Tech Support Forum banner
Cancel

Help! Desktop/Explorer and System tray are gone

Jump to Latest Follow
Status
Not open for further replies.
1 - 8 of 8 Posts
M

· Registered
Joined
·
4 Posts
Discussion Starter · #1 ·
a few days ago I lost my desktop and system tray. It seems that explorer.exe won't start (or it does for a split second, then goes away, comes on for a split second, goes away..._. By using the Task Manager I've been able to get to teh web and look for solutions, which led me here. I found this trhread http://www.techsupportforum.com/computer/topic/62073-1.html and did my best to follow it. I now have a hijackthis log, but don't know what to do with it. If someone could look it over, tell me what it tells them and what I might be able to do to get my system back to normal, I would HUGELY appreciate it.

Logfile of HijackThis v1.99.1
Scan saved at 8:06:41 AM, on 8/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\sesinetd.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\hserver.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Aveo\Attune\Bitmap\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\bwbqelxx.slt\prefs.js)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\system32\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /runonce
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: PlexTools Professional.lnk = C:\Program Files\Plextor\PlexTool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: P&&PDIE - {1A1FA8E3-8462-4D1D-BD4C-E5DE5AA73D40} - C:\Program Files\Pop up Blocker Pro\pdie.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} -
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_cracks.cab
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\System32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\System32\hserver.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\Barbaras\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 
MicroBell

· TSF Security Team, Emeritus
Joined
·
6,969 Posts
#2 · (Edited)
Hi and Welcome to TSF

Please DISABLE spybot's teatimer and LEAVE IT OFF until this fix is complete!

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

Open My Computer-->Tools-->Folder Options-->View-->Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files and click YES and then OK..

Please go to at least two of these sites and run an online Virus Scan.
Be sure to have the AutoFix box(es) checked.

http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
http://www3.ca.com/virusinfo/virusscan.aspx

Download and install CleanUp! but do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

RIGHT-CLICK HERE and go to Save As (in IE it's "Save Target As") in order to download the smitfraud reg to your desktop.

Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES.


Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remopve the following IF listed.

YourSiteBar
SurfAccuracy
InstaFind
180 Solutions
Aveo\Attune

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Aveo\Attune\Bitmap\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
O16 - DPF: {10003000-1000-0000-1000-000000000000} -
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...iTunesSetup.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_cracks.cab


Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directory’s ect enabled if it apply’s to your OS)


C:\WINDOWS\ceres.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\Parallel Tasking\ptask.exe
C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
C:\Program Files\Aveo\Attune\Bitmap\blank.htm
abu.exe <-locate and delete that file.


Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted

Once back to normal windows...

Please run an online scan at http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Once it has finished save the activescan log. Then post that log in your next post along with the following logs...

Download Silent runners.Vbs http://www.silentrunners.org/
1. Make sure you have any script blocking software disabled
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named “StartupPrograms” with Your user and date in the filename. Open that txt file and posts it contents in your next post.


So I need....

Hijackthis log
Ewido Log
Panda log
Silentrunners log
 
Save Share
M

· Registered
Joined
·
4 Posts
Discussion Starter · #3 ·
finally got what i could get...

Wow MicroBell, thank you! I didn't know if I would make it through all that stuff. It took me a couple of days, and I'm not sure I did it all correctly, but I'll post what I can with my fingers crossed that you can continue to help me.

Before I post the logs, I should point out a few things. First, as of right now having just finished everything, I have a desktop and system tray! BUT... I don't feel confident it'll last. During this process, it's come up a few times, but then disappeared again.

Next point: In following your steps, when I go tto the point of running ewido, I did not do it in safe mode. I was in safe mode initially, pulled it up, but I couldn't read the GUI to know where to click. So I rebooted into normal mode and then ran it (not sure if that matters or not).

Next: When running CleanUp!, I couldn't click on "Delete Prefetch files" because it was greyed out.

Next: When I ran Silent runners, I got an error that said WScript.exe - Unable to locate DLL. I went back and removed my virus protection software that I thought may be interfering, ran it again, and got the same error (in the error box there were a bunch of paths, I think...) ANyway, once I clicked OK on that, I got another error saying
"Windows Script Host"
Script: C:HijackThis\SilentRunners.vbs
Line: 84
Char: 13
Error: could not create object named "WScript.shell"
Code: 80040111
Source: WScript Create Object​

So... I don't have a Silentrunners log to post. I'll post what I do have and keep my fingers crossed.

Thank you so much, in advance, for any further help you can offer!

