Computer running very very slow

onstar · 02-24-2006, 07:03 AM

Hi,

I was advised to post a hijackthis log here.

I run win 2000, pentium 4, DSL. I still have lots of space in the PC.

My computer started running slowly to the point it takes up to 5 minutes to open up a notepad. It doesn't connect to the internet anymore. I have used ad-aware se, kaspersky, ewido, and cleanup. Kaspersky was able to find and delete 5 viruses. Since then, no more virus or anything could be seen, yet there is no improvement.

I was able to run my computer in safe mode and obtained this log below:

Logfile of HijackThis v1.99.1
Scan saved at 6:34:41 PM, on 2/21/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\uzo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\WINNT\System32\BhoSSafe.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbi...3/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37380.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbi...20/McGDMgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

Mods note:

Please do not wrap logs in any sort of code tags. It makes the log more difficult to read.

**POADB** · 02-24-2006, 11:13 AM

Can you access Normal Mode? If so, any future HJT logs MUST come from Normal Mode. HJT fixes are performed in Safe Mode.

You are running multiple AntiVirus programs. I understand you're urgency and persistence to clean your machine, but keeping mutiple AV's installed has undesired effects on a computer. Please choose one.

Download & RUN WinsockFix.zip - Unzip & Run - This should enable you to get online again.

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.

Click on see report. Then click Save report

Please post that log in your next reply.

onstar · 02-24-2006, 09:11 PM

POADB,

Thanks for your effort to help. I am now able to connect online. I have the report from pandascan below:

HTML Code:

Incident                                                                        Status                        Location                                                                                                                                                                                                                                                        

Adware:adware/adsmart                                                           Not disinfected               C:\WINNT\SYSTEM32\vx.tll                                                                                                                                                                                                                                        
Adware:adware/superspider                                                       Not disinfected               C:\Documents and Settings\uzo\Favorites\Online Dating.url                                                                                                                                                                                                       
Adware:adware/popuper                                                           Not disinfected               C:\Documents and Settings\uzo\Favorites\Online Gambling.url                                                                                                                                                                                                     
Adware:adware/msxmidi                                                           Not disinfected               C:\WINNT\msxmidi.exe                                                                                                                                                                                                                                            
Adware:adware/downloadware                                                      Not disinfected               C:\PROGRAM FILES\MediaLoads                                                                                                                                                                                                                                     
Spyware:spyware/smitfraud                                                       Not disinfected               Windows Registry                                                                                                                                                                                                                                                
Spyware:Cookie/Doubleclick                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@doubleclick[1].txt                                                                                                                                                                                                    
Spyware:Cookie/YieldManager                                                     Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@ad.yieldmanager[1].txt                                                                                                                                                                                                
Spyware:Cookie/Atlas DMT                                                        Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@atdmt[2].txt                                                                                                                                                                                                          
Spyware:Cookie/Advertising                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@advertising[1].txt                                                                                                                                                                                                    
Adware:Adware/SAHAgent                                                          Not disinfected               C:\WINDOWS\INF\payload.inf                                                                                                                                                                                                                                      
Adware:Adware/SAHAgent                                                          Not disinfected               C:\WINDOWS\INF\BI.INF                                                                                                                                                                                                                                           
Adware:Adware/RCSync                                                            Not disinfected               C:\WINDOWS\Downloaded Program Files\default.inf                                                                                                                                                                                                                 
Spyware:Cookie/RealMedia                                                        Not disinfected               C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp                                                                                                                                                                                                               
Spyware:Cookie/Doubleclick                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@doubleclick[1].txt                                                                                                                                                                                                    
Spyware:Cookie/YieldManager                                                     Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@ad.yieldmanager[1].txt                                                                                                                                                                                                
Spyware:Cookie/Atlas DMT                                                        Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@atdmt[2].txt                                                                                                                                                                                                          
Spyware:Cookie/Advertising                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@advertising[1].txt                                                                                                                                                                                                    
Spyware:Cookie/Belnk                                                            Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@belnk[1].txt                                                                                                                                                                                                          
Spyware:Cookie/Adserver                                                         Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@z1.adserver[1].txt                                                                                                                                                                                                    
Spyware:Cookie/QuestionMarket                                                   Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@questionmarket[1].txt                                                                                                                                                                                                 
Spyware:Cookie/Zedo                                                             Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@zedo[2].txt                                                                                                                                                                                                           
Spyware:Cookie/Mediaplex                                                        Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@mediaplex[1].txt                                                                                                                                                                                                      
Spyware:Cookie/WebtrendsLive                                                    Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@statse.webtrendslive[2].txt                                                                                                                                                                                           
Spyware:Cookie/Belnk                                                            Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@dist.belnk[2].txt                                                                                                                                                                                                     
Spyware:Cookie/2o7.net                                                          Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@2o7[2].txt

