CWS.Homesearch / About:Blank / Iefeats

dctuhy · 10-07-2005, 01:13 AM

I am hoping you might be able to help. I have tried as much as I could on my own. It sounds as though this site is setup for what I need. I have tried to follow the instructions so as to get prepared prior to posting this. I have followed, best as I could, the "5 Step Process" posted by MicroBell.

In addition to the recommended scanners, I am running NIS as well as Spyware Xterminator 2005. Neither have been able to clean everthing.
The last NIS scan showed: Adware.Iefeats
The last SpywareX scan showed: TrojanDownloader.Win32.Agent.bq and CWS.HomeSearch.
The most obvious symptom I seem to be experiencing is the hijacking of IE to About:Blank. When I first started experiencing problems, I had installed FireFox, but IE still starts up at boot up, and the default homepage is always About:Blank.

Below is the most recent HJT log:
Thank you in advance for any assistance you may be able to offer. Please let me know if I missed anything.

Logfile of HijackThis v1.99.1
Scan saved at 11:59:52 PM, on 10/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Intuit\QAgent\QAGENT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\winui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE
C:\Program Files\MSCAN\Msoffice\panel.exe
C:\WINDOWS\system32\apiry.exe
C:\WINDOWS\system32\iedh32.exe
C:\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\drgel.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {1A0C07B1-8A80-8824-E4C8-9BF68E8BD009} - C:\WINDOWS\system32\sdktw32.dll
O2 - BHO: Class - {6A2CB77E-27C0-8A46-BB24-86C81C3684B5} - C:\WINDOWS\system32\sdktw32.dll
O2 - BHO: Class - {94FF99D7-2E37-11BC-607E-4634938059E0} - C:\WINDOWS\mfcih32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\STOMPS~1\PPMemCheck.exe
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\STOMPS~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\STOMPS~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [netbj.exe] C:\WINDOWS\netbj.exe
O4 - HKLM\..\Run: [ipig32.exe] C:\WINDOWS\system32\ipig32.exe
O4 - HKLM\..\Run: [sysgo32.exe] C:\WINDOWS\sysgo32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [Spyware X-terminator] "C:\Program Files\StompSoft\SpywareXterminatorV5\SpywareX.exe" -w -b
O4 - HKLM\..\Run: [apinn.exe] C:\WINDOWS\apinn.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winui.exe] C:\WINDOWS\winui.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/c29211c6/enter.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04512246c97b20b...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120354391703
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/en/wowbeta/Si.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apiry.exe" /s (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

tetonbob · 10-07-2005, 09:19 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download CWShredder.exe
1. Open CWShredder and click - I AGREE
2. Click - Check For Update
3. Close CWShredder after updating

Download AboutBuster and unzip the files to a folder on your Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now.

Download and save to your C: drive HSfix.zip
Unzip the contents of HSFix.zip and an HSFix directory will be created
We'll need this later.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

Please configure CleanUp with the following settings:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Click Start->Run - type SERVICES.MSC & then click on the OK button

1. Locate the service - Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I)
2. Double-click on it to open the Properties dialog.
* Under the General tab, note down the name of "Service name". We shall need it later.
* Stop the service by using the Stop button.
* Change the Startup type to Disabled & then click on the OK button
3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
4. In the popup box that appears, type in "Service name" & then click on the OK button

Navigate to the HSFix directory you created. Doubleclick on HSFix.reg Click on Yes when it asks for permission to merge with the registry.

Start HijackThis & Go to Config> Misc Tools > Open ADS Spy

1. Checkmark/tick - "Ignore Safe System Info Streams"
2. Click the "Scan" button
3. When it has finished scanning, checkmark/tick all that it found
4. Click the "remove selected" button

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\winui.exe
C:\WINDOWS\system32\apiry.exe
C:\WINDOWS\system32\iedh32.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

SpyFighter<<<<it’s rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\drgel.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#37049

(FIX ALL R0 & R1 ENTRIES THAT LOOKS SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1A0C07B1-8A80-8824-E4C8-9BF68E8BD009} - C:\WINDOWS\system32\sdktw32.dll
O2 - BHO: Class - {6A2CB77E-27C0-8A46-BB24-86C81C3684B5} - C:\WINDOWS\system32\sdktw32.dll
O2 - BHO: Class - {94FF99D7-2E37-11BC-607E-4634938059E0} - C:\WINDOWS\mfcih32.dll
O4 - HKLM\..\Run: [netbj.exe] C:\WINDOWS\netbj.exe
O4 - HKLM\..\Run: [ipig32.exe] C:\WINDOWS\system32\ipig32.exe
O4 - HKLM\..\Run: [sysgo32.exe] C:\WINDOWS\sysgo32.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [apinn.exe] C:\WINDOWS\apinn.exe
O4 - HKLM\..\Run: [winui.exe] C:\WINDOWS\winui.exe
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/c29211c6/enter.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04512246c97b20...ip/RdxIE601.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apiry.exe" /s (file missing)

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\wnhwi.dll
C:\WINDOWS\system32\drgel.dll
C:\WINDOWS\system32\sdktw32.dll
C:\WINDOWS\mfcih32.dll
C:\WINDOWS\netbj.exe
C:\WINDOWS\system32\ipig32.exe
C:\WINDOWS\sysgo32.exe
C:\Program Files\SpyFighter
C:\WINDOWS\apinn.exe
C:\WINDOWS\winui.exe
C:\WINDOWS\system32\apiry.exe

Run CWShredder & click on Fix.

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective.

Restart in normal mode now and run a new HijackThis scan. Save the log file and post it here.

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Standard
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Please return with logs from:

AboutBuster
Ewdio
HJT
Kaspersky Online Scan

dctuhy · 10-14-2005, 11:10 PM

First of all, I thank you for your forum, and your technical experience and asistance with all of this.
I have copied the previous message from TetonBob in order **to comment upon my progress. Those instructions that were carried out without issue have been deleted or reduced in size for purposes of keeping the size of this post to a minimum. I hope I did not make a mess out of this with the formatting...If so, please let me know, we can then just delete this post and I will re-post another one without trying to highlight my comments.

Download AboutBuster and unzip the files to a folder on your Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now.
**After AboutBuster was downloaded & unzipped, when I tried to Check for Updates or try to run the program, I received the following: "Run-Time Error, Invalid Procedure Call"

Click Start->Run - type SERVICES.MSC & then click on the OK button

1. Locate the service - Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I)
** There were 2 different Services listed: "Workstation" and "NetLogon", but there was not a "Workstation NetLogon Service( )" listed
2. Double-click on it to open the Properties dialog.
* Under the General tab, note down the name of "Service name". We shall need it later.
** In following instructions using "NetLogon" service, the "Service name" listed was "lanmanworkstation"
* Stop the service by using the Stop button.
** Neither Service ("NetLogon" nor "Workstation") was shown are currently running.
* Change the Startup type to Disabled & then click on the OK button
3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
4. In the popup box that appears, type in "Service name" & then click on the OK button
**When following instr. using "NetLogon" and then entering "lanmanworkstation" as ServiceName, received msg: "The service you entered is system critical! It can't be deleted"

Navigate to the HSFix directory you created. Doubleclick on HSFix.reg Click on Yes when it asks for permission to merge with the registry.

Start HijackThis & Go to Config> Misc Tools > Open ADS Spy

1. Checkmark/tick - "Ignore Safe System Info Streams"
2. Click the "Scan" button
3. When it has finished scanning, checkmark/tick all that it found
4. Click the "remove selected" button
**Many found and removed...it took about an hour just to select all those that were found.
Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\winui.exe
C:\WINDOWS\system32\apiry.exe
C:\WINDOWS\system32\iedh32.exe
**None of the above processes listed.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

SpyFighter<<<<it’s rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.
** Spyfigter not listed

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
** Red entries were located and fixed. Others were not listed.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\drgel.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#37049

(FIX ALL R0 & R1 ENTRIES THAT LOOKS SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)
** There were 8 entries that fir this criteria....all fixed

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1A0C07B1-8A80-8824-E4C8-9BF68E8BD009} - C:\WINDOWS\system32\sdktw32.dll
O2 - BHO: Class - {6A2CB77E-27C0-8A46-BB24-86C81C3684B5} - C:\WINDOWS\system32\sdktw32.dll
O2 - BHO: Class - {94FF99D7-2E37-11BC-607E-4634938059E0} - C:\WINDOWS\mfcih32.dll
O4 - HKLM\..\Run: [netbj.exe] C:\WINDOWS\netbj.exe
O4 - HKLM\..\Run: [ipig32.exe] C:\WINDOWS\system32\ipig32.exe
O4 - HKLM\..\Run: [sysgo32.exe] C:\WINDOWS\sysgo32.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [apinn.exe] C:\WINDOWS\apinn.exe
O4 - HKLM\..\Run: [winui.exe] C:\WINDOWS\winui.exe
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/c29211c6/enter.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04512246c97b20...ip/RdxIE601.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apiry.exe" /s (file missing)

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\wnhwi.dll
C:\WINDOWS\system32\drgel.dll
C:\WINDOWS\system32\sdktw32.dll
C:\WINDOWS\mfcih32.dll: There was not a .dll extention listed, but I "fixed" it anyway
C:\WINDOWS\netbj.exe
C:\WINDOWS\system32\ipig32.exe
C:\WINDOWS\sysgo32.exe: There was not a .exe extention listed, but it was listed as an application - I "fixed" it anyway
C:\Program Files\SpyFighter
C:\WINDOWS\apinn.exe
C:\WINDOWS\winui.exe: There was not a .exe extention listed, but it was listed as an application - I "fixed" it anyway[/color]
C:\WINDOWS\system32\apiry.exe: There was not a .exe extention listed, but it was listed as an application - I "fixed" it anyway[/color]

Run CWShredder & click on Fix.
** "0 Restored, None Infected"

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.
**As mentioned above, could not run AboutBuster: "Run-Time Error, Invalid Procedure Call"

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective.
**The Ewido scan actually located 10,805 infections. All of them removed, as instructed, individually. These were all "Spyware", "Trojan Downloader", or "Trojan Agent" infections. After considerable time, these were were all removed. BUT...unfortunately, in the process of removing the infections, while trying to keep my 2 little girls away from the computer long enough to finish, the process was completed, but then Ewido closed before I could save the log file. I tried to go back into the program afterwards to retreive the log, but I was not able to open it back up again???