Logfile of HijackThis v1.99.1
Scan saved at 8:02:07 PM, on 8/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Aveo\Attune\Bitmap\blank.htm
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\bwbqelxx.slt\prefs.js)
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\system32\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /runonce
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: PlexTools Professional.lnk = C:\Program Files\Plextor\PlexTool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: P&&PDIE - {1A1FA8E3-8462-4D1D-BD4C-E5DE5AA73D40} - C:\Program Files\Pop up Blocker Pro\pdie.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\System32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\System32\hserver.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\Barbaras\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


ewido log


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:38:17 AM, 8/17/2005
+ Report-Checksum: CE1020F1

+ Scan result:

C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\uninstall.exe -> Spyware.SurfAccuracy : Cleaned with backup
C:\Documents and Settings\Barbara\Cookies\[email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Barbara\Cookies\[email protected][1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\default\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\default\Cookies\[email protected][2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\default\Cookies\[email protected][2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\default\Cookies\[email protected][2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\default\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\default\Cookies\[email protected][1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\[email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\[email protected][1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Program Files\Juno\bin\getjuno.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Program Files\Kazaa\TopSearch.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\Need2Find -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History\search -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Settings -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Settings\settings.dat -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Settings\settings.dat.bak -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Settings\settings.htm -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Settings\settings.htm.bak -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\PerfectNav\BHO\Tipb.exe -> TrojanDownloader.Keenval.e : Cleaned with backup
C:\RECYCLER\S-1-5-21-484763869-1343024091-854245398-500\Dc251.exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\RECYCLER\S-1-5-21-484763869-1343024091-854245398-500\Dc262.exe -> Spyware.Abu : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll -> TrojanDownloader.WebP2PInstaller : Cleaned with backup
C:\WINDOWS\SYSTEM32\about_blank_uninstall.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\chktrust.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\P2P Networking\MARSHAL.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\SYSTEM32\P2P Networking\P2P Networking.exe -> Spyware.P2PNetworking : Cleaned with backup
E:\My Shared Folder\From the C drive\AliasWavefront Maya4 Final.zip/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/BDEINSTA/BDEDATA2.CAB/BDEData2.dll -> Adware.BrilliantDigital : Cleaned with backup
E:\My Shared Folder\From the C drive\AliasWavefront Maya4 Final.zip/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/BDEINSTA/BDEINSTA.CAB/bdedata2.dll -> Adware.BrilliantDigital : Cleaned with backup
E:\My Shared Folder\From the C drive\AliasWavefront Maya4 Final.zip/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/bdeplayer/BDELOAD.CAB/bdeload.dll -> Adware.BrilliantDigital : Cleaned with backup
E:\My Shared Folder\From the C drive\AliasWavefront Maya4 Final.zip/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/bdeviewer/bdeviewer.cab/BDEViewer.exe -> Adware.BrilliantDigital : Cleaned with backup
E:\My Shared Folder\From the C drive\AliasWavefront Maya4 Final.exe/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/BDEINSTA/BDEDATA2.CAB/BDEData2.dll -> Adware.BrilliantDigital : Cleaned with backup
E:\My Shared Folder\From the C drive\AliasWavefront Maya4 Final.exe/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/BDEINSTA/BDEINSTA.CAB/bdedata2.dll -> Adware.BrilliantDigital : Cleaned with backup
E:\My Shared Folder\From the C drive\AliasWavefront Maya4 Final.exe/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/bdeplayer/BDELOAD.CAB/bdeload.dll -> Adware.BrilliantDigital : Cleaned with backup
E:\My Shared Folder\From the C drive\AliasWavefront Maya4 Final.exe/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/bdeviewer/bdeviewer.cab/BDEViewer.exe -> Adware.BrilliantDigital : Cleaned with backup
E:\My Shared Folder\From the C drive\Microsoft Publisher 2002 Crack.exe -> Dialer.Generic : Cleaned with backup


::Report End


PANDA LOG


Incident Status Location

Adware:Adware/KeenValue No disinfected C:\Program Files\Kazaa\PerfectNavUninstall.exe
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\LimeShop1.exe
Virus:Trj/Norvo.A Disinfected C:\Program Files\Norton Antivirus\online\p.exe
Adware:Adware/KeenValue No disinfected C:\Program Files\PerfectNav\BHO\Setup.exe
Adware:adware/ipinsight No disinfected C:\WINDOWS\alchem.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\satmat.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\satmat.ini
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\SYSTEM32\P2P Networking v126.cpl
Adware:adware/pacimedia No disinfected C:\WINDOWS\SYSTEM32\ps1.exe
 
MicroBell

· TSF Security Team, Emeritus
Joined
·
6,969 Posts
#4 ·
Well done. On to round 2......

Download KillBox http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Reboot into safe mode.....

Run hijackthis and fix these entrys...

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Aveo\Attune\Bitmap\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - Startup: PowerReg Scheduler.exe

Run Ewido again and let it clean the PC. (Do it again in Normal mode if safe mode is not an option)

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
C:\Program Files\Parallel Tasking\ptask.exe
C:\Program Files\PerfectNav\BHO\Setup.exe
C:\WINDOWS\alchem.ini
C:\WINDOWS\inf\alchem.inf
C:\WINDOWS\inf\satmat.inf
C:\WINDOWS\satmat.ini
C:\WINDOWS\SYSTEM32\P2P Networking v126.cpl
C:\WINDOWS\SYSTEM32\ps1.exe
C:\????? abu.exe ????= You need to locate this files directory and put it in there. If it's C:\Windows\system32\abu.exe then put that there...ect

Once back to normal windows...run another Panda scan and post it's log along with a new hijackthis log and the logs from the following tools...

Download WinPFInd http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.!


Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode.

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

So I need the following tool logs..

WinPFind.txt log
Track qoo.vbs log
Panda scan log
Hijackthis log
 
Save Share
M

· Registered
Joined
·
4 Posts
Discussion Starter · #5 ·
not able to complete all requests...

Once again, thank you for your help and getting me this far. I have my desktop back and my stystem seems to be working OK, but I would still like to complete the tasks you've given me to really clean it up. I've done what I could, but haven't been able to do it all. Here's what has happened:

After running HijackThis again, I fixed what you told me to, though not everything that was on your list showed up for me. Those that did, I fixed.

Next: After downloading WinPFind and trying to run it, I got an error that said "File Not Found". I thought perhaps is was still running regardless after I clicked OK on the error message and then on "Start Scan", but after waiting well over an hour, I got the feeling nothing was happening. I checked the task Manager and while WinPFind was running, it was utilizing 00 of the CPU, so I assumed it wasn't really doing anything for me and I moved on.

Next: I tried running the "Track qoo.vbs" but got the follwoing error message:
Windows Script Host
Script: C:\HijackThis\Track qoo.vbs
Line: 5
Char: 1
Error: Could not create object named "Scripting.FilesystemObject."
Code: 800700E
Source: WScript.Create Object​

So below I'll paste my most recent Panda scan log and HijackThis log and hope the failures of the other two aren't too detrimental to resolving whatever is going on.

Thanks again! :grin:


Incident Status Location

Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\alchem.inf
Adware:adware/myway No disinfected C:\PROGRAM FILES\MyWay
Adware:adware/keenvalue No disinfected C:\PROGRAM FILES\PerfectNav
Adware:adware/p2pnetworking No disinfected C:\WINDOWS\SYSTEM32\P2P Networking
Spyware:spyware/cydoor No disinfected C:\WINDOWS\cdmxtras
Adware:adware/savenow No disinfected Windows Registry
Adware:Adware/KeenValue No disinfected C:\Program Files\Kazaa\PerfectNavUninstall.exe
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\LimeShop1.exe
Adware:Adware/KeenValue No disinfected C:\RECYCLER\NPROTECT\00137348.DLL
Virus:Trj/Downloader.gen Disinfected C:\RECYCLER\NPROTECT\00137356.exe
Virus:Trj/Norvo.A Disinfected C:\RECYCLER\NPROTECT\00138517.EXE
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
**********************************

Logfile of HijackThis v1.99.1
Scan saved at 11:12:23 AM, on 8/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\bwbqelxx.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: PlexTools Professional.lnk = C:\Program Files\Plextor\PlexTool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: P&&PDIE - {1A1FA8E3-8462-4D1D-BD4C-E5DE5AA73D40} - C:\Program Files\Pop up Blocker Pro\pdie.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\System32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\System32\hserver.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\Barbaras\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 
G

· Premium Member
Joined
·
14,317 Posts
#6 ·
Make sure that WinPFind was ran in Safe Mode. Try again to see if it works.

Trackqoo should be run in Normal Mode. For that error message, see if this will fix it. Download this file and unzip it. Run that .bat file and see if you can run Trackqoo now.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Download KazaaBegone http://www.greyknight17.com/spy/KazaaBegone.zip. This uninstaller will remove all elements from all Kazaa versions, as well as all of the bundled software that comes with it. Warning: This version has a bug that can cause your Internet connection to be broken when removing New.Net, WebHancer or CommonName. Before using KazaaBegone, download WinsockFix http://www.greyknight17.com/spy/WinsockFix.zip just in case you need it (if it breaks your internet connection, run it).

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe

Locate and delete the following:

C:\WINDOWS\INF\alchem.inf
C:\PROGRAM FILES\MyWay
C:\PROGRAM FILES\PerfectNav
C:\WINDOWS\SYSTEM32\P2P Networking
C:\Program Files\Kazaa\
C:\Program Files\LimeShop\
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\

Restart your computer and post the Ewido log and a new HijackThis log.
 
Save Share
M

· Registered
Joined
·
4 Posts
Discussion Starter · #7 ·
a couple questions befor I continue

Hi Greynight17,

Thanks for the tips. I did initially try running WinPFind in safe mode and got the error I mentioned. I then thought I would try it in normal mode and get the exact same thing.

Track qoo was run in normal mode (and did not work for me). For that error I see the file you suggest I download to see if it will resolve it seems to be for XP; I am running Windows 2000 Pro. Will that make any difference? I just thought I would ask before continuing.

Thanks so much for your help.
 
G

· Premium Member
Joined
·
14,317 Posts
#8 ·
OK, try to do all the fixes first and then restart. Download a new copy of WinPFind and try running that again in Safe Mode. Then restart and run Trackqoo (run the .bat file if necessary) to see if that will make it work.
 
Save Share
1 - 8 of 8 Posts
Status
Not open for further replies.
About this Discussion
7 Replies
3 Participants
Last post:
greyknight17
Tech Support Forum
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Windows XP Support Windows 7 , Windows Vista Support Motherboards, Bios|UEFI & CPU Networking Support Laptop Support
Top