**POADB** · 02-25-2006, 03:05 AM

Please enable the viewing of hidden files, and delete the following files;

C:\WINNT\SYSTEM32\vx.tll
C:\Documents and Settings\uzo\Favorites\Online Dating.url
C:\Documents and Settings\uzo\Favorites\Online Gambling.url
C:\WINNT\msxmidi.exe
C:\WINDOWS\INF\payload.inf
C:\WINDOWS\INF\BI.INF
C:\WINDOWS\Downloaded Program Files\default.inf

Delete this folder:

C:\PROGRAM FILES\MediaLoads

Empty Yahoo's Quarantine folder:

C:\Program Files\Yahoo!\YPSR\Quarantine\

Clear your cookies:

Please download CleanUp! and install it. Do not run it yet!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click "Options..."
Set the slider to "Standard CleanUp!"
Uncheck the following:
- Delete Newsgroup cache
- Delete Newsgroup Subscriptions
- Scan local drives for temporary files
Click OK

Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep that are stored in these locations; Move Them Now!!!

Reboot and re run an online virus scan.
Rerutn with the results and a new hjt log.
Please describe any problems or symptoms you are now experieincing.

onstar · 02-25-2006, 11:56 AM

Thanks again for your help. I have followed the instructions. I can't find c:\windows\downloaded program files\default.inf to remove. The computer doesn't seem to be having any problems after I removed kaspersky virus scanner.

HTML Code:

Incident                                                                        Status                        Location                                                                                                                                                                                                                                                        

Spyware:spyware/smitfraud                                                       Not disinfected               Windows Registry                                                                                                                                                                                                                                                
Spyware:Cookie/Doubleclick                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@doubleclick[1].txt                                                                                                                                                                                                    
Spyware:Cookie/Advertising                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@advertising[1].txt                                                                                                                                                                                                    
Spyware:Cookie/Atlas DMT                                                        Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@atdmt[2].txt                                                                                                                                                                                                          
Spyware:Cookie/YieldManager                                                     Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@ad.yieldmanager[2].txt                                                                                                                                                                                                
Adware:Adware/RCSync                                                            Not disinfected               C:\WINDOWS\Downloaded Program Files\default.inf                                                                                                                                                                                                                 
Spyware:Cookie/Doubleclick                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@doubleclick[1].txt                                                                                                                                                                                                    
Spyware:Cookie/Advertising                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@advertising[1].txt                                                                                                                                                                                                    
Spyware:Cookie/Atlas DMT                                                        Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@atdmt[2].txt                                                                                                                                                                                                          
Spyware:Cookie/YieldManager                                                     Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@ad.yieldmanager[2].txt

HTML Code:

Logfile of HijackThis v1.99.1
Scan saved at 12:52:14 PM, on 2/25/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\pctspk.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\ShopSafe\ShopSafe.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\mysql\bin\winmysqladmin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\uzo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\WINNT\System32\BhoSSafe.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe  /dontopenmycards
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

**POADB** · 02-26-2006, 01:37 AM

Hi.

Go to Start > Run and type regsvr32 /u occache.dll

Now delete:

C:\WINDOWS\Downloaded Program Files\default.inf

Go to Start > Run and type: regsvr32 occache.dll

The new Panda results show signs of SmitFraud, a nasty infection, which you do NOT want finding it's way on to your system. Please do the following:

==== Downloads ====

Download smitRem.exe and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Download DelO15Domains.inf - Right click on this & choose "Save As..." DelO15Domains.inf

Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

====

REBOOT TO SAFE MODE

Restart the computer. The computer begins processing a set of instructions known as BIOS.
As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
Continue to do so until the 'Windows Advanced Options' menu appears.
Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.

********************************PREPAIRING********************************

Enable the viewing of Hidden files

From Windows Explorer, go to Tools>Folder Options>View tab.
Enable the option for `Show hidden files and folder´
Disable the option for `Hide file extensions for known types´
Disable the option for `Hide protected operating system files´
Click Yes to confirm & then click OK

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Re run panda also, please and post those results in your next post.

onstar · 02-26-2006, 01:15 PM

Poadb,

thanks again. You are really helpful. I have those files posted below.

HTML Code:

Incident                                                                        Status                        Location                                                                                                                                                                                                                                                        

Spyware:Cookie/Doubleclick                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@doubleclick[1].txt                                                                                                                                                                                                    
Spyware:Cookie/Casalemedia                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@casalemedia[1].txt                                                                                                                                                                                                    
Spyware:Cookie/Serving-sys                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@serving-sys[1].txt                                                                                                                                                                                                    
Spyware:Cookie/Atlas DMT                                                        Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@atdmt[2].txt                                                                                                                                                                                                          
Spyware:Cookie/Adrevolver                                                       Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@adrevolver[1].txt                                                                                                                                                                                                     
Spyware:Cookie/Adrevolver                                                       Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@adrevolver[2].txt                                                                                                                                                                                                     
Spyware:Cookie/Mediaplex                                                        Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@mediaplex[1].txt                                                                                                                                                                                                      
Spyware:Cookie/Adserver                                                         Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@z1.adserver[1].txt                                                                                                                                                                                                    
Spyware:Cookie/PointRoll                                                        Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@ads.pointroll[2].txt                                                                                                                                                                                                  
Spyware:Cookie/YieldManager                                                     Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@ad.yieldmanager[1].txt                                                                                                                                                                                                
Spyware:Cookie/Coremetrics                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@data.coremetrics[1].txt                                                                                                                                                                                               
Spyware:Cookie/RealMedia                                                        Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@realmedia[1].txt                                                                                                                                                                                                      
Spyware:Cookie/Traffic Marketplace                                              Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@trafficmp[2].txt                                                                                                                                                                                                      
Spyware:Cookie/Overture                                                         Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@overture[1].txt                                                                                                                                                                                                       
Spyware:Cookie/Apmebf                                                           Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@apmebf[1].txt                                                                                                                                                                                                         
Spyware:Cookie/360i                                                             Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@ct.360i[1].txt                                                                                                                                                                                                        
Spyware:Cookie/2o7.net                                                          Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@2o7[1].txt                                                                                                                                                                                                            
Spyware:Cookie/Advertising                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@advertising[2].txt                                                                                                                                                                                                    
Spyware:Cookie/Doubleclick                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@doubleclick[1].txt                                                                                                                                                                                                    
Spyware:Cookie/Casalemedia                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@casalemedia[1].txt                                                                                                                                                                                                    
Spyware:Cookie/Serving-sys                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@serving-sys[1].txt                                                                                                                                                                                                    
Spyware:Cookie/Atlas DMT                                                        Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@atdmt[2].txt                                                                                                                                                                                                          
Spyware:Cookie/Adrevolver                                                       Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@adrevolver[1].txt                                                                                                                                                                                                     
Spyware:Cookie/Adrevolver                                                       Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@adrevolver[2].txt                                                                                                                                                                                                     
Spyware:Cookie/Mediaplex                                                        Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@mediaplex[1].txt                                                                                                                                                                                                      
Spyware:Cookie/Adserver                                                         Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@z1.adserver[1].txt                                                                                                                                                                                                    
Spyware:Cookie/PointRoll                                                        Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@ads.pointroll[2].txt                                                                                                                                                                                                  
Spyware:Cookie/YieldManager                                                     Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@ad.yieldmanager[1].txt                                                                                                                                                                                                
Spyware:Cookie/Coremetrics                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@data.coremetrics[1].txt                                                                                                                                                                                               
Spyware:Cookie/RealMedia                                                        Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@realmedia[1].txt                                                                                                                                                                                                      
Spyware:Cookie/Traffic Marketplace                                              Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@trafficmp[2].txt                                                                                                                                                                                                      
Spyware:Cookie/Overture                                                         Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@overture[1].txt                                                                                                                                                                                                       
Spyware:Cookie/Apmebf                                                           Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@apmebf[1].txt                                                                                                                                                                                                         
Spyware:Cookie/360i                                                             Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@ct.360i[1].txt                                                                                                                                                                                                        
Spyware:Cookie/2o7.net                                                          Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@2o7[1].txt                                                                                                                                                                                                            
Spyware:Cookie/Advertising                                                      Not disinfected               C:\Documents and Settings\uzo\Cookies\uzo@advertising[2].txt

HTML Code:

smitRem log file
     version 2.5

     by noahdfear

The current date is: Sun 02/26/2006 
The current time is: 11:13:49.88

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Pre-run Files Present


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~


 ~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



   Post-run Files Present


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~



 ~~~ Miscellaneous Files/folders ~~~




 ~~~ Wininet.dll ~~~

 CLEAN! :)

**POADB** · 02-27-2006, 01:12 AM

Excellent.

You need to clear cookies regularly as they do build up. Don't allow the panda results to scare you. Cookies are only called 'Spyware' so they can remember if you clicked their advertisement banners or not...

Run Cleanup now.

FYI - If you have one of these, you will most likely have the other. Either way, here are some information on them:

BroadJump - Newer name for BroadJump Foundation Client (BJCFD) from BroadJump.com, now Motive. The software collects information on your Internet activity and sends it to your ISP so that your ISP can serve you advertisements related to the type of sites you visit.

Support.com - Spyware from SupportSoft provided to manufacturers, such as Sony (Vaio Support Agent) and Toshiba (Virtual Tech), and ISPs, such as Comcast, Cox and Charter (Pipeline Support Agent), that allows them to offer on-line support. This part ensures that software is installed correctly. Regarded as spyware as it has the ability to retrieve user information.

I would ask your ISP on how to remove it and why they installed it in the first place. Please do not uninstall the program, since it looks like it is required for your internet connection. This especially applies to those who use SBC as their ISP (Internet Service Provider). If they can't/won't resolve this problem for you, then it's time to switch to another provider that don't embed this spyware in their program. You will most likely also have BroadJump installed. The same situation applies here also. Try to find out how to remove it from your ISP. Don't uninstall it yourself.

Otherwise:

Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
- Tick on the checkbox - Turn off System Restore on all drives
- Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
DISABLE THE VIEWING OF SYSTEM FILES
From Windows Explorer, go to Tools>Folder Options> View tab.
- Untick - Show hidden files and folder
- Tick - Hide file extensions for known types
- Tick - Hide protected operating system files
Click Yes to confirm & then click OK
SECURING INTERNET EXPLORER
From within Internet Explorer click on the Tools menu and then click on Internet Options.
- Select the Security tab
  - Click once on the Internet icon so it becomes highlighted.
  - Select Custom Level .
    - Change 'Download signed ActiveX controls' to Prompt
    - Change 'Download unsigned ActiveX controls' to Disable
    - Change 'Initialize and script ActiveX controls not marked as safe' to Disable
    - Change 'Installation of desktop items' to Prompt
    - Change 'Launching programs and files in an IFRAME' to Prompt
    - Change 'Navigate sub-frames across different domains' to Prompt
    - When all these changes have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Select OK to exit the Internet Properties page.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
FIREWALL
Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
Microsoft Windows Update
Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here
IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
Google Toolbar - Get the free google toolbar to help stop pop up windows.
CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

onstar · 03-04-2006, 12:31 PM

Thanks to POADB and all techsupportforum people. My computer now works very smoothly. This thread can now be close.

Again, thank you very much for the help.

02-24-2006, 07:03 AM	#1 (permalink)
onstar Registered User Join Date: Sep 2005 Posts: 18 OS: WIN 2000	Computer running very very slow Hi, I was advised to post a hijackthis log here. I run win 2000, pentium 4, DSL. I still have lots of space in the PC. My computer started running slowly to the point it takes up to 5 minutes to open up a notepad. It doesn't connect to the internet anymore. I have used ad-aware se, kaspersky, ewido, and cleanup. Kaspersky was able to find and delete 5 viruses. Since then, no more virus or anything could be seen, yet there is no improvement. I was able to run my computer in safe mode and obtained this log below: Logfile of HijackThis v1.99.1 Scan saved at 6:34:41 PM, on 2/21/2006 Platform: Windows 2000 SP2 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\Explorer.EXE C:\Documents and Settings\uzo\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1;<local> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\WINNT\System32\BhoSSafe.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe /dontopenmycards O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kav.exe" /minimize O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbi...3/mcinsctl.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37380.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbi...20/McGDMgr.cab O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kavsvc.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe Mods note: Please do not wrap logs in any sort of code tags. It makes the log more difficult to read. Last edited by tetonbob; 02-24-2006 at 08:41 AM. Reason: removed html tags

02-24-2006, 11:13 AM	#2 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,481 OS: XP SP2	Can you access Normal Mode? If so, any future HJT logs MUST come from Normal Mode. HJT fixes are performed in Safe Mode. You are running multiple AntiVirus programs. I understand you're urgency and persistence to clean your machine, but keeping mutiple AV's installed has undesired effects on a computer. Please choose one. Download & RUN WinsockFix.zip - Unzip & Run - This should enable you to get online again. Perform an online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Check Now** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Enter your e-mail address, country, and state & click Scan Now* ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and wants you to buy the program for removal as we will address this later. Click on see report. Then click Save report Please post that log in your next reply. __________________

02-25-2006, 03:05 AM	#4 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,481 OS: XP SP2	Please enable the viewing of hidden files, and delete the following files; C:\WINNT\SYSTEM32\vx.tll C:\Documents and Settings\uzo\Favorites\Online Dating.url C:\Documents and Settings\uzo\Favorites\Online Gambling.url C:\WINNT\msxmidi.exe C:\WINDOWS\INF\payload.inf C:\WINDOWS\INF\BI.INF C:\WINDOWS\Downloaded Program Files\default.inf Delete this folder: C:\PROGRAM FILES\MediaLoads Empty Yahoo's Quarantine folder: C:\Program Files\Yahoo!\YPSR\Quarantine\ Clear your cookies: Please download CleanUp! and install it. Do not run it yet! Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Set the slider to "Standard CleanUp!" Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files Click OK Press the CleanUp! button to start the program. Reboot/logoff when prompted. WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep that are stored in these locations; Move Them Now!!! Reboot and re run an online virus scan. Rerutn with the results and a new hjt log. Please describe any problems or symptoms you are now experieincing. __________________

02-26-2006, 01:37 AM	#6 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,481 OS: XP SP2	Hi. Go to Start > Run and type regsvr32 /u occache.dll Now delete: C:\WINDOWS\Downloaded Program Files\default.inf Go to Start > Run and type: regsvr32 occache.dll The new Panda results show signs of SmitFraud, a nasty infection, which you do NOT want finding it's way on to your system. Please do the following: ==== Downloads ==== Download smitRem.exe and save the file to your desktop. Right click on the file and extract it to it's own folder on the desktop. Download DelO15Domains.inf - Right click on this & choose "Save As..." DelO15Domains.inf Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards. ==== REBOOT TO SAFE MODE Restart the computer. The computer begins processing a set of instructions known as BIOS. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the 'Windows Advanced Options' menu appears. Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode. ******************************PREPAIRING**************************** Enable the viewing of Hidden files From Windows Explorer, go to Tools>Folder Options>View tab. Enable the option for `Show hidden files and folder´ Disable the option for `Hide file extensions for known types´ Disable the option for `Hide protected operating system files´ Click Yes to confirm & then click OK Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt** in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply. Re run panda also, please and post those results in your next post. __________________

02-27-2006, 01:12 AM	#8 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,481 OS: XP SP2	Excellent. You need to clear cookies regularly as they do build up. Don't allow the panda results to scare you. Cookies are only called 'Spyware' so they can remember if you clicked their advertisement banners or not... Run Cleanup now. FYI - If you have one of these, you will most likely have the other. Either way, here are some information on them: BroadJump - Newer name for BroadJump Foundation Client (BJCFD) from BroadJump.com, now Motive. The software collects information on your Internet activity and sends it to your ISP so that your ISP can serve you advertisements related to the type of sites you visit. Support.com - Spyware from SupportSoft provided to manufacturers, such as Sony (Vaio Support Agent) and Toshiba (Virtual Tech), and ISPs, such as Comcast, Cox and Charter (Pipeline Support Agent), that allows them to offer on-line support. This part ensures that software is installed correctly. Regarded as spyware as it has the ability to retrieve user information. I would ask your ISP on how to remove it and why they installed it in the first place. Please do not uninstall the program, since it looks like it is required for your internet connection. This especially applies to those who use SBC as their ISP (Internet Service Provider). If they can't/won't resolve this problem for you, then it's time to switch to another provider that don't embed this spyware in their program. You will most likely also have BroadJump installed. The same situation applies here also. Try to find out how to remove it from your ISP. Don't uninstall it yourself. Otherwise: Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure: CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder) Go to Start >> Run - type control sysdm.cpl,,4 & press Enter Tick on the checkbox - Turn off System Restore on all drives Click Apply Turn it back 'On' by unticking the same checkbox & click OK DISABLE THE VIEWING OF SYSTEM FILES From Windows Explorer, go to Tools>Folder Options> View tab. Untick - Show hidden files and folder Tick - Hide file extensions for known types Tick - Hide protected operating system files Click Yes to confirm & then click OK SECURING INTERNET EXPLORER From within Internet Explorer click on the Tools menu and then click on Internet Options. Select the Security tab Click once on the Internet icon so it becomes highlighted. Select Custom Level . Change 'Download signed ActiveX controls' to Prompt Change 'Download unsigned ActiveX controls' to Disable Change 'Initialize and script ActiveX controls not marked as safe' to Disable Change 'Installation of desktop items' to Prompt Change 'Launching programs and files in an IFRAME' to Prompt Change 'Navigate sub-frames across different domains' to Prompt When all these changes have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Select OK to exit the Internet Properties page. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. FIREWALL Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here. Microsoft Windows Update Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here SPYWAREBLASTER SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites. Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here IE-SPYAD IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. Google Toolbar - Get the free google toolbar to help stop pop up windows. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein After doing all these, your system will be optimised against future threats. It's okay to delete the Hijack This folder in a couple weeks if everything is working okay. Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________

03-04-2006, 12:31 PM	#9 (permalink)
onstar Registered User Join Date: Sep 2005 Posts: 18 OS: WIN 2000	Thanks a lot Thanks to POADB and all techsupportforum people. My computer now works very smoothly. This thread can now be close. Again, thank you very much for the help.