Restart in normal mode now and run a new HijackThis scan. Save the log file and post it here.
** See below

Perform an online scan with Internet Explorer with
Kaspersky WebScanner
Next Click on Launch Kaspersky Anti-Virus Web Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
o Scan using the following Anti-Virus database:
o Standard
o Scan Options:
o Scan Archives
Scan Mail Bases
* Click OK
* Now under select a target to scan:
o Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
o Now click on the Save as Text button:
* Save the file to your desktop.
* Copy and paste that information in your next post.
Take note the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
**Kaspersky scan could not be run because it seems that after completing the proceeding instuctions, I am unable to launch IE (After being infected to begin with, I stated using Firefox, but I was still able to lauch IE, until now???)
Please return with logs from:

AboutBuster
**As noted, I downloded and unzipped AboutBuster, but could not update nor Run because of a RunTimeError
Ewdio
**As noted, although I ran the scan, and removed many infections, Ewido was closed before the log file was saved. I believe one of my kids had something to do with this premature closure.....ooops!
HJT
Logfile of HijackThis v1.99.1
Scan saved at 8:39:25 PM, on 10/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE
C:\Program Files\MSCAN\Msoffice\panel.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {94FF99D7-2E37-11BC-607E-4634938059E0} - C:\WINDOWS\mfcih32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\STOMPS~1\PPControl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [netbj.exe] C:\WINDOWS\netbj.exe
O4 - HKLM\..\Run: [sysgo32.exe] C:\WINDOWS\sysgo32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [Spyware X-terminator] "C:\Program Files\StompSoft\SpywareXterminatorV5\SpywareX.exe" -w -b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/c29211c6/enter.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04512246c97b20b...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120354391703
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/en/wowbeta/Si.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Kaspersky Online Scan
** As noted, I was not able to run this scan, because I could not launch IE

tetonbob · 10-15-2005, 08:08 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

I know you're trying to help by presenting it in such a way, but it does make thing more difficult for me to wade through. Hopefully you did nothing to those other 2 legit services. My directions are fairly clear, I think. Part of them say to ask questions before performing any actions if you are unsure. The steps are lined out in the order they need to be followed. May I suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread". A week between replies may allow things to get worse.

Before we begin the fix, we need to unload Spybot's Teatimer. To do this, right-click on the icon in the quick launch toolbar at the bottom on the screen, then select "Exit".

We've noticed an issue recently with AboutBuster and Updates. Please delete the entire folder you have. Then Download AboutBuster and unzip the files to a folder on your Desktop. Do NOT update as before. Do not run it yet.

Update Ewido's definitions. I would like you to run it again in safe mode where indicated. It should take much less time, this time. Try to save the report.

Nothing we've done should have buggered IE, but it appears you were severely infected.

Let's try registering Internet Explorer's DLL files. Go to Start->Run and copy and paste the following into the Run box and hit OK (go to Start->Run again for each one):

regsvr32 Shdocvw.dll
regsvr32 Shell32.dll
regsvr32 Oleaut32.dll
regsvr32 Actxprxy.dll
regsvr32 Mshtml.dll
regsvr32 Urlmon.dll

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {94FF99D7-2E37-11BC-607E-4634938059E0} - C:\WINDOWS\mfcih32.dll (file missing)
O4 - HKLM\..\Run: [netbj.exe] C:\WINDOWS\netbj.exe
O4 - HKLM\..\Run: [sysgo32.exe] C:\WINDOWS\sysgo32.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent

Locate the following Files/Folders and delete them if they exist:

C:\WINDOWS\netbj.exe
C:\WINDOWS\sysgo32.exe
C:\Program Files\SpyFighter

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Restart in normal mode now.

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).

Choose Save, NOT run, and save to your desktop
Double-click the tmas-web-scan.exe icon
It will say "Loading TrendMicro definitions".
Click "Start Scan"

After it's done scanning, click "Scan Results"

Make sure all items found have a check next to them, then click "Clean Threats Now".
Click Exit.

Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

Run an online scan with Trend's Housecall This version supports all browsers. Follow the prompts, and Choose any Auto-Clean feature, if available.

Restart and run a new HijackThis scan. Save the log file and post it here.

Please return with results from:

Ewido
Ab LogFile.txt
Antispyware.log
Trend's Housecall
HJT

How is IE now?

dctuhy · 10-15-2005, 11:47 AM

Thank you for the quick response. As requested, I will ask questions that come up as I proceed. My intent was to reduce the number of posts that anyone would need to go through.....The infections do seem to affecting more as time goes by. I no longer have access to my e-mail (using Roadrunner Webmail, the browser states that the connection to the Webmail site (and some other, but not all sites) has been refused. This may be something that is resolved when everything gets cleaned....It just means that although I did subscribe to the thread, I will need to check preogress directly through the site, and not by any notifications.
**Spybot Teatimer: The first step can not be completed as instructed. The Spybot Icon in the quick lanch toolbar initially appears but then disappears as soon as I move the cursor over it. It seems that I may be able to stop Teatimer through Task Manager --> Processes --> TeaTimer.exe --> End Process.
Should I proceed in this manner??

tetonbob · 10-15-2005, 12:02 PM

I won't mind the number of posts....this way is better. Try this:

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

If that fails, then proceed to use the TaskManager.

dctuhy · 10-15-2005, 01:42 PM

OK...whatever works best for you...I am at your mercy.
The link you provided for AboutBuster does not seem to work. I was able to get to www.malwarebytes.org, and have downloaded and unzipped AboutBuster5.1 to my Desktop as directed. Would the broken link, or anything else at this point have anything to do with the infections I have?

dctuhy · 10-15-2005, 02:01 PM

Additionally, the Ewido Security Suite does not appear to be functioning any longer. When I double-click on the icon, nothing happens. My first thought would be to un-install it and then download it and install it again, but as my intuition seems to be getting me in more trouble than anything else these days, I thought I would check before proceeding. I am getting a little paranoid with all of this now......Are all the things I am experiencing because of the infections that someone dreamed up seemingly for the purpose af wreaking havok??
Thank you, sincerely, for your help.....

tetonbob · 10-15-2005, 03:34 PM

I apologize for the dead link. No, that's not the cause of your troubles. You've been severely infected, as indicated by your report of the number of objects found by Ewido.

Ignore the Ewido portion of my last instructions for now. Also ignore the AboutBuster portion. Try to carry out the rest of the fix.

Quote:

Are all the things I am experiencing because of the infections that someone dreamed up seemingly for the purpose af wreaking havok??

Perhaps not all the things, but certainly most of them are due to this. Let's take this one step at a time.

dctuhy · 10-15-2005, 11:02 PM

Hopefully, this went as expected......

Please return with results from:
Ewido
Skipped Ewido at this point
Ab LogFile.txt
Skipped AboutBuster at this point
Antispyware.log
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\PrecisionTime'
Found '' in 'SOFTWARE\Classes\AppID\urlcli.DLL'
Found '' in 'SOFTWARE\MyWay'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall'
Found '' in 'SOFTWARE\Classes\MyWayToolBar.SettingsPlugin.1'
Found '' in 'SOFTWARE\Classes\MyWayToolBar.SettingsPlugin'
Found '' in 'SOFTWARE\Classes\MyWayToolBar.NetscapeStartup.1'
Found '' in 'SOFTWARE\Classes\MyWayToolBar.NetscapeStartup'
Found '' in 'SOFTWARE\Classes\MyWayToolBar.NetscapeShutdown.1'
Found '' in 'SOFTWARE\Classes\MyWayToolBar.NetscapeShutdown'
Found '' in 'SOFTWARE\Classes\CLSID\{014DA6CD-189F-421a-88CD-07CFE51CFF10}'
Found '' in 'Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}'
Found '' in 'CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}'
Found '' in 'SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}'
Internet URL Shortcuts
Files and Directories
Found '' in 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games'
Found '' in 'C:\WINDOWS\SYSTEM32\FLEOK'
Found 'mseggo.gif' in 'C:\WINDOWS\SYSTEM32'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games' in shortcut areas.
Checking for 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games' in startup areas.
Cleaning 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games'
Checking for 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games\Big Fish Games.url' in shortcut areas.
Checking for 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games\Big Fish Games.url' in startup areas.
Cleaning 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games\Big Fish Games.url'
Checking for 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games\FlyorDie Games.url' in shortcut areas.
Checking for 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games\FlyorDie Games.url' in startup areas.
Cleaning 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games\FlyorDie Games.url'
Checking for 'C:\WINDOWS\SYSTEM32\FLEOK' in shortcut areas.
Checking for 'C:\WINDOWS\SYSTEM32\FLEOK' in startup areas.
Cleaning 'C:\WINDOWS\SYSTEM32\FLEOK'
Checking for 'C:\WINDOWS\SYSTEM32\mseggo.gif' in shortcut areas.
Checking for 'C:\WINDOWS\SYSTEM32\mseggo.gif' in startup areas.
Cleaning 'C:\WINDOWS\SYSTEM32\mseggo.gif'
Finished Cleaning
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning

Trend's Housecall
Housecall: Auto-clean feature not available
8 detections
(2) TROJ_STARTPAG.RE
(5) TROJ_AGENT.ABJ
(1) TROJ_AGENT.ACN
I tried to clean, but did not have a "ticket number". I attempted to get a ticket number, but it said it was not able to connect to the "ticket server". Looks like I may need to purchase the program, which i am willing to do, f beneficial, in the future. There was additional information available through Trend regarding how to remove the 1st 2 infections, I printed these out, but did not do anything other than the scan.

HJT
Logfile of HijackThis v1.99.1
Scan saved at 9:42:11 PM, on 10/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE
C:\Program Files\MSCAN\Msoffice\panel.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\STOMPS~1\PPControl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Spyware X-terminator] "C:\Program Files\StompSoft\SpywareXterminatorV5\SpywareX.exe" -w -b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/c29211c6/enter.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04512246c97b20b...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120354391703
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/en/wowbeta/Si.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

tetonbob · 10-16-2005, 08:17 AM

The results from that Housecall scan are not what I expected. Hmmmm....there should have been a way for Housecall to delete any file it couldn't cure. I can't help you remove infections without seeing the files that are responsible. If it gave you more precise information, (file name and location) I'm sure you would have included it.

Your HJT log is clean. Unfortunately, HJT does not see everything out there these days.

Does your IE work? If so, perform a Panda Online Scan. If not....

Will Ewido work? IF so, run it and post results.....if not....

We can try another scanner tool which will help me ID the associated files if the answers to my 2 questions are no. No need to purchase any tools yet.

If the answers to my 2 questions are no, do this:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

dctuhy · 10-16-2005, 11:07 PM

I'm sorry....I did not include the additional information from the previous Houecall scan. After the scan finished, I saw no way of saving a log file, so I took some screen shots with as much info as I could, in case I needed to refer back to anything. I knew the Infection names would be the first part of it, and the way the window appear, I could not scroll over to view the entire filname, and I could not copy the entrie line either...so I left it off my last post.....
InfectionName: Filename:
TROJ_STARTPAG.RE(1) C:System Volume Information\_restore(21D7DD692-4662-
TROJ_AGENT.ABJ(1) C:System Volume Information\_restore(21D7DD692-4662-
TROJ_STARTPAG.RE(2) C:System Volume Information\_restore(21D7DD692-4662-
TROJ_AGENT.ACN(1) C:\WINDOWS\SYSTEM32\ntvo32.exe
TROJ_AGENT.ABJ(2) C:\WINDOWS\SYSTEM32\sdkhs.exe
TROJ_AGENT.ABJ(3) C:\WINDOWS\atlzk.exe
TROJ_AGENT.ABJ(4) C:\WINDOWS\d3yu.exe
TROJ_AGENT.ABJ(5) C:\WINDOWS\syscs32.exe
The answers to your 2 initial questions from the last post:
** No, I can not launch either IE nor Ewido at this point. I had registered the IE .dll files as instructed, and according to my system, everything registered OK.
I wanted to get you the missing info from the Houscall scan, before working through the last instructions from your post; 10-16-05_07:17, but I expect that this is where I will begin. I was away from the house / computer most of the day Sunday, so I lost yet another day in this process. Thank you for your help, and your patience.
Regards.....

tetonbob · 10-16-2005, 11:47 PM

Hi dctuhy -

You're doing fine. This will take some time.

Uninstall Ewido.

Please download Ad-aware at http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go to http://www.lavasoftusa.com/software/...2cleaner.shtml to download the plug-in for fixing VX2 variants. After installing and updating, close Adaware.

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip You will use this later.

Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175) You'll use this later.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache

Delete Newsgroup Subscriptions

Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Launch KillBox.exe & select the following options:

delete on Reboot

Select all the filenames below & then right-click & select Copy

C:\WINDOWS\SYSTEM32\ntvo32.exe
C:\WINDOWS\SYSTEM32\sdkhs.exe
C:\WINDOWS\atlzk.exe
C:\WINDOWS\d3yu.exe
C:\WINDOWS\syscs32.exe

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Quote:

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Open Adaware now. Go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware.

Now run mwav per my previous instructions. This scan will take some time.

Reboot into normal mode now.

Next, do this:

Unzip StartDreck to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

I'm trying to gather as much data as I can in lieu of automated scannners.

Do you have a Windows XP installation disk? Or just a manufacturer's Recovery Disk?

dctuhy · 10-18-2005, 07:32 AM

Tetonbob:
This post contains the logs for MWav and StartDreck. (Actually only StartDreck....see below)
I followed the instructions for the MWav scan which stated to Copy everything from the Lower Pan to a Notepad file, and then I noticed that the file seemed to contain no line breaks (in the text file the line breaks are actually there...there just do not appear as break in the txt file. Then I noticed the program created its own log file, so I saved it that way as well, and saw that this file did contain line breaks, and I first thought it might be easier for you to go through it if it contained these breaks, so I initially pasted this file into this post, but then noticed that it took considerable time to paste into this post, and considerable time to go preview it because of the number of lines it contained (?).....So I deleted that part of it and will now try and paste it in, as per you instructions, which seem to be very specifc for reasons I may not see on my side. I hope this comes through the way you wanted to see it.

It looks like I need to give you these logs in 2 separate posts:
With both logs: "The text that you have entered is too long (1546183 characters). Please shorten it to 100000 characters long."

OK...that will not work either: The MWav log, as was, contained 1,535,427 characters.....The forum limits the posts to 100,000 char (justifiably so!)

I noticed some repeition, so I replaced the text "Action Taken: No Action Taken" with "AT:NAT", hoping that this will reduce the size enough to get this through. I am afraid now that it might make this thread, all together, possibly too large to be working with? Please advise...

Well that only reduced it to 1,287,289 char. you mentioned that the MWav scan will take some time...you weren't kidding, were you!
I could keep trying to replace text with shorter strings, but I am thinking now it may not be enough....As such, I will post only the StartDreck log in this post, please let me know what to do with the MWav log (be nice!)

Thankyou, once again, for your help.

StartDreck Log File
StartDreck (build 2.1.7 public stable) - 2005-10-18 @ 05:07:44 (GMT -07:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Donald Tuhy at DB939P11

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*Microsoft Works Update Detection=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
*IgfxTray=C:\WINDOWS\System32\igfxtray.exe
*HotKeysCmds=C:\WINDOWS\System32\hkcmd.exe
*AdaptecDirectCD="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
*HPDJ Taskbar Utility=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
*Spyware X-terminator Control Center=C:\PROGRA~1\STOMPS~1\STOMPS~1\PPControl.exe
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*SunJavaUpdateSched=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*Spyware X-terminator="C:\Program Files\StompSoft\SpywareXterminatorV5\SpywareX.exe" -w -b
*KernelFaultCheck=%systemroot%\system32\dumprep 0 -k
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278}
*StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+Fax/{8b15971b-5355-4c82-8c07-7e181ea07608}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
»Browser Helper Objects (LM)
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
»Internet Explorer
»Current User
*Default_Page_URL=http://www.dellnet.com
*Local Page=C:\WINDOWS\system32\blank.htm
*Search Bar=
*Search Page=
*Start Page=about:blank
*SearchAssistant=
+SearchUrl
*provider=
»Default User
*Default_Page_URL=http://www.dellnet.com
*First Home Page=http://www.dellnet.com
*Start Page=http://www.dellnet.com
»Local Machine
*Default_Search_URL=
*Local Page=%SystemRoot%\system32\blank.htm
*Search Bar=
*Search Page=
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
*UPnPMonitor={e57ce738-33e8-4c51-8354-bb4de9d215d1}
`InprocServer32=C:\WINDOWS\system32\upnpui.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Donald Tuhy\Start Menu\Programs\Startup\DESKTOP.INI
*C:\Documents and Settings\Donald Tuhy\Start Menu\Programs\Startup\TextBridge Instant Access OCR.lnk
*C:\Documents and Settings\Donald Tuhy\Start Menu\Programs\Startup\Watch.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\DESKTOP.INI
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\system32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\system32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\system32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\system32\TASKMGR.COM
*C:\WINDOWS\system32\taskmgr.exe
+C:\WINDOWS\system32\notepad.exe
*C:\WINDOWS\notepad.exe
+C:\WINDOWS\system32\slrundll.exe
*C:\WINDOWS\slrundll.exe
+C:\WINDOWS\system32\sysad32.exe
*C:\WINDOWS\sysad32.exe
+C:\WINDOWS\system32\TASKMAN.EXE
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\system32\WINHLP32.EXE
*C:\WINDOWS\winhlp32.exe
+C:\WINDOWS\REGEDIT.COM
*C:\WINDOWS\regedit.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+592=\SystemRoot\System32\smss.exe
+660=\??\C:\WINDOWS\system32\csrss.exe
+684=\??\C:\WINDOWS\system32\winlogon.exe
+728=C:\WINDOWS\system32\services.exe
+740=C:\WINDOWS\system32\lsass.exe
+892=C:\WINDOWS\system32\svchost.exe
+936=C:\WINDOWS\system32\svchost.exe
+1032=C:\WINDOWS\System32\svchost.exe
+1100=C:\WINDOWS\System32\svchost.exe
+1156=C:\WINDOWS\System32\svchost.exe
+1320=C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
+1336=C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
+1356=C:\Program Files\Norton Internet Security\ISSVC.exe
+1396=C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
+1444=C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
+1460=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
+1960=C:\WINDOWS\system32\spoolsv.exe
+160=C:\WINDOWS\System32\drivers\CDAC11BA.EXE
+440=C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
+524=C:\WINDOWS\System32\tcpsvcs.exe
+616=C:\WINDOWS\System32\svchost.exe
+980=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
+2132=C:\WINDOWS\System32\alg.exe
+3112=C:\WINDOWS\Explorer.EXE
+3220=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
+3256=C:\WINDOWS\System32\hkcmd.exe
+3264=C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
+3276=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
+3368=C:\Program Files\Common Files\Real\Update_OB\realsched.exe
+3400=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
+3428=C:\Program Files\QuickTime\qttask.exe
+3544=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
+3572=C:\WINDOWS\system32\ctfmon.exe
+3780=C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe
+3808=C:\QUICKENW\QWDLLS.EXE
+3860=C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
+3868=C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE
+3908=C:\Program Files\Real\RealPlayer\RealPlay.exe
+3924=C:\Program Files\MSCAN\Msoffice\panel.exe
+3612=C:\WINDOWS\system32\wuauclt.exe
+2576=C:\Documents and Settings\Donald Tuhy\My Documents\Don's Documents\Computer Info\SecurityIssues\StartDrek\StartDreck.exe
+1868=C:\Program Files\Messenger\msmsgs.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User

dctuhy · 10-18-2005, 07:35 AM

Tetonbob:
I almost forgot to answer your last question. WindowsXP was installed in my computer when i received it.....I believe I have the original recovery disks if needed.....

tetonbob · 10-18-2005, 09:47 AM

Launch KillBox.exe & select the following options:

delete on Reboot

Select all the filenames below & then right-click & select Copy

C:\WINDOWS\system32\sysad32.exe
C:\WINDOWS\sysad32.exe

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Quote:

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

Run StartDreck with the same options checked like before. Click on each of the following and hit the Delete button in the program:

*Start Page=about:blank

To make it easier, I suggest doing a search for the above line (in the forum here) so that you have a rough idea of where it's located in the StartDreck program.

I've highlighted it in green here, so you can see the surrounding entries:

»Internet Explorer
»Current User
*Default_Page_URL=http://www.dellnet.com
*Local Page=C:\WINDOWS\system32\blank.htm
*Search Bar=
*Search Page=
*Start Page=about:blank
*SearchAssistant=
+SearchUrl
*provider=
»Default User
*Default_Page_URL=http://www.dellnet.com
*First Home Page=http://www.dellnet.com
*Start Page=http://www.dellnet.com

Next, attach your mwav results to this post, using the Manage Attachments feature on the reply page. I need the results from the Lower Pane, as I believe this is different from the log mwav saves on it's own. Don't worry about line breaks. I can read the log.

dctuhy · 10-19-2005, 08:14 PM

Tetonbob:
I have followed the KillBox deletions as well as the instructions regarding deleting the references to About:blank.
Attached will be the txt file containing the pasted contents from the MWav scan. I was hoping the scan would have been finished this morning when i left for work (I had started it about 5:00 PST when i was up feeding my month-old) but it was still plugging away.....so here it is now......Thank you for your help.....

tetonbob · 10-20-2005, 09:18 AM

Wow -That is some mess you got going on......let's see how we do.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Please use Symantec's guide to remove the Norton Quarantine files.

Please clear your System Restore Points by doing the following:

To turn off System Restore,Click Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Now create a new Restore Point:

To turn on System Restore,Click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

Let's make a backup of your registry. Please download and install ERUNT This will create daily complete backups of your computer's Registry. While System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore disabled. With ERUNT, you're able to restore the damaged Registry. This is a fairly simple program to use. Read the Readme, follow the prompts. If you have questions, post them before proceeding.

Download the file I attached to this post - delbat.zip

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

From within delbat.zip, double click on delbat.bat after it has finished running, run it one more time

Restart in normal mode.

Await further instructions, and report any problems you may have encountered.

tetonbob · 10-20-2005, 10:21 AM

Donald -

In addition to the instructions in my previous post, please confirm that this file is present on your computer:

C:\Program Files\Internet Explorer\iexplore.exe

tetonbob · 10-20-2005, 09:10 PM

Be sure to read my previous two posts, and complete those instructions first.

Next, I have attached another file to this post. Download it to your desktop - regdel.zip

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

From within regdel.zip, double click on regdel & answer YES when prompted to merge into the Registry.

Reboot your system now.

Await further instructions, and post any problems you may have encountered.

10-07-2005, 01:13 AM	#1 (permalink)
dctuhy Registered User Join Date: Oct 2005 Posts: 15 OS: WinXP	CWS.Homesearch / About:Blank / Iefeats I am hoping you might be able to help. I have tried as much as I could on my own. It sounds as though this site is setup for what I need. I have tried to follow the instructions so as to get prepared prior to posting this. I have followed, best as I could, the "5 Step Process" posted by MicroBell. In addition to the recommended scanners, I am running NIS as well as Spyware Xterminator 2005. Neither have been able to clean everthing. The last NIS scan showed: Adware.Iefeats The last SpywareX scan showed: TrojanDownloader.Win32.Agent.bq and CWS.HomeSearch. The most obvious symptom I seem to be experiencing is the hijacking of IE to About:Blank. When I first started experiencing problems, I had installed FireFox, but IE still starts up at boot up, and the default homepage is always About:Blank. Below is the most recent HJT log: Thank you in advance for any assistance you may be able to offer. Please let me know if I missed anything. Logfile of HijackThis v1.99.1 Scan saved at 11:59:52 PM, on 10/6/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\drivers\CDAC11BA.EXE C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\WINDOWS\System32\hkcmd.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe C:\Program Files\Intuit\QAgent\QAGENT.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\mrtMngr.EXE C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\winui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe C:\QUICKENW\QWDLLS.EXE C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE C:\Program Files\MSCAN\Msoffice\panel.exe C:\WINDOWS\system32\apiry.exe C:\WINDOWS\system32\iedh32.exe C:\HJT\HijackThis.exe C:\Program Files\Messenger\msmsgs.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\drgel.dll/sp.html#37049 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#37049 R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: Class - {1A0C07B1-8A80-8824-E4C8-9BF68E8BD009} - C:\WINDOWS\system32\sdktw32.dll O2 - BHO: Class - {6A2CB77E-27C0-8A46-BB24-86C81C3684B5} - C:\WINDOWS\system32\sdktw32.dll O2 - BHO: Class - {94FF99D7-2E37-11BC-607E-4634938059E0} - C:\WINDOWS\mfcih32.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\STOMPS~1\PPMemCheck.exe O4 - HKLM\..\Run: [Spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\STOMPS~1\PPControl.exe O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\STOMPS~1\CookiePatrol.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe O4 - HKLM\..\Run: [netbj.exe] C:\WINDOWS\netbj.exe O4 - HKLM\..\Run: [ipig32.exe] C:\WINDOWS\system32\ipig32.exe O4 - HKLM\..\Run: [sysgo32.exe] C:\WINDOWS\sysgo32.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent O4 - HKLM\..\Run: [Spyware X-terminator] "C:\Program Files\StompSoft\SpywareXterminatorV5\SpywareX.exe" -w -b O4 - HKLM\..\Run: [apinn.exe] C:\WINDOWS\apinn.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [winui.exe] C:\WINDOWS\winui.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/c29211c6/enter.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04512246c97b20b...p/RdxIE601.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120354391703 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/en/wowbeta/Si.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apiry.exe" /s (file missing) O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

10-07-2005, 09:19 AM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,601 OS: 2000 Pro; XP Pro; XP Home	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Click Yes to confirm and then click OK. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Download CWShredder.exe 1. Open CWShredder and click - I AGREE 2. Click - Check For Update 3. Close CWShredder after updating Download AboutBuster and unzip the files to a folder on your Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now. Download and save to your C: drive HSfix.zip Unzip the contents of HSFix.zip and an HSFix directory will be created We'll need this later. Please download Ewido Security Suite at http://www.ewido.net/en/download/. 1. Install Ewido Security Suite. 2. When installing, under 'Additional Options' uncheck: * Install background guard * Install scan via context menu 3. Launch Ewido, there should be an icon on your desktop, double click it. 4. The program will now open to the main screen. 5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment. 6. You will need to update Ewido to the latest definition files. * On the left hand side of the main screen click update. * Then click on Start Update. 7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'. 8. Exit Ewido. DO NOT scan yet. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. NOTE Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility. 'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING Please configure CleanUp with the following settings: Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files [X]Scan local drives for temporary files (Please uncheck* this option) Cleanup! All Users Click OK Press the CleanUp! button to start the program. Reboot/logoff when prompted. Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Click Start->Run - type SERVICES.MSC & then click on the OK button 1. Locate the service - Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) 2. Double-click on it to open the Properties dialog. * Under the General tab, note down the name of "Service name". We shall need it later. * Stop the service by using the Stop button. * Change the Startup type to Disabled & then click on the OK button 3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... 4. In the popup box that appears, type in "Service name" & then click on the OK button Navigate to the HSFix directory you created. Doubleclick on HSFix.reg Click on Yes when it asks for permission to merge with the registry. Start HijackThis & Go to Config> Misc Tools > Open ADS Spy 1. Checkmark/tick - "Ignore Safe System Info Streams" 2. Click the "Scan" button 3. When it has finished scanning, checkmark/tick all that it found 4. Click the "remove selected" button Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check): C:\WINDOWS\winui.exe C:\WINDOWS\system32\apiry.exe C:\WINDOWS\system32\iedh32.exe Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: SpyFighter<<<<it’s rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\drgel.dll/sp.html#37049 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#37049 (FIX ALL R0 & R1 ENTRIES THAT LOOKS SIMILAR TO THIS - res://C:\WINDOWS\**.dll/sp.htm) R3 - Default URLSearchHook is missing O2 - BHO: Class - {1A0C07B1-8A80-8824-E4C8-9BF68E8BD009} - C:\WINDOWS\system32\sdktw32.dll O2 - BHO: Class - {6A2CB77E-27C0-8A46-BB24-86C81C3684B5} - C:\WINDOWS\system32\sdktw32.dll O2 - BHO: Class - {94FF99D7-2E37-11BC-607E-4634938059E0} - C:\WINDOWS\mfcih32.dll O4 - HKLM\..\Run: [netbj.exe] C:\WINDOWS\netbj.exe O4 - HKLM\..\Run: [ipig32.exe] C:\WINDOWS\system32\ipig32.exe O4 - HKLM\..\Run: [sysgo32.exe] C:\WINDOWS\sysgo32.exe O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent O4 - HKLM\..\Run: [apinn.exe] C:\WINDOWS\apinn.exe O4 - HKLM\..\Run: [winui.exe] C:\WINDOWS\winui.exe O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/c29211c6/enter.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04512246c97b20...ip/RdxIE601.cab O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apiry.exe" /s (file missing) Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\system32\wnhwi.dll C:\WINDOWS\system32\drgel.dll C:\WINDOWS\system32\sdktw32.dll C:\WINDOWS\mfcih32.dll C:\WINDOWS\netbj.exe C:\WINDOWS\system32\ipig32.exe C:\WINDOWS\sysgo32.exe C:\Program Files\SpyFighter C:\WINDOWS\apinn.exe C:\WINDOWS\winui.exe C:\WINDOWS\system32\apiry.exe** Run CWShredder & click on Fix. Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here. Now open Ewido and do a scan on your system. * Click on scanner * Click on Complete System Scan and the scan will begin. * NOTE: During some scans with Ewido it is finding cases of false positives. o You will need to step through the process of cleaning files one-by-one. o If Ewido detects a file you KNOW to be legitimate, select none as the action. o Do NOT select 'Perform action on all infections' o If you are unsure of any entry found, select none for now as the action. * Once the scan has completed, there will be a button located on the bottom of the screen named Save report * Click Save report. * Save the report .txt file to your desktop or a location where you can find it easily. Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective. Restart in normal mode now and run a new HijackThis scan. Save the log file and post it here. Perform an online scan with Internet Explorer with Kaspersky WebScanner Next Click on Launch Kaspersky Anti-Virus Web Scanner You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Standard Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. Take note the names and locations of any file it detects but fails to clean. * Turn off the real time scanner of any existing antivirus program while performing the online scan Please return with logs from: AboutBuster Ewdio HJT Kaspersky Online Scan __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

10-15-2005, 08:08 AM	#4 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,601 OS: 2000 Pro; XP Pro; XP Home	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. I know you're trying to help by presenting it in such a way, but it does make thing more difficult for me to wade through. Hopefully you did nothing to those other 2 legit services. My directions are fairly clear, I think. Part of them say to ask questions before performing any actions if you are unsure. The steps are lined out in the order they need to be followed. May I suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread". A week between replies may allow things to get worse. Before we begin the fix, we need to unload Spybot's Teatimer. To do this, right-click on the icon in the quick launch toolbar at the bottom on the screen, then select "Exit". We've noticed an issue recently with AboutBuster and Updates. Please delete the entire folder you have. Then Download AboutBuster and unzip the files to a folder on your Desktop. Do NOT update as before. Do not run it yet. Update Ewido's definitions. I would like you to run it again in safe mode where indicated. It should take much less time, this time. Try to save the report. Nothing we've done should have buggered IE, but it appears you were severely infected. Let's try registering Internet Explorer's DLL files. Go to Start->Run and copy and paste the following into the Run box and hit OK (go to Start->Run again for each one): regsvr32 Shdocvw.dll regsvr32 Shell32.dll regsvr32 Oleaut32.dll regsvr32 Actxprxy.dll regsvr32 Mshtml.dll regsvr32 Urlmon.dll Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Now open Ewido and do a scan on your system. * Click on scanner * Click on Complete System Scan and the scan will begin. * NOTE: During some scans with Ewido it is finding cases of false positives. o You will need to step through the process of cleaning files one-by-one. o If Ewido detects a file you KNOW to be legitimate, select none as the action. o Do NOT select 'Perform action on all infections' o If you are unsure of any entry found, select none for now as the action. * Once the scan has completed, there will be a button located on the bottom of the screen named Save report * Click Save report. * Save the report .txt file to your desktop or a location where you can find it easily. Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R3 - Default URLSearchHook is missing O2 - BHO: Class - {94FF99D7-2E37-11BC-607E-4634938059E0} - C:\WINDOWS\mfcih32.dll (file missing) O4 - HKLM\..\Run: [netbj.exe] C:\WINDOWS\netbj.exe O4 - HKLM\..\Run: [sysgo32.exe] C:\WINDOWS\sysgo32.exe O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent Locate the following Files/Folders and delete them if they exist: C:\WINDOWS\netbj.exe C:\WINDOWS\sysgo32.exe C:\Program Files\SpyFighter Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here. Restart in normal mode now. Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button). Choose Save, NOT run, and save to your desktop Double-click the tmas-web-scan.exe icon It will say "Loading TrendMicro definitions". Click "Start Scan" After it's done scanning, click "Scan Results" Make sure all items found have a check next to them, then click "Clean Threats Now". Click Exit. Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here. Run an online scan with Trend's Housecall This version supports all browsers. Follow the prompts, and Choose any Auto-Clean feature, if available. Restart and run a new HijackThis scan. Save the log file and post it here. Please return with results from: Ewido Ab LogFile.txt Antispyware.log Trend's Housecall HJT How is IE now? __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

10-15-2005, 12:02 PM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,601 OS: 2000 Pro; XP Pro; XP Home	I won't mind the number of posts....this way is better. Try this: Open Spybot Search & Destroy. In the Mode menu click "Advanced mode" if not already selected. Choose "Yes" at the Warning prompt. Expand the "Tools" menu. Click "Resident". Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box. In the File menu click "Exit" to exit Spybot Search & Destroy. If that fails, then proceed to use the TaskManager. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009 Last edited by tetonbob; 10-15-2005 at 12:04 PM.

10-15-2005, 02:01 PM	#8 (permalink)
dctuhy Registered User Join Date: Oct 2005 Posts: 15 OS: WinXP	Ewido Additionally, the Ewido Security Suite does not appear to be functioning any longer. When I double-click on the icon, nothing happens. My first thought would be to un-install it and then download it and install it again, but as my intuition seems to be getting me in more trouble than anything else these days, I thought I would check before proceeding. I am getting a little paranoid with all of this now......Are all the things I am experiencing because of the infections that someone dreamed up seemingly for the purpose af wreaking havok?? Thank you, sincerely, for your help.....

10-14-2005, 11:10 PM	#3 (permalink)
dctuhy Registered User Join Date: Oct 2005 Posts: 15 OS: WinXP	First of all, I thank you for your forum, and your technical experience and asistance with all of this. I have copied the previous message from TetonBob in order to comment upon my progress. Those instructions that were carried out without issue have been deleted or reduced in size for purposes of keeping the size of this post to a minimum. I hope I did not make a mess out of this with the formatting...If so, please let me know, we can then just delete this post and I will re-post another one without trying to highlight my comments. Download AboutBuster and unzip the files to a folder on your Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now. After AboutBuster was downloaded & unzipped, when I tried to Check for Updates or try to run the program, I received the following: "Run-Time Error, Invalid Procedure Call" Click Start->Run - type SERVICES.MSC & then click on the OK button 1. Locate the service - Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) ** There were 2 different Services listed: "Workstation" and "NetLogon", but there was not a "Workstation NetLogon Service( )" listed 2. Double-click on it to open the Properties dialog. * Under the General tab, note down the name of "Service name". We shall need it later. ** In following instructions using "NetLogon" service, the "Service name" listed was "lanmanworkstation" * Stop the service by using the Stop button. ** Neither Service ("NetLogon" nor "Workstation") was shown are currently running. * Change the Startup type to Disabled & then click on the OK button 3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... 4. In the popup box that appears, type in "Service name" & then click on the OK button When following instr. using "NetLogon" and then entering "lanmanworkstation" as ServiceName, received msg: "The service you entered is system critical! It can't be deleted" Navigate to the HSFix directory you created. Doubleclick on HSFix.reg Click on Yes when it asks for permission to merge with the registry. Start HijackThis & Go to Config> Misc Tools > Open ADS Spy 1. Checkmark/tick - "Ignore Safe System Info Streams" 2. Click the "Scan" button 3. When it has finished scanning, checkmark/tick all that it found 4. Click the "remove selected" button Many found and removed...it took about an hour just to select all those that were found. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check): C:\WINDOWS\winui.exe C:\WINDOWS\system32\apiry.exe C:\WINDOWS\system32\iedh32.exe None of the above processes listed. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: SpyFighter<<<<it’s rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection. Spyfigter not listed Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): Red entries were located and fixed. Others were not listed. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#37049 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#44768 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\drgel.dll/sp.html#37049 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wnhwi.dll/sp.html#37049 (FIX ALL R0 & R1 ENTRIES THAT LOOKS SIMILAR TO THIS - res://C:\WINDOWS\.dll/sp.htm) There were 8 entries that fir this criteria....all fixed R3 - Default URLSearchHook is missing O2 - BHO: Class - {1A0C07B1-8A80-8824-E4C8-9BF68E8BD009} - C:\WINDOWS\system32\sdktw32.dll O2 - BHO: Class - {6A2CB77E-27C0-8A46-BB24-86C81C3684B5} - C:\WINDOWS\system32\sdktw32.dll O2 - BHO: Class - {94FF99D7-2E37-11BC-607E-4634938059E0} - C:\WINDOWS\mfcih32.dll O4 - HKLM\..\Run: [netbj.exe] C:\WINDOWS\netbj.exe O4 - HKLM\..\Run: [ipig32.exe] C:\WINDOWS\system32\ipig32.exe O4 - HKLM\..\Run: [sysgo32.exe] C:\WINDOWS\sysgo32.exe O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent O4 - HKLM\..\Run: [apinn.exe] C:\WINDOWS\apinn.exe O4 - HKLM\..\Run: [winui.exe] C:\WINDOWS\winui.exe O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/c29211c6/enter.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04512246c97b20...ip/RdxIE601.cab O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apiry.exe" /s (file missing) Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\system32\wnhwi.dll C:\WINDOWS\system32\drgel.dll C:\WINDOWS\system32\sdktw32.dll C:\WINDOWS\mfcih32.dll: There was not a .dll extention listed, but I "fixed" it anyway C:\WINDOWS\netbj.exe C:\WINDOWS\system32\ipig32.exe C:\WINDOWS\sysgo32.exe: There was not a .exe extention listed, but it was listed as an application - I "fixed" it anyway C:\Program Files\SpyFighter C:\WINDOWS\apinn.exe C:\WINDOWS\winui.exe: There was not a .exe extention listed, but it was listed as an application - I "fixed" it anyway[/color] C:\WINDOWS\system32\apiry.exe: There was not a .exe extention listed, but it was listed as an application - I "fixed" it anyway[/color] Run CWShredder & click on Fix. "0 Restored, None Infected" Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here. As mentioned above, could not run AboutBuster: "Run-Time Error, Invalid Procedure Call" Now open Ewido and do a scan on your system. * Click on scanner * Click on Complete System Scan and the scan will begin. * NOTE: During some scans with Ewido it is finding cases of false positives. o You will need to step through the process of cleaning files one-by-one. o If Ewido detects a file you KNOW to be legitimate, select none as the action. o Do NOT select 'Perform action on all infections' o If you are unsure of any entry found, select none for now as the action. * Once the scan has completed, there will be a button located on the bottom of the screen named Save report * Click Save report. * Save the report .txt file to your desktop or a location where you can find it easily. Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective. The Ewido scan actually located 10,805 infections. All of them removed, as instructed, individually. These were all "Spyware", "Trojan Downloader", or "Trojan Agent" infections. After considerable time, these were were all removed. BUT...unfortunately, in the process of removing the infections, while trying to keep my 2 little girls away from the computer long enough to finish, the process was completed, but then Ewido closed before I could save the log file. I tried to go back into the program afterwards to retreive the log, but I was not able to open it back up again??? Restart in normal mode now and run a new HijackThis scan. Save the log file and post it here. See below Perform an online scan with Internet Explorer with Kaspersky WebScanner Next Click on Launch Kaspersky Anti-Virus Web Scanner You will be prompted to install an ActiveX component from Kaspersky, Click Yes. * The program will launch and then begin downloading the latest definition files: * Once the files have been downloaded click on NEXT * Now click on Scan Settings * In the scan settings make that the following are selected: o Scan using the following Anti-Virus database: o Standard o Scan Options: o Scan Archives Scan Mail Bases * Click OK * Now under select a target to scan: o Select My Computer * This will program will start and scan your system. * The scan will take a while so be patient and let it run. * Once the scan is complete it will display if your system has been infected. o Now click on the Save as Text button: * Save the file to your desktop. * Copy and paste that information in your next post. Take note the names and locations of any file it detects but fails to clean. * Turn off the real time scanner of any existing antivirus program while performing the online scan Kaspersky scan could not be run because it seems that after completing the proceeding instuctions, I am unable to launch IE (After being infected to begin with, I stated using Firefox, but I was still able to lauch IE, until now???) Please return with logs from: AboutBuster As noted, I downloded and unzipped AboutBuster, but could not update nor Run because of a RunTimeError Ewdio As noted, although I ran the scan, and removed many infections, Ewido was closed before the log file was saved. I believe one of my kids had something to do with this premature closure.....ooops! HJT Logfile of HijackThis v1.99.1 Scan saved at 8:39:25 PM, on 10/14/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\drivers\CDAC11BA.EXE C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\WINDOWS\System32\hkcmd.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe C:\QUICKENW\QWDLLS.EXE C:\Program Files\TextBridge Classic\Bin\TBMenu.exe C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE C:\Program Files\MSCAN\Msoffice\panel.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R3 - Default URLSearchHook is missing O2 - BHO: Class - {94FF99D7-2E37-11BC-607E-4634938059E0} - C:\WINDOWS\mfcih32.dll (file missing) O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [Spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\STOMPS~1\PPControl.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [netbj.exe] C:\WINDOWS\netbj.exe O4 - HKLM\..\Run: [sysgo32.exe] C:\WINDOWS\sysgo32.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent O4 - HKLM\..\Run: [Spyware X-terminator] "C:\Program Files\StompSoft\SpywareXterminatorV5\SpywareX.exe" -w -b O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/c29211c6/enter.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04512246c97b20b...p/RdxIE601.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120354391703 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/en/wowbeta/Si.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe Kaspersky Online Scan As noted, I was not able to run this scan, because I could not launch IE

10-15-2005, 11:47 AM	#5 (permalink)
dctuhy Registered User Join Date: Oct 2005 Posts: 15 OS: WinXP	Thank you for the quick response. As requested, I will ask questions that come up as I proceed. My intent was to reduce the number of posts that anyone would need to go through.....The infections do seem to affecting more as time goes by. I no longer have access to my e-mail (using Roadrunner Webmail, the browser states that the connection to the Webmail site (and some other, but not all sites) has been refused. This may be something that is resolved when everything gets cleaned....It just means that although I did subscribe to the thread, I will need to check preogress directly through the site, and not by any notifications. **Spybot Teatimer: The first step can not be completed as instructed. The Spybot Icon in the quick lanch toolbar initially appears but then disappears as soon as I move the cursor over it. It seems that I may be able to stop Teatimer through Task Manager --> Processes --> TeaTimer.exe --> End Process. Should I proceed in this manner??

10-15-2005, 01:42 PM	#7 (permalink)
dctuhy Registered User Join Date: Oct 2005 Posts: 15 OS: WinXP	OK...whatever works best for you...I am at your mercy. The link you provided for AboutBuster does not seem to work. I was able to get to www.malwarebytes.org, and have downloaded and unzipped AboutBuster5.1 to my Desktop as directed. Would the broken link, or anything else at this point have anything to do with the infections I have?

10-15-2005, 11:02 PM	#10 (permalink)
dctuhy Registered User Join Date: Oct 2005 Posts: 15 OS: WinXP	Hopefully, this went as expected...... Please return with results from: Ewido Skipped Ewido at this point Ab LogFile.txt Skipped AboutBuster at this point Antispyware.log Started Scanning Internet Cookies Programs in Memory Windows Registry Found '' in 'Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\PrecisionTime' Found '' in 'SOFTWARE\Classes\AppID\urlcli.DLL' Found '' in 'SOFTWARE\MyWay' Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall' Found '' in 'SOFTWARE\Classes\MyWayToolBar.SettingsPlugin.1' Found '' in 'SOFTWARE\Classes\MyWayToolBar.SettingsPlugin' Found '' in 'SOFTWARE\Classes\MyWayToolBar.NetscapeStartup.1' Found '' in 'SOFTWARE\Classes\MyWayToolBar.NetscapeStartup' Found '' in 'SOFTWARE\Classes\MyWayToolBar.NetscapeShutdown.1' Found '' in 'SOFTWARE\Classes\MyWayToolBar.NetscapeShutdown' Found '' in 'SOFTWARE\Classes\CLSID\{014DA6CD-189F-421a-88CD-07CFE51CFF10}' Found '' in 'Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}' Found '' in 'CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}' Found '' in 'SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5}' Internet URL Shortcuts Files and Directories Found '' in 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games' Found '' in 'C:\WINDOWS\SYSTEM32\FLEOK' Found 'mseggo.gif' in 'C:\WINDOWS\SYSTEM32' Finished Scanning Started Backup Finished Backup Started Cleaning Checking for 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games' in shortcut areas. Checking for 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games' in startup areas. Cleaning 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games' Checking for 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games\Big Fish Games.url' in shortcut areas. Checking for 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games\Big Fish Games.url' in startup areas. Cleaning 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games\Big Fish Games.url' Checking for 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games\FlyorDie Games.url' in shortcut areas. Checking for 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games\FlyorDie Games.url' in startup areas. Cleaning 'C:\Documents and Settings\Donald Tuhy\Favorites\AT-Games\FlyorDie Games.url' Checking for 'C:\WINDOWS\SYSTEM32\FLEOK' in shortcut areas. Checking for 'C:\WINDOWS\SYSTEM32\FLEOK' in startup areas. Cleaning 'C:\WINDOWS\SYSTEM32\FLEOK' Checking for 'C:\WINDOWS\SYSTEM32\mseggo.gif' in shortcut areas. Checking for 'C:\WINDOWS\SYSTEM32\mseggo.gif' in startup areas. Cleaning 'C:\WINDOWS\SYSTEM32\mseggo.gif' Finished Cleaning Started Scanning Internet Cookies Programs in Memory Windows Registry Internet URL Shortcuts Files and Directories Finished Scanning Trend's Housecall Housecall: Auto-clean feature not available 8 detections (2) TROJ_STARTPAG.RE (5) TROJ_AGENT.ABJ (1) TROJ_AGENT.ACN I tried to clean, but did not have a "ticket number". I attempted to get a ticket number, but it said it was not able to connect to the "ticket server". Looks like I may need to purchase the program, which i am willing to do, f beneficial, in the future. There was additional information available through Trend regarding how to remove the 1st 2 infections, I printed these out, but did not do anything other than the scan. HJT Logfile of HijackThis v1.99.1 Scan saved at 9:42:11 PM, on 10/15/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\drivers\CDAC11BA.EXE C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\WINDOWS\System32\hkcmd.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe C:\QUICKENW\QWDLLS.EXE C:\Program Files\TextBridge Classic\Bin\TBMenu.exe C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE C:\Program Files\MSCAN\Msoffice\panel.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [Spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\STOMPS~1\PPControl.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Spyware X-terminator] "C:\Program Files\StompSoft\SpywareXterminatorV5\SpywareX.exe" -w -b O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/c29211c6/enter.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04512246c97b20b...p/RdxIE601.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120354391703 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/en/wowbeta/Si.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

10-16-2005, 08:17 AM	#11 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,601 OS: 2000 Pro; XP Pro; XP Home	The results from that Housecall scan are not what I expected. Hmmmm....there should have been a way for Housecall to delete any file it couldn't cure. I can't help you remove infections without seeing the files that are responsible. If it gave you more precise information, (file name and location) I'm sure you would have included it. Your HJT log is clean. Unfortunately, HJT does not see everything out there these days. Does your IE work? If so, perform a Panda Online Scan. If not.... Will Ewido work? IF so, run it and post results.....if not.... We can try another scanner tool which will help me ID the associated files if the answers to my 2 questions are no. No need to purchase any tools yet. If the answers to my 2 questions are no, do this: Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool. Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3) 1. Save it to a folder. 2. Reboot into Safe Mode. 3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything. 4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane. 5. In the Virus Log Information Pane...... Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file Note If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files. Once you copy that to a Notepad file...highlight the text and copy it here. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

10-16-2005, 11:07 PM	#12 (permalink)
dctuhy Registered User Join Date: Oct 2005 Posts: 15 OS: WinXP	Additional data I'm sorry....I did not include the additional information from the previous Houecall scan. After the scan finished, I saw no way of saving a log file, so I took some screen shots with as much info as I could, in case I needed to refer back to anything. I knew the Infection names would be the first part of it, and the way the window appear, I could not scroll over to view the entire filname, and I could not copy the entrie line either...so I left it off my last post..... InfectionName: Filename: TROJ_STARTPAG.RE(1) C:System Volume Information\_restore(21D7DD692-4662- TROJ_AGENT.ABJ(1) C:System Volume Information\_restore(21D7DD692-4662- TROJ_STARTPAG.RE(2) C:System Volume Information\_restore(21D7DD692-4662- TROJ_AGENT.ACN(1) C:\WINDOWS\SYSTEM32\ntvo32.exe TROJ_AGENT.ABJ(2) C:\WINDOWS\SYSTEM32\sdkhs.exe TROJ_AGENT.ABJ(3) C:\WINDOWS\atlzk.exe TROJ_AGENT.ABJ(4) C:\WINDOWS\d3yu.exe TROJ_AGENT.ABJ(5) C:\WINDOWS\syscs32.exe The answers to your 2 initial questions from the last post: ** No, I can not launch either IE nor Ewido at this point. I had registered the IE .dll files as instructed, and according to my system, everything registered OK. I wanted to get you the missing info from the Houscall scan, before working through the last instructions from your post; 10-16-05_07:17, but I expect that this is where I will begin. I was away from the house / computer most of the day Sunday, so I lost yet another day in this process. Thank you for your help, and your patience. Regards.....

10-18-2005, 07:32 AM	#14 (permalink)
dctuhy Registered User Join Date: Oct 2005 Posts: 15 OS: WinXP	MWav & StartDrek logs Tetonbob: This post contains the logs for MWav and StartDreck. (Actually only StartDreck....see below) I followed the instructions for the MWav scan which stated to Copy everything from the Lower Pan to a Notepad file, and then I noticed that the file seemed to contain no line breaks (in the text file the line breaks are actually there...there just do not appear as break in the txt file. Then I noticed the program created its own log file, so I saved it that way as well, and saw that this file did contain line breaks, and I first thought it might be easier for you to go through it if it contained these breaks, so I initially pasted this file into this post, but then noticed that it took considerable time to paste into this post, and considerable time to go preview it because of the number of lines it contained (?).....So I deleted that part of it and will now try and paste it in, as per you instructions, which seem to be very specifc for reasons I may not see on my side. I hope this comes through the way you wanted to see it. It looks like I need to give you these logs in 2 separate posts: With both logs: "The text that you have entered is too long (1546183 characters). Please shorten it to 100000 characters long." OK...that will not work either: The MWav log, as was, contained 1,535,427 characters.....The forum limits the posts to 100,000 char (justifiably so!) I noticed some repeition, so I replaced the text "Action Taken: No Action Taken" with "AT:NAT", hoping that this will reduce the size enough to get this through. I am afraid now that it might make this thread, all together, possibly too large to be working with? Please advise... Well that only reduced it to 1,287,289 char. you mentioned that the MWav scan will take some time...you weren't kidding, were you! I could keep trying to replace text with shorter strings, but I am thinking now it may not be enough....As such, I will post only the StartDreck log in this post, please let me know what to do with the MWav log (be nice!) Thankyou, once again, for your help. StartDreck Log File StartDreck (build 2.1.7 public stable) - 2005-10-18 @ 05:07:44 (GMT -07:00) Platform: Windows XP (Win NT 5.1.2600 Service Pack 2) Internet Explorer: 6.0.2900.2180 Logged in as Donald Tuhy at DB939P11 »Registry »Run Keys »Current User »Run ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe »RunOnce »Default User »Run »RunOnce »Local Machine »Run Microsoft Works Update Detection=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe IgfxTray=C:\WINDOWS\System32\igfxtray.exe HotKeysCmds=C:\WINDOWS\System32\hkcmd.exe AdaptecDirectCD="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" HPDJ Taskbar Utility=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer Spyware X-terminator Control Center=C:\PROGRA~1\STOMPS~1\STOMPS~1\PPControl.exe TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot SunJavaUpdateSched=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime Spyware X-terminator="C:\Program Files\StompSoft\SpywareXterminatorV5\SpywareX.exe" -w -b KernelFaultCheck=%systemroot%\system32\dumprep 0 -k ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" +OptionalComponents +MSFS Installed=1 +MAPI Installed=1 NoChange=1 +MAPI Installed=1 NoChange=1 »RunOnce »RunServices »RunServicesOnce »RunOnceEx »RunServicesOnceEx »File Associations (CR) +.bat batfile="%1" %* +.com comfile="%1" % +.disabled SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1" +.exe exefile="%1" %* +.hta htafile=C:\WINDOWS\System32\mshta.exe "%1" % +.htm FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" +.html FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" +.js JSFile=%SystemRoot%\System32\WScript.exe "%1" % +.jse JSEFile=%SystemRoot%\System32\WScript.exe "%1" % +.pif piffile="%1" % +.reg regfile=regedit.exe "%1" +.scr scrfile="%1" /S +.txt txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1 +.vbs VBSFile=%SystemRoot%\System32\WScript.exe "%1" %* +.vbe VBEFile=%SystemRoot%\System32\WScript.exe "%1" % +.wsh WSHFile=%SystemRoot%\System32\WScript.exe "%1" % +.wsf WSFFile=%SystemRoot%\System32\WScript.exe "%1" % +.lnk `lnkfile= [key or value does not exist] »Active Setup (LM) +Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c} StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE +Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP +Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE +Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED} StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll +Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C} StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install +NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B} StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT +Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278} StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf +Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be} StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser +Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6} StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub +Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02} StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install +Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340} StubPath=regsvr32.exe /s /n /i:U shell32.dll +Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383} StubPath=%SystemRoot%\system32\ie4uinit.exe +Fax/{8b15971b-5355-4c82-8c07-7e181ea07608} StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser »Browser Helper Objects (LM) Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872} `InprocServer32=C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll »Internet Explorer »Current User Default_Page_URL=http://www.dellnet.com Local Page=C:\WINDOWS\system32\blank.htm Search Bar= Search Page= Start Page=about:blank SearchAssistant= +SearchUrl provider= »Default User Default_Page_URL=http://www.dellnet.com First Home Page=http://www.dellnet.com Start Page=http://www.dellnet.com »Local Machine Default_Search_URL= Local Page=%SystemRoot%\system32\blank.htm Search Bar= Search Page= Start Page=about:blank CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm »ShellServiceObjectDelayLoad (LM) PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9} `InprocServer32=%SystemRoot%\system32\SHELL32.dll CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9} `InprocServer32=%SystemRoot%\system32\SHELL32.dll WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED} `InprocServer32=%SystemRoot%\System32\webcheck.dll SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153} `InprocServer32=C:\WINDOWS\System32\stobject.dll UPnPMonitor={e57ce738-33e8-4c51-8354-bb4de9d215d1} `InprocServer32=C:\WINDOWS\system32\upnpui.dll »Special NT Values »Current User Load= Run= Programs=com exe bat pif cmd SHELL= »Default User Load= Run= Programs=com exe bat pif cmd SHELL= »Local Machine AppInit_DLLs= SHELL=Explorer.exe Userinit=C:\WINDOWS\system32\userinit.exe, »Files »Autostart Folders »Current User C:\Documents and Settings\Donald Tuhy\Start Menu\Programs\Startup\DESKTOP.INI C:\Documents and Settings\Donald Tuhy\Start Menu\Programs\Startup\TextBridge Instant Access OCR.lnk C:\Documents and Settings\Donald Tuhy\Start Menu\Programs\Startup\Watch.lnk »Default User C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\DESKTOP.INI »Local Machine C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk »INI-Files »WIN.INI\[windows] LOAD= RUN= »SYSTEM.INI\[boot] SHELL=Explorer.exe »Text Files C:\boot.ini `[boot loader] `timeout=30 `default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS `[operating systems] `multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn C:\msdos.sys C:\config.sys C:\WINDOWS\system32\config.nt `dos=high, umb `device=%SystemRoot%\system32\himem.sys `files=40 C:\autoexec.bat C:\WINDOWS\system32\autoexec.nt `@echo off `lh %SystemRoot%\system32\mscdexnt.exe `lh %SystemRoot%\system32\redir `lh %SystemRoot%\system32\dosx `SET BLASTER=A220 I5 D1 P330 T3 »Program Files C:\ntldr C:\ntdetect.com C:\io.sys C:\WINDOWS\system32\win.com C:\WINDOWS\explorer.exe »%PATH% Companion Files +C:\WINDOWS\system32\TASKMGR.COM C:\WINDOWS\system32\taskmgr.exe +C:\WINDOWS\system32\notepad.exe C:\WINDOWS\notepad.exe +C:\WINDOWS\system32\slrundll.exe C:\WINDOWS\slrundll.exe +C:\WINDOWS\system32\sysad32.exe C:\WINDOWS\sysad32.exe +C:\WINDOWS\system32\TASKMAN.EXE C:\WINDOWS\TASKMAN.EXE +C:\WINDOWS\system32\WINHLP32.EXE C:\WINDOWS\winhlp32.exe +C:\WINDOWS\REGEDIT.COM *C:\WINDOWS\regedit.exe »System/Drivers »Running Processes +0=<idle> +4=<system> +592=\SystemRoot\System32\smss.exe +660=\??\C:\WINDOWS\system32\csrss.exe +684=\??\C:\WINDOWS\system32\winlogon.exe +728=C:\WINDOWS\system32\services.exe +740=C:\WINDOWS\system32\lsass.exe +892=C:\WINDOWS\system32\svchost.exe +936=C:\WINDOWS\system32\svchost.exe +1032=C:\WINDOWS\System32\svchost.exe +1100=C:\WINDOWS\System32\svchost.exe +1156=C:\WINDOWS\System32\svchost.exe +1320=C:\Program Files\Common Files\Symantec Shared\ccProxy.exe +1336=C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe +1356=C:\Program Files\Norton Internet Security\ISSVC.exe +1396=C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe +1444=C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe +1460=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe +1960=C:\WINDOWS\system32\spoolsv.exe +160=C:\WINDOWS\System32\drivers\CDAC11BA.EXE +440=C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe +524=C:\WINDOWS\System32\tcpsvcs.exe +616=C:\WINDOWS\System32\svchost.exe +980=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe +2132=C:\WINDOWS\System32\alg.exe +3112=C:\WINDOWS\Explorer.EXE +3220=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe +3256=C:\WINDOWS\System32\hkcmd.exe +3264=C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe +3276=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe +3368=C:\Program Files\Common Files\Real\Update_OB\realsched.exe +3400=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe +3428=C:\Program Files\QuickTime\qttask.exe +3544=C:\Program Files\Common Files\Symantec Shared\ccApp.exe +3572=C:\WINDOWS\system32\ctfmon.exe +3780=C:\WINDOWS\TWAIN_32\ScanWiz5\SDII.exe +3808=C:\QUICKENW\QWDLLS.EXE +3860=C:\Program Files\TextBridge Classic\Bin\TBMenu.exe +3868=C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE +3908=C:\Program Files\Real\RealPlayer\RealPlay.exe +3924=C:\Program Files\MSCAN\Msoffice\panel.exe +3612=C:\WINDOWS\system32\wuauclt.exe +2576=C:\Documents and Settings\Donald Tuhy\My Documents\Don's Documents\Computer Info\SecurityIssues\StartDrek\StartDreck.exe +1868=C:\Program Files\Messenger\msmsgs.exe »VMM32Files (LM) »%System%\VMM32 »%System%\IOSUBSYS »Application specific »MS Office 97/8.0 STARTUP-PATH »Current User »Default User »Local Machine »ICQ NetDetect »Current User »Default User

10-18-2005, 07:35 AM	#15 (permalink)
dctuhy Registered User Join Date: Oct 2005 Posts: 15 OS: WinXP	Windows XP Tetonbob: I almost forgot to answer your last question. WindowsXP was installed in my computer when i received it.....I believe I have the original recovery disks if needed.....

10-20-2005, 09:18 AM	#18 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,601 OS: 2000 Pro; XP Pro; XP Home	Wow -That is some mess you got going on......let's see how we do. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Click Yes to confirm and then click OK. Please use Symantec's guide to remove the Norton Quarantine files. Please clear your System Restore Points by doing the following: To turn off System Restore,Click Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK. Now create a new Restore Point: To turn on System Restore,Click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK. Let's make a backup of your registry. Please download and install ERUNT This will create daily complete backups of your computer's Registry. While System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore disabled. With ERUNT, you're able to restore the damaged Registry. This is a fairly simple program to use. Read the Readme, follow the prompts. If you have questions, post them before proceeding. Download the file I attached to this post - delbat.zip Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. From within delbat.zip, double click on delbat.bat after it has finished running, run it one more time Restart in normal mode. Await further instructions, and report any problems you may have encountered. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009 Last edited by tetonbob; 01-18-2006 at 08:20 PM.

10-20-2005, 10:21 AM	#19 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,601 OS: 2000 Pro; XP Pro; XP Home	Donald - In addition to the instructions in my previous post, please confirm that this file is present on your computer: C:\Program Files\Internet Explorer\iexplore.exe __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

10-20-2005, 09:10 PM	#20 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,601 OS: 2000 Pro; XP Pro; XP Home	Be sure to read my previous two posts, and complete those instructions first. Next, I have attached another file to this post. Download it to your desktop - regdel.zip Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. From within regdel.zip, double click on regdel & answer YES when prompted to merge into the Registry. Reboot your system now. Await further instructions, and post any problems you may have encountered. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009 Last edited by tetonbob; 01-18-2006 at 08:20 PM.