run the usual Ad-Aware, Spybot & Spyware Blaster programs?
05-19-2005, 04:06 PM   #6 (permalink)
lisauk (Registered User)
Join Date: Aug 2004
Posts: 158
OS: XP


Spyware Etc

I have run Ad-Aware but not the others.

I will do this tomorrow night and I will re-run the AVG virus scanner.

Thank you for your help.

Lisa
05-19-2005, 04:35 PM   #7 (permalink)
jgvernonco (Old Timer)
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27


Greetings,

Here is the complete "first round" fix for you. After you have done this, please await instructions from members of our Security Team.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).



Download the Backdoor Agent cleanup utility from Symantec and follow the instructions on their page.

===============

Download, unzip to your desktop CWShredder and run it, then:

1. Click "Check For Update"

(If an update isn't available, skip to step #4.)

2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Click "Fix ->"


===============

Let's look for, and delete, any program segments (prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

WinRatchet.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Go to Add/Remove programs and remove (uninstall) the following, if present:

AdTools Service
Elite Sidebar
Elite Toolbar

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\Program Files\Windows AdTools\WinAdTools.exe
C:\Program Files\Windows AdTools\WinRatchet.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u "C:\WINDOWS\EliteToolBar\EliteToolBar version 57.dll"
regsvr32 /u "C:\EliteSideBar version 8.dll"

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Run HiJackThis and click "Scan", then check (tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 57.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\EliteSideBar version 8.dll

O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winsyl32.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\uk_nm.exe -N
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteked32.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

folders...

C:\Program Files\Windows AdTools
C:\WINDOWS\EliteToolBar

files...

C:\EliteSideBar version 8.dll
C:\WINDOWS\system32\syshost.exe
C:\windows\system32\winsyl32.exe
C:\WINDOWS\System32\uk_nm.exe
C:\windows\system32\eliteked32.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Post back a new log, and let us know how everything goes.
05-22-2005, 08:12 AM   #8 (permalink)
lisauk (Registered User)
Join Date: Aug 2004
Posts: 158
OS: XP


New Log

Sorry it took me a few days to post back, thank you for all your help.

If this turns out to be OK now, will I have to check the other 4 user logins? It does seem the user login that I have been using checks the others.

Logfile of HijackThis v1.99.1
Scan saved at 15:08:42, on 22/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\richard\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteked32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
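Added example (not written by any poster in this thread): this Python script parses HijackThis entry lines and checks which entries from the fix list in post #7 are still present in the follow-up log of post #8. The embedded lines are excerpts copied from the logs in this thread; the function names and the four result categories are this example's own.

```python
import re
from typing import NamedTuple

# HijackThis entry lines start with a section code (R0, R1, O1 ... O23) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


class Entry(NamedTuple):
    code: str
    body: str

    def key(self):
        # Registry keys and Windows paths are case-insensitive, and forum
        # software may alter spacing, so compare on a normalised form.
        return (self.code, " ".join(self.body.split()).lower())


def parse_log(text):
    """Return the entry lines of a HijackThis log, skipping headers and process lists."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(Entry(match["code"], match["body"].strip()))
    return entries


def triage(first_log, second_log, fix_list):
    """Sort entries by what happened between the first and the follow-up log."""
    first = {e.key(): e for e in parse_log(first_log)}
    second = {e.key(): e for e in parse_log(second_log)}
    flagged = {e.key(): e for e in parse_log(fix_list)}
    return {
        # Flagged by the helper, present before, gone afterwards.
        "cleared": [e for k, e in flagged.items() if k in first and k not in second],
        # Flagged by the helper but still listed in the follow-up log.
        "persisting": [e for k, e in flagged.items() if k in second],
        # Only in the follow-up log (installed or added between the scans).
        "new": [e for k, e in second.items() if k not in first],
        # In both logs and never on the fix list: not yet assessed by anyone.
        "carried_over_unflagged": [
            e for k, e in second.items() if k in first and k not in flagged
        ],
    }


# Excerpt of the first log (post #1), copied from the thread.
FIRST_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 57.dll
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winsyl32.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteked32.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
"""

# Excerpt of the follow-up log (post #8), copied from the thread.
SECOND_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteked32.exe
"""

# Excerpt of the "Fix checked" list from post #7, copied from the thread.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 57.dll
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winsyl32.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteked32.exe
"""

if __name__ == "__main__":
    for status, entries in triage(FIRST_LOG, SECOND_LOG, FIX_LIST).items():
        print(f"{status}:")
        for entry in entries:
            print(f"  {entry.code} - {entry.body}")
```

On these excerpts the `checkrun` Run entry for eliteked32.exe and the R0 SearchAssistant entry come back as persisting, which is consistent with what the later posts in the thread report.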
05-22-2005, 08:40 AM   #9 (permalink)
POADB (Moderator, Microsoft Support)
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Fix these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =


How are things now?
05-22-2005, 09:00 AM   #10 (permalink)
lisauk (Registered User)
Join Date: Aug 2004
Posts: 158
OS: XP


Tried to fix

I keep fixing

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

but when I do a scan again they are still there.

Also when I do a Spybot scan I get these and they will not fix.

-------------------

Error during check!: Xuron55 (Datei C:\WINDOWS\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()


Altnet: Data (File, fixing failed)
C:\WINDOWS\smdat32a.sys

-------------------------------

cheers Lisa
05-23-2005, 10:17 AM   #11 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 27,077
OS: WinXP and Vista


Hi,

Go into your Add/Remove programs (from Control panel) and look for Altnet--uninstall it if it's there.

If you found Altnet in Add/Remove, please delete its folder using Windows Explorer: C:\Program Files\Altnet

Let's see if anything else is still lurking:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the lower pane --- use CTRL C on your keyboard to copy everything found in the lower pane and save it to a Notepad file.
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.

We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
05-24-2005, 03:27 PM   #12 (permalink)
lisauk (Registered User)
Join Date: Aug 2004
Posts: 158
OS: XP


Here's the viruses after 3hrs of scanning

Thank you for your help. Here is the part that shows the viruses found; there were 18 in total.

File C:\windows\system32\eliteked32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "EliteBar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "altnet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\WINDOWS\RESTORE.INS tagged as not-a-virus:NetTool.Win32.PsKill. No Action Taken.
File C:\WINDOWS\system32\doolsav.dat tagged as "not-a-virus:AdWare.ToolBar.EliteBar.q". Action Taken: No Action Taken.
File C:\WINDOWS\system32\temperror32.dat infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\y infected by "Trojan-Downloader.BAT.Ftp.ab" Virus! Action Taken: No Action Taken.
File C:\OEMCUST\TOOLS\WIN32\PSKILL.EXE tagged as not-a-virus:NetTool.Win32.PsKill. No Action Taken.
File C:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.WinCap.Reboot. No Action Taken.
File C:\Program Files\Internet Explorer\BT Yahoo! Anytime SignUp\btwebcontrol.dll tagged as not-a-virus:RiskWare.Dialer.BT.f. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\ringtone.exe tagged as not-a-virus:RiskWare.Dialer.PlayGames. No Action Taken.
File C:\WINDOWS\RESTORE.INS tagged as not-a-virus:NetTool.Win32.PsKill. No Action Taken.
File C:\WINDOWS\system\RESTORE.INS tagged as not-a-virus:NetTool.Win32.PsKill. No Action Taken.
File C:\WINDOWS\system32\doolsav.dat tagged as "not-a-virus:AdWare.ToolBar.EliteBar.q". Action Taken: No Action Taken.
File C:\WINDOWS\system32\temperror32.dat infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\y infected by "Trojan-Downloader.BAT.Ftp.ab" Virus! Action Taken: No Action Taken.
Old 05-25-2005, 03:28 AM   #13 (permalink)
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Reboot into Safe Mode

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\RESTORE.INS
C:\WINDOWS\system32\doolsav.dat
C:\WINDOWS\system32\temperror32.dat
C:\WINDOWS\system32\y
C:\OEMCUST\TOOLS\WIN32\PSKILL.EXE
C:\WINDOWS\Downloaded Program Files\ringtone.exe
C:\WINDOWS\system\RESTORE.INS


Reboot, rescan and report back.
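Sorting a pasted MWAV log like the one in this thread into file detections and orphaned-registry noise, and checking which flagged files show up again in a later scan, as an added Python example (not code from the thread or from the MWAV or KillBox tools). The line formats are inferred from the log posted above, the function names are hypothetical, and SECOND_SCAN is a shortened sample rather than the full second scan.

```python
import re

# Line shapes as they appear in the MWAV output pasted in this thread.
FILE_RE = re.compile(
    r'^File (?P<path>.+?) (?P<verb>infected by|tagged as) '
    r'"?(?P<name>[^"\s]+?)"?(?: Virus!|\.) (?:Action Taken: )?(?P<action>.+?)\.$'
)
OBJECT_RE = re.compile(
    r'^Object "(?P<name>[^"]+)" found in File System! Action Taken: (?P<action>.+?)\.$'
)
ENTRY_RE = re.compile(
    r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<target>[^"]+)"\. '
    r'Action Taken: (?P<action>.+?)\.$'
)

# Sample input: a few lines in the format of the first scan in this thread.
FIRST_SCAN = r"""
File C:\windows\system32\eliteked32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "altnet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{12121212-3434-5656-3333-444411112222}" refers to invalid object "vendor.dll". Action Taken: No Action Taken.
File C:\WINDOWS\RESTORE.INS tagged as not-a-virus:NetTool.Win32.PsKill. No Action Taken.
File C:\WINDOWS\system32\doolsav.dat tagged as "not-a-virus:AdWare.ToolBar.EliteBar.q". Action Taken: No Action Taken.
File C:\WINDOWS\system32\y infected by "Trojan-Downloader.BAT.Ftp.ab" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\RESTORE.INS tagged as not-a-virus:NetTool.Win32.PsKill. No Action Taken.
"""

# Constructed "after" sample, shortened to exercise the comparison; it is not
# a statement of everything the thread's second scan contained.
SECOND_SCAN = r"""
File C:\windows\system32\eliteked32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{12121212-3434-5656-3333-444411112222}" refers to invalid object "vendor.dll". Action Taken: No Action Taken.
"""


def parse_line(line):
    """Classify one log line; return None for anything unrecognised."""
    line = line.strip()
    m = FILE_RE.match(line)
    if m:
        kind = "infected" if m.group("verb") == "infected by" else "tagged"
        return {"kind": kind, "path": m.group("path"),
                "name": m.group("name"), "action": m.group("action")}
    m = OBJECT_RE.match(line)
    if m:
        return {"kind": "object", "name": m.group("name"),
                "action": m.group("action")}
    m = ENTRY_RE.match(line)
    if m:
        return {"kind": "registry", "key": m.group("key"),
                "target": m.group("target"), "action": m.group("action")}
    return None


def triage(log_text):
    """Split a pasted log into file detections, objects and registry noise.

    File detections are de-duplicated on the lower-cased path, because
    Windows paths are case-insensitive and the scanner lists some files
    more than once.
    """
    files = {}        # lower-cased path -> first record seen
    objects = []      # distinct object names, first spelling kept
    registry = 0      # count of "refers to invalid object" lines
    unparsed = []     # lines matching none of the known shapes
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed.append(raw.strip())
        elif rec["kind"] in ("infected", "tagged"):
            files.setdefault(rec["path"].lower(), rec)
        elif rec["kind"] == "object":
            if rec["name"].lower() not in (o.lower() for o in objects):
                objects.append(rec["name"])
        else:
            registry += 1
    return {"files": files, "objects": objects,
            "registry_entries": registry, "unparsed": unparsed}


def still_flagged(before_text, after_text):
    """Paths flagged in both scans, i.e. files a cleanup pass did not remove."""
    before = triage(before_text)["files"]
    after = triage(after_text)["files"]
    return sorted(rec["path"] for key, rec in before.items() if key in after)


if __name__ == "__main__":
    result = triage(FIRST_SCAN)
    for rec in result["files"].values():
        print(rec["kind"], rec["path"], rec["name"])
    print("registry entries skipped:", result["registry_entries"])
    print("still flagged:", still_flagged(FIRST_SCAN, SECOND_SCAN))
```

Lines that match none of the three shapes are returned under `unparsed` rather than dropped, so a change in the scanner's output format is visible instead of silently shrinking the result.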
Old 05-25-2005, 03:05 PM   #14 (permalink)
Registered User
Join Date: Aug 2004
Posts: 158
OS: XP


Latest MWAV scan

Here is my second mwav scan after using KillBox.

Cheers once again Lisa

File C:\windows\system32\eliteked32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "EliteBar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "altnet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler.1" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
File C:\WINDOWS\system32\temperror32.dat infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.WinCap.Reboot. No Action Taken.
File C:\Program Files\Internet Explorer\BT Yahoo! Anytime SignUp\btwebcontrol.dll tagged as not-a-virus:RiskWare.Dialer.BT.f. No Action Taken.
File C:\WINDOWS\system32\temperror32.dat infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
Old 05-25-2005, 04:15 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,077
OS: WinXP and Vista


Hi Lisa,

Please print out or copy this page to Notepad since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

Click here to download ETRemover. Unzip it, but don't run it yet.

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.exe and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\windows\system32\eliteked32.exe
C:\WINDOWS\system32\temperror32.dat


Run ETRemover.exe now. When it's done, follow the prompts, but don't restart yet. Do the below fixes first.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

EliteBar
Altnet


Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\windows\system32\eliteked32.exe
C:\WINDOWS\system32\temperror32.dat
Altnet--Do a search and delete anything found
EliteBar Do a search and delete anything found

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode. Run another HijackThis scan and post that log here. Also run Mwav again and post that also.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 05-25-2005 at 04:16 PM.
Old 05-26-2005, 07:59 AM   #16 (permalink)
Registered User
 
 
Join Date: Aug 2004
Posts: 158
OS: XP


HijackThis and Mwav scan logs, now only 4 viruses found

Hello, once again thank you for your help. I feel we are almost there now. Here are the HijackThis log and the Mwav scan.

----------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:05:41, on 26/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\richard\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteked32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

-------------------

Object "altnet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.WinCap.Reboot. No Action Taken.
File C:\Program Files\Internet Explorer\BT Yahoo! Anytime SignUp\btwebcontrol.dll tagged as not-a-virus:RiskWare.Dialer.BT.f. No Action Taken.
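Added example, not part of the thread or of any tool named in it: a Python check that takes the KillBox deletion list from the helper's post and looks for those paths in a follow-up HijackThis log (running processes and O4 autoruns) and in Mwav `File` detection lines. The log excerpts are copied from the thread; the function names and the extension heuristic for unquoted command lines are assumptions of this example.

```python
import ntpath
import re

# Files the helper's post lists for deletion with KillBox (as written in the thread).
REMOVAL_LIST = [
    r"C:\windows\system32\eliteked32.exe",
    r"C:\WINDOWS\system32\temperror32.dat",
]

# Excerpt of the follow-up HijackThis log (lines copied from the thread).
HJT_EXCERPT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteked32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
"""

# Mwav lines copied from the thread: the earlier scan and the follow-up scan.
MWAV_BEFORE = r"""
File C:\WINDOWS\system32\temperror32.dat infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.WinCap.Reboot. No Action Taken.
"""
MWAV_AFTER = r"""
Object "altnet Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.WinCap.Reboot. No Action Taken.
"""

O4_REG = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
EXE_END = re.compile(r"\.(?:exe|dll|com|bat|cmd|scr|pif)\b", re.IGNORECASE)
MWAV_FILE = re.compile(r'^File (?P<path>.+?) (?:infected by|tagged as) "?(?P<label>[^"\s]+)')


def target_of(cmd):
    """Return the normalized program path of an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end != -1 else cmd[1:]
    else:
        # Unquoted paths may contain spaces, so cut at the first executable
        # extension instead of the first space (heuristic, an assumption).
        m = EXE_END.search(cmd)
        path = cmd[:m.end()] if m else (cmd.split() or [""])[0]
    return ntpath.normcase(path)


def parse_hjt(log):
    """Return (running process paths, O4 autorun entries) from a HijackThis log."""
    processes, autoruns, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # blank line ends the process section
        elif in_procs:
            processes.append(ntpath.normcase(line))
        else:
            m = O4_REG.match(line) or O4_STARTUP.match(line)
            if m:
                d = m.groupdict()
                where = f"{d['hive']}\\..\\{d['key']}" if d.get("hive") else d["key"]
                autoruns.append({"where": where, "name": d["name"],
                                 "target": target_of(d["cmd"])})
    return processes, autoruns


def mwav_flagged(log):
    """Map normalized path -> label for every Mwav 'File ...' detection line."""
    flagged = {}
    for line in log.splitlines():
        m = MWAV_FILE.match(line.strip())
        if m:
            flagged[ntpath.normcase(m["path"])] = m["label"].rstrip(".")
    return flagged


def residuals(removal_list, hjt_log, mwav_log):
    """List (kind, path, detail) for each removal-list path the logs still mention."""
    wanted = {ntpath.normcase(p) for p in removal_list}
    processes, autoruns = parse_hjt(hjt_log)
    found = [("running", p, "") for p in processes if p in wanted]
    found += [("autorun", a["target"], f"{a['where']} [{a['name']}]")
              for a in autoruns if a["target"] in wanted]
    found += [("scanner", p, label)
              for p, label in mwav_flagged(mwav_log).items() if p in wanted]
    return found


if __name__ == "__main__":
    for kind, path, detail in residuals(REMOVAL_LIST, HJT_EXCERPT, MWAV_AFTER):
        print(kind, path, detail)
```

On the follow-up excerpts this reports one leftover reference: the `checkrun` value under `HKLM\..\Run` still names eliteked32.exe, while temperror32.dat no longer appears in the Mwav lines.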
Old 05-26-2005, 11:16 AM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,077
OS: WinXP and Vista


Your logs are clean.

Are you still getting that error with Spybot when it tries to 'fix' Altnet?

Turn off System Restore: Click Start > right-click My Computer > Properties. Click the System Restore tab and check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this, then click OK. Now re-enable System Restore. This will prevent any reinfection from any previous restore points.

Download Ccleaner www.ccleaner.com to clean out those orphaned registry entries. Click on the 'Issues' tab and make sure the box is checked in 'Options' to prompt for backup of registry.
Old 05-26-2005, 12:22 PM   #18 (permalink)
Registered User
 
 
Join Date: Aug 2004
Posts: 158
OS: XP


Spybot Error

Hi, yes, I am still getting the error in Spybot.

Thank you for all your help.

Is my system ready to go now?

Cheers Lisa
Old 05-27-2005, 06:40 PM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,077
OS: WinXP and Vista


Hi Lisa,

If Spybot is still giving this message:

Altnet: Data (File, fixing failed)
C:\WINDOWS\smdat32a.sys

Please Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Also, to clean out those orphaned registry entries showing in Mwav, please download Ccleaner www.ccleaner.com. Do not run it yet.

Reboot into Safe Mode (tapping F8 or F5)

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\smdat32a.sys

Run Ccleaner. After choosing which sections you would like to clean, click on the 'Issues' tab to clean registry. Be sure that box is checked to 'prompt to backup registry' in the Options>Advanced section.

Reboot into Normal Mode. How is it now?
Old 05-28-2005, 09:42 AM   #20 (permalink)
Registered User
 
 
Join Date: Aug 2004
Posts: 158
OS: XP


Spybot Error

After doing the KillBox and Ccleaner and after the Spybot - Search & Destroy scan, the results in Spybot show:

Error during check!
Xuron55 (Datei C:\WINDOWS\win.ini kann nicht geoffnet werden. The process cannot access the file beacause it is being used by another process)

I am about to restart in safe mode and do any Spybot scan. I will report back in about 30 mins.

Cheers again Lisa
All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum