Solved

Ads234 hijacked my browser, and Sandboxer won't go away.

Posted on 2004-09-18
409 Views
Last Modified: 2013-12-04
Hello,

1.) I am having a problem with ads234, my browser has been hijacked.  2.) I also cannot seem to get rid of Sandboxer, I delete the 14 digit key that starts with a number in my registry, it's ok for a couple of weeks then comes back.  Can somebody help, I am using Windows 2000, networked via wireless.  Thanks.
Question by:AndreaHaley
46 Comments
 
LVL 36

Expert Comment

by:Zyloch
Hi AndreaHaley,

1) Check this page: http://www.angelfire.com/un/midaddle/index.html

2) For Sandboxer, try Manual Removal at bottom of http://www.pestpatrol.com/PestInfo/s/sandboxer.asp

Regards,
Zyloch
0
 
LVL 20

Expert Comment

by:Debsyl99
Hi Andrea,

First check for trojans/viruses and remove them: (Courtesy of Sunray 2003 PAQ which I just lost the link to)

online virus scanner:
---------------------

http://housecall.trendmicro.com/

http://security.symantec.com/

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

http://www.pcpitstop.com/antivirus/default.asp

DOS based : http://www.f-prot.com/download/download_fpdos.html

There are also numerous spyware/adware removal programs available: always make sure you update them first before running them.

What is spyware: http://www.spychecker.com/spyware.html

SpyBot-S&D: http://www.webattack.com/download/dlspybot.shtml

Ad-aware: http://www.webattack.com/download/dladaware.shtml

Trojan Remover: http://www.simplysup.com/

KL-Detector: http://www.webattack.com/download/dlkldetector.shtml

X-Cleaner Free: http://www.webattack.com/download/dlxcleaner.shtml

SpywareBlaster: http://www.webattack.com/download/dlspywareblaster.shtml

SpywareGuard: http://www.webattack.com/download/dlspywareguard.shtml

SpySites: http://www.webattack.com/download/dlspysites.shtml

Keylogger Hunter: http://www.webattack.com/download/dlklhunter.shtml

Spycop: http://www.spycop.com/

BHODemon: http://www.spywareinfo.com/downloads/bhod/

Browser Hijack Blaster: http://www.wilderssecurity.net/bhblaster.html

Goodbye Spy: http://www.topshareware.com/GoodBye-Spy-download-2012.htm

Other spyware removal instructions: http://www.pchell.com/support/click2findnow.shtml

I noticed that you posted your HijackThis log earlier. Experts Exchange now recommends that we suggest you do the following with these logs:

First make sure that you use the most recent version of HijackThis:
HijackThis 1.98.2
http://www.majorgeeks.com/download3155.html
Download it, run it, save your log file.

Then use the following site to analyse and remove any "nasty" entries by pasting your saved logfile into it - I noted from your previous post that you DID have some nasties there:
HijackThis log file analysis
http://www.hijackthis.de/index.php?langselect=english

P.S. don't worry about not getting EE rules first time round - most of us didn't ;-)

Post back if that little lot didn't help,

Deb :))

0
 
LVL 20

Expert Comment

by:Debsyl99
Oh and if you're running Windows xp or Me, make sure that you disable your system restore prior to attempting removal (otherwise you'll just restore the problems too)
0
 
LVL 12

Expert Comment

by:rossfingal
Hi!  AndreaHaley

Just to start things out - you have a Peper Trojan on your system.
Do the following to remove it -
Download and run these:
Download Newuninst.exe - Download from:   http://downloads.subratam.org/Newuninst.exe
Run it and make sure you have an active internet connection.
Reboot and run the tool once again (again with an active internet connection).

Download PeperFix.exe - Download from:   http://downloads.sbratam.org/PeperFix.exe
Start
Run it and click Find and Fix.
Reboot into "Safe" mode and run the tool a second time to make certain it's done its job.
Reboot into "Normal" mode when finished and post a new HijackThis log here
(I have a copy of your HijackThis logfile that you posted in another members thread)
Good luck!
RF
0
 
LVL 12

Expert Comment

by:rossfingal
Sorry, that second link should be:
http://downloads.subratam.org/PeperFix.exe
Oops! :)
RF
0
 

Author Comment

by:AndreaHaley
Hi rossfingal, (and everyone)

Based upon all your comments, I'm a mess!  Thanks for your efforts everyone!  I performed what appeared to be the easiest task above: the fix for my Peper Trojan.  Here is my log from after I ran Newuninst.exe twice, PeperFix twice, and then downloaded the Latest & Greatest HijackThis.

Here goes nothin:

Logfile of HijackThis v1.98.2
Scan saved at 9:19:04 PM, on 09/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\FergusonVPN\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\WinDates\WinDates.exe
D:\Trash\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://usa.autodesk.com/adsk/servlet/home?siteID=123112&id=129446
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [InstallRA] C:\PROGRA~1\FEI\RemoteAccessInstall\InstallRA.exe
O4 - HKLM\..\Run: [Configuration Loader] iexplore.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [q1HVT6k.exe] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [vmwX3k0z.exe] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV.exe] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [pZn0E68IS.exe] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v.exe] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [vmwX3k0z] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [q1HVT6k] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [pZn0E68IS] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe -a
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [hwv8RUfmO] secdtect.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra button: ComcastHSI - {124F45C6-861B-47CD-A822-D766958768B6} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {6930DB25-CD27-4DF7-A0C0-B4288CEF4575} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {8DAA8434-3152-4804-9458-22993FC61471} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sygate
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = sygate
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sygate
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll

Whatdya think?

Andrea

0
 
LVL 20

Expert Comment

by:Debsyl99
Hi
The current EE suggestion as I posted earlier is to paste your HJT log into the site below for analysis - this also helps prevent this site from becoming overloaded with logs,
http://www.hijackthis.de/index.php?langselect=english

Having had a look at your log I suggest you fix the following, unless you know for a fact the entries relate to programs etc that you installed yourself,

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\ProgramFiles\SEP\sep.dll (file m
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Lo
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (fi
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\WinDates\WinDates.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404S
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file m
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Lo
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (fi
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [Configuration Loader] iexplore.exe
O4 - HKLM\..\Run: [q1HVT6k.exe] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [vmwX3k0z.exe] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV.exe] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [pZn0E68IS.exe] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v.exe] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [vmwX3k0z] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [q1HVT6k] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [pZn0E68IS] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - HKCU\..\Run: [hwv8RUfmO] secdtect.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\coupons
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (fi
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\m
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_A
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll


Potentially fix these - Are you using sygate at all?
O4 - HKLM\..\Run: [InstallRA] C:\PROGRA~1\FEI\RemoteAccessInstall\InstallRA.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sygate
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = sygate
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sygate

I still strongly suggest that you use the virus scans posted earlier, as it's possible that unless you remove the source of the problem, the symptoms will just keep coming back,

Deb :))


0
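As an added example (not code from the thread, from HijackThis, or from any of the posters), the Python below turns the triage rules Deb applied to the log above into parsing heuristics: autoruns launched from a user's Temp folder, random-looking autorun names, BHOs/toolbars whose DLL is missing, ActiveX (O16) downloads from hosts outside an assumed allowlist, and any SSODL entry. The `TRUSTED_DPF_HOSTS` list and the sample log excerpt are constructed assumptions built from lines posted in this thread.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example for this thread; not code from HijackThis or from the
posters.  The sample log excerpt below is constructed from the lines
posted in the thread, and the trusted-host list is an assumption.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed analyst allowlist for O16 (ActiveX download) hosts.  The thread's
# HouseCall scan control was served from the akamai host, so it is included.
TRUSTED_DPF_HOSTS = {"housecall.trendmicro.com", "a840.g.akamai.net"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
# O4 autorun: HKLM\..\Run: [value name] command
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 BHO / O3 toolbar: BHO: name - {CLSID} - path
O2_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\S+) - (?P<path>.*)$")
# O16 ActiveX download: DPF: {CLSID} (optional label) - url
O16_RE = re.compile(r"^DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
TEMP_RE = re.compile(r"\\local settings\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def looks_random(name: str) -> bool:
    """True for generated-looking names such as q1HVT6k or w74U38T: a single
    token of 5+ chars mixing digits, upper- and lower-case letters."""
    stem = name.rsplit(".", 1)[0].strip()
    return (len(stem) >= 5 and " " not in stem
            and any(c.isdigit() for c in stem)
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def triage_line(line: str):
    """Return a Finding for a suspicious HJT line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")

    if sec in ("R0", "R1") and "=" in rest:
        value = rest.split("=", 1)[1].strip()
        if value.lower().startswith("file://"):
            return Finding(sec, "IE start/search setting points at a local file", line)

    elif sec in ("O2", "O3"):
        o2 = O2_RE.match(rest)
        if o2 and TEMP_RE.search(o2.group("path")):
            return Finding(sec, "BHO/toolbar DLL registered from a Temp folder", line)
        if o2 and ("(file missing)" in o2.group("path") or o2.group("path") == "(no file)"):
            return Finding(sec, "BHO/toolbar registered but its DLL is missing (orphan entry)", line)

    elif sec == "O4":
        o4 = O4_RE.match(rest)
        if o4:
            key, name, cmd = o4.group("key"), o4.group("name"), o4.group("cmd")
            exe = (cmd.split() or [""])[0]
            if TEMP_RE.search(cmd):
                return Finding(sec, "autorun launches from a user's Temp folder", line)
            if looks_random(name) or ("\\" not in cmd and looks_random(exe)):
                return Finding(sec, "random-looking autorun name", line)
            if key == "RunServices":
                return Finding(sec, "RunServices is a Windows 9x/Me key; on Windows 2000 an entry here merits review", line)

    elif sec == "O16":
        o16 = O16_RE.match(rest)
        if o16:
            url = o16.group("url")
            host = urlparse(url).hostname or ""
            if url.lower().startswith("http") and host not in TRUSTED_DPF_HOSTS:
                return Finding(sec, f"ActiveX control downloaded from unreviewed host {host}", line)

    elif sec == "O21":
        return Finding(sec, "Shell Service Object (SSODL) entry; rarely legitimate, review the DLL", line)

    return None


def triage_log(text: str) -> list:
    """Run triage_line over every line of a log and keep the findings in order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


# Constructed excerpt of the log posted in the thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [q1HVT6k] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

The heuristics are deliberately conservative: entries such as `[Configuration Loader] iexplore.exe`, which Deb caught by eye, still need a human reading the value name against the command.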
 

Author Comment

by:AndreaHaley
Hi Deb,

What exactly do you mean by Potentially fix these?  Find them in the registry and delete them?
I will tell you that my husband does not use either of these programs anymore, FEI or Sygate.

I am running one of these scanners now, but another problem has occurred.  I now can no longer use my Internet Explorer at all on my login.  I simply created a new one to get back to this dialog, but I am afraid of losing all of my settings now.

My Norton just popped up and found this:

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Trojan.ByteVerify
File:  C:\Documents and Settings\Andrea2\Local Settings\Temp\V7M43Ma01552
Location:  Quarantine
Computer:  ANDREAW2K
User:  Andrea2
Action taken:  Clean failed : Quarantine succeeded : Access denied
Date found: Sat Sep 18 22:39:25 2004

Popped up again with this:

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Trojan.ByteVerify
File:  C:\Documents and Settings\Andrea2\Local Settings\Temp\V7M43Ma01552
Location:  Quarantine
Computer:  ANDREAW2K
User:  Andrea2
Action taken:  Clean failed : Quarantine succeeded : Access denied
Date found: Sat Sep 18 22:43:53 2004

AAAGGHHH!!!

Help!......Andrea
0
 
LVL 20

Expert Comment

by:Debsyl99
Hi

Restart in safe mode and then delete ALL the contents of these folders (don't delete the folders - just what's in them) - should have asked you to do that anyway, but it needed a scan, or alternatively scan it again from safe mode - at least these have been quarantined so you can delete them from the quarantine on the antivirus.
C:\Documents and Settings\Andrea2\Local Settings\Temp\
C:\documents and settings\andrea\local settings\temp\
C:\Documents and Settings\Paige\Local Settings\Temp

Search for and delete the following again in safe mode:
Web Offer Folder and contents
C:\WINNT\system32\mssaru.dll
vmmreg32.exe

Potentially fix these meant fix them with hijackthis if you don't recognise them,

Deb :))

0
 

Author Comment

by:AndreaHaley
Hi Deb,

Starting fresh this morning:  I went into safe mode and deleted all of the files (AND FOLDERS) in
C:\Documents and Settings\Andrea2\Local Settings\Temp\
C:\documents and settings\andrea\local settings\temp\
C:\Documents and Settings\Paige\Local Settings\Temp

I did not delete these items to the two other users on my machine, my husband and my son, should I have?

I Deleted "Web Content" folder, and went ahead and deleted, "Hotbar", "WhenuSearch" and "Memorywatcher", too.

Deleted mssaru.dll, but could not locate vmmreg32.exe

I set up a new user for myself, Andrea2, last night cuz my Internet Explorer does not work in my old login. Is there anything I can do to clean up (delete the old login once everything is switched over: my e-mail, addresses & mail, custom toolbars in AutoCAD, etc.)?

Thanks for your help, we are already running much faster, and no ads234 anymore.  Thanks.

Andrea


0
 

Author Comment

by:AndreaHaley
Hi Deb,

Upon re-reading your meticulous instructions, I realized I probably should not have deleted the folders nested below my Temp folder for each login.  I left my C:\~\temp intact, but there were folders below that; I deleted all files and sub-folders below my Temp directory.  Everything seems to be ok. Should I have left the folders, and just deleted their contents?

Thanks, Andrea
0
 
LVL 36

Expert Comment

by:Zyloch
Shouldn't matter. It's a %TEMP% folder anyways :)
0
 
LVL 20

Expert Comment

by:Debsyl99
Hi Andrea

Sorry - was offline yesterday - No it shouldn't matter - temp folders are just that - folders for holding temp files. It's good practice to empty them on a regular basis. Make sure that you empty all the temp folders under each user's directory too. Is the pc clear of pop-ups after reboot? If so then your problem should be resolved for now. I would suggest that you get a decent virus protection software (Just in case you have it - Symantec/Norton just isn't cutting it at the moment - it missed 9 trojans on my system the other week, and I've encountered others using it who have had severe problems due to what it's missed - Trend Internet Security is pretty good - anyway I digress..)

So onto your profile which needs fixing. Is it only internet explorer that isn't working?

Deb :))
0
 

Author Comment

by:AndreaHaley
Hi Deb,

I have Symantec Corporate edition, which I download monthly on each machine.  It was a requirement when my husband was using that FEI software (That I cleaned using hijackthis, by the way)

I will look into Trend Internet Security, thanks for the tip.  

Pop-ups are virtually gone, ads234 is gone and sandboxer has gone away for the moment. Yes, in my old login, Internet Explorer was the only program that gave me an error, it created an error log, which I could not make sense out of.  This has happened once before in my son's login, the fix was to create a new login.  I'd like to have a solution, in case it happens again.  Otherwise I am pretty happy!  You have been great, precise, meticulous, etc!!

Thank you, Thank you.

Andrea

0
 
LVL 20

Expert Comment

by:Debsyl99
I'm glad to help :))
So you still have some pop-ups then? There could be some things left that we didn't fix - I was somewhat brutal though on what I got you to get rid of. You can always run HijackThis again (I suggest you do this anyway), and post your log into the link I posted. This will clearly identify what you need to fix and things that it suspects are dodgy for further investigation. If you could post your Internet Explorer error that's logged we could maybe troubleshoot it. Other options are to try System File Checker.

Have your windows 2000 cd handy:

Click Start - Run - sfc /scannow - this will check for valid versions of Windows 2000 files. Next you can re-install Service Pack 4, and then check for any further updates from Windows Update. If this has happened on another login then there's something not quite right somewhere. The error log will help. Alternatively you can just recreate your profile and copy the contents of your old profile into your new one.

Deb :))
0
 

Author Comment

by:AndreaHaley
Oops, sent accidentally

Where was I - 5 logs in 5 minutes:

C:\Documents and Settings\All Users\Documents\DrWatson\drwtsn32.log

c:\plaxo.log

c:\Programfiles\hotbar\hotbar_1095698978.log

C:\WINNT\Debug\UserMode\userenv.log

Which one is the culprit?

Quickly, before I have to go back to work: my log from HijackThis:

Logfile of HijackThis v1.98.2
Scan saved at 12:58:56 PM, on 09/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\FergusonVPN\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\Program Files\WinDates\WinDates.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Trash\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.experts-exchange.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [q1HVT6k.exe] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [vmwX3k0z.exe] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV.exe] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [pZn0E68IS.exe] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v.exe] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [vmwX3k0z] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [q1HVT6k] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [pZn0E68IS] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra button: Help - {248C8BB3-B63F-47A8-A6E1-63A1A2373AD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {7844F386-C5B3-4CE2-B38A-F1ECE174D97E} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {7E416EA4-9E9C-4ECD-95C9-9E46F506EE8F} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)

Gotta Run....
0
 

Author Comment

by:AndreaHaley
Hi Deb,

I'm Back, no real problems, except I cannot even find my Windows 2000 Disk.  I'm pretty comfortable with my new login, I save all my data to my "D" Drive, so I won't be confused with like where are "My Documents" between (login) Andrea or (login) Andrea2......I'm ok.

I purchased a virus package, Trend Micro, the first website listed above.  I will load it tonight.

I have had some funky things happen: a search bar loaded itself on my Internet Explorer.  Have had a few pop-ups, my pop-up killer usually catches them, but I still have a list of what is getting that far.

I really just wanted to thank you for all your help, my system is in much better shape, thanks to you and your colleagues.  EE will be my new first source for computer help, not my last resort.

One last question, why do I have to go into "Safe Mode" to delete my temporary files?

That's it.......Andrea

0
 
LVL 12

Expert Comment

by:rossfingal
If you are in safe mode the minimum stuff is running - things that are nasty, sometimes "hide" in
temp files - quite often, in safe mode they are not running - therefore: they're not "active" -
it's possible to remove them - they're not  "active".
Just my opinion!
Glad everything has been resolved!
Regards...
RF
0
 
LVL 20

Expert Comment

by:Debsyl99
Ross is right on that one - Safe mode just loads up with the minimum amount of drivers etc needed to get windows to start,

Glad we helped,

Deb :))
0
 
LVL 2

Expert Comment

by:Shattuc
1. Please download DllCompare ( http://download.broadbandmedic.com/DllCompare.exe )

2. Start the Program with its default settings and put a check mark in the include subdirectories. Click the Run Locate.com and wait until the scan says complete.

3. Click the Compare button to start the next process.

4. Files in the upper portion have been verified to "exist", Files in the bottom section were not able to be accessed. Very few files should be listed in the bottom section when the Compare scan is complete.

5. Click on each of the listed entries in the lower section to select them. Right-click on the file and use the Option Rescan.

6. This will cause Windows Find to see if the file does exist, and then it will be removed from the list (to reduce the number of identified files)

7. Click the Make a Log of what was found button, and post the log here
0
 

Author Comment

by:AndreaHaley
Hi Shattuc,

What a treat, round two....thanks for offering your service.

Here is my log file from dllcompare.exe


*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

2,137 items found:  2,137 files (1 H/S), 0 directories.
Total of file sizes:  401,361,867 bytes    382.77 M

Administrator Account =  True

--------------------End log---------------------

It searched my C:\WINNT\system32 and did find one file, but when I re-scanned, it found it and removed it from the bottom portion of the dialog box.  What did I do this for?

AndreaHaley

Incidentally, I am having another problem, I cannot get my wireless network to find my other machine.  I cannot communicate at all between machines.  Both machines can surf, and I get my e-mail on both, but I cannot access the hard drives using Microsoft Explorer, nor can I print from the machine that is wireless.  I plan to call my network support, "Netgear" tonight - unless you have another suggestion. - Thanks.
0
 
LVL 12

Expert Comment

by:rossfingal
Hi!

> It searched my C:\WINNT\system32 and did find one file, but when I re-scanned, it found it and removed it from the bottom portion of the dialog box.  What did I do this for?

Do you remember the name of the file?

RF
0
 

Author Comment

by:AndreaHaley
Hi Rossfingal,

I do not remember the name of the file when I ran DllCompare.exe yesterday, however, I ran the program again, just now, and in the bottom pane it found "msxbse35.dll"

I will not run the Option re-scan 'till I hear from you.

Andrea



0
 

Author Comment

by:AndreaHaley
Here's the log file indicating the file that was found.

*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\msxbse35.dll   Mon Jun 23 1997   1:06:50p  A.SH.        287,504   280.77 K
________________________________________________

2,137 items found:  2,137 files (1 H/S), 0 directories.
Total of file sizes:  401,361,867 bytes    382.77 M

Administrator Account =  True

--------------------End log---------------------
0
 
LVL 12

Expert Comment

by:rossfingal
Hi! AndreaHaley

That file appears to be legitimate - check its properties.
Info here:
http://www.manifold.net/support/import_shp.html
http://support.microsoft.com/default.aspx?scid=kb;EN-US;155666
http://support.microsoft.com/default.aspx?scid=kb;EN-US;179203

It looks to be the same as on my install of Win 2000.

Regards...
RF
0
 

Author Comment

by:AndreaHaley
Okee doke, I'm good........Thanks again for everything.
0
 
LVL 12

Expert Comment

by:rossfingal
As far as what your last HJT log shows -

This entry can be dealt with by Ad-Aware SE
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
http://doxdesk.com/parasite/Sidesearch.html

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
http://www.adrants.com/2004/06/adspyre-launches-midaddle-ad-system.php

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
http://www.mac-net.com/744489.page
http://www.pestpatrol.com/PestInfo/p/peopleonpage.asp

O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)
http://213.173.251.14/~fbeejdk/NewHJTEntries.htm

Just some information.
How is your computer running?

RF
0
 
LVL 2

Expert Comment

by:Shattuc
Sorry I was out of town yesterday, I thought maybe you might have a certain one, but I was wrong, if you find nothing when you run dllcompare, and you hit rescan, and it finds nothing, then you are clean, at least from that particular Hijacker...
the rest...
I'll post more in a bit, but after fixing with Ad-Aware and Spybot S&D how is your system running?
0
 

Author Comment

by:AndreaHaley
Hi,

So, with the exception of the first item listed above, I should run HJT, and fix the remainder of the entries above?

As far as my system - My system is much, much better/faster.  A few pop-ups still, my "Pop-up Killer" catches them though.  ADS234 is gone, and Sandboxer seems to be gone for good.  My network is not working, between two machines, I suspect it is the firewall settings on the new virus protector I purchased, Trend-Micro.

Andrea

0
 
LVL 2

Expert Comment

by:Shattuc
clear your Temp Folders...
Both Temporary internet files, and
C:\documents and settings\andrea\local settings\temp\
Delete all the files in that folder...
if they are not already gone...
and I hate to say it...
(Sorry EE)
please run HJT again and post a new log.
0
 
LVL 2

Expert Comment

by:Shattuc
But Delete the files in your temp folders first.
0
 

Author Comment

by:AndreaHaley
Here is my log immediately after I cleared all the temp files from each person's login, in safe mode.  This log was created in safe mode also.

Logfile of HijackThis v1.98.2
Scan saved at 6:09:23 PM, on 09/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
D:\Trash\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra button: ComcastHSI - {55E7E90E-DFB7-440B-85DD-38A2D70B05A3} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {6A35814A-2315-4452-A948-0FF82A0B35F0} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {C0D68DA6-F08F-40DC-B185-2D32750D7BB3} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)

0
 
LVL 12

Expert Comment

by:rossfingal
I hate to say this, but a log in safe mode does not show everything we want to see {Sorry EE}
However, while you're in safe mode, do a complete search on your computer and delete any instances of the
following files (check your prefetch and dllcache folders, as well as ALL temp folders):
404Search.dll
onAE.dll
sep.dll
mssaru.dll
Delete all instances you find, of any of these

Also, have HijackThis "fix" these:
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe

Clean out your temp folders
Empty the recycle bin
Reboot your computer into "Normal" mode
And - Again - post a new HijackThis log for us to take a look at.  :)

Regards..
RF
0
 

Author Comment

by:AndreaHaley
A couple of things:
1.)  I did not find any of the above dll files
2.) I did not delete folder CONTENT.IE5, at some point along this road I read to only delete CONTENTIE, (not "content.ie5")  So I have not deleted this folder from my Temporary Internet Files directory, nor its contents - should I have?
3.) Does each user have a separate recycle bin?  I deleted the contents of the login "administrator" but could not locate anybody else's.

My log sir - created under regular boot circumstances. (not safe mode)

Thanks again!

Logfile of HijackThis v1.98.2
Scan saved at 10:03:11 PM, on 09/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\WinDates\WinDates.exe
C:\Program Files\Trend Micro\Internet Security\TSC.EXE
D:\Trash\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.experts-exchange.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra button: Help - {248C8BB3-B63F-47A8-A6E1-63A1A2373AD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {7844F386-C5B3-4CE2-B38A-F1ECE174D97E} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {7E416EA4-9E9C-4ECD-95C9-9E46F506EE8F} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)

0
 

Author Comment

by:AndreaHaley
Greetings RF,

I guess the silence means I should have deleted the "Content.ie5" folder?
0
 
LVL 12

Expert Comment

by:rossfingal
NO!

Sorry!
Don't delete the "Content.ie5" - OPEN UP
0
 
LVL 12

Expert Comment

by:rossfingal
Sorry - posted by accident -
don't delete that folder - open it, you'll see subfolders  -open them -
and delete ALL the contents, except "desktop.ini" (and you might get a question about "thumbs.db" -
probably - don't delete it)
Regards...RF
0
 

Author Comment

by:AndreaHaley
Hi RF,

Yes, I deleted all of the contents, (in safe mode) my desktop.ini files are in:
c:\Program Files
c:\program Files\support.com\backup\de
c:\winnt
c:\winnt\system32
d:\andreas stuff

Here is my HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 6:31:00 AM, on 09/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\WinDates\WinDates.exe
D:\Trash\HijackThis.exe
C:\Program Files\Trend Micro\Internet Security\TSC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.experts-exchange.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra button: Help - {248C8BB3-B63F-47A8-A6E1-63A1A2373AD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {7844F386-C5B3-4CE2-B38A-F1ECE174D97E} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {7E416EA4-9E9C-4ECD-95C9-9E46F506EE8F} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)

Can I "fix" the files that are missing here?

Thanks....Andrea
0
 
LVL 12

Expert Comment

by:rossfingal
Hi!   Andrea

Have HijackThis fix the following:
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)

Since comcast appears to be your Internet provider these are optional:
(although, I have comcast and I've removed them with no problems)
O9 - Extra button: Help - {248C8BB3-B63F-47A8-A6E1-63A1A2373AD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {7844F386-C5B3-4CE2-B38A-F1ECE174D97E} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {7E416EA4-9E9C-4ECD-95C9-9E46F506EE8F} - http://www.comcast.net (file missing) (HKCU)

Clean out your temp files
Empty the recycle bin
Reboot your computer and let's see how things look.

Cheers!
RF
0
 

Author Comment

by:AndreaHaley
Logfile of HijackThis v1.98.2
Scan saved at 4:35:21 PM, on 10/03/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\WinDates\WinDates.exe
D:\Trash\HijackThis.exe
C:\Program Files\Trend Micro\Internet Security\TSC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.experts-exchange.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx

I emptied everybody's recycle bin from each login, is there an easier way?

Thanks.......Andrea
0
 
LVL 12

Expert Comment

by:rossfingal
Hi!

Log looks much better.
One more thing to do - go to Add/Remove Programs and look for an entry for:
Twain-Tech
If it's present, uninstall it.
Reboot your computer into "safe" mode.
Search your entire computer for any instances of -
preinsmt.exe
(your profilepath)\start menu\programs\pc powerscan\uninstall pc powerscan.lnk
C:\Program Files\intrigue learning\unwise.exe
C:\Program Files\intrigue learning\unwise.ini
C:\Program Files\intrigue learning\update.exe
C:\Program Files\intrigue learning\updates_v2.inf
C:\WINNT\\xgn.exe
C:\WINNT\system\mxtarget.dll
C:\WINNT\system\twaintec.dll (twaintech.dll)
C:\WINNT\system32\mxtarget.dll
C:\WINNT\system32\twaintec.dll
C:\WINNT\twaintec.dll
C:\WINNT\twaintec.ini
C:\WINNT\wsem218.dll

Delete any that you find.
If twaintech.dll is in use, then you would need to rename it, (something like twaintech.bad)
reboot the computer, and then delete it.
Clean out your temp files
Empty the recycle bin
Reboot and let's see how things look.
Good luck!
RF
0
 

Author Comment

by:AndreaHaley
Logfile of HijackThis v1.98.2
Scan saved at 6:15:20 PM, on 10/03/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\WinDates\WinDates.exe
D:\Trash\HijackThis.exe
C:\Program Files\Trend Micro\Internet Security\TSC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.experts-exchange.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx

I could not find even ONE of the files in your last post, is this a problem?

Andrea
0
 
LVL 20

Assisted Solution

by:Debsyl99
Debsyl99 earned 250 total points
Hi

This has been going on for quite a while and normally you wouldn't get this much support for 50 points (500 yes, 50 no). So please run HijackThis, put a check by the following and hit fix:

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe

This should sort it out and hopefully you can close this question,

Deb :))
0
 
LVL 12

Accepted Solution

by:rossfingal
rossfingal earned 250 total points
I'm not here for the points

Sometimes it takes a while - this link is interesting:
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
It's "Twaintec"
Here's why I left it to last (hint - it's a "transponder"):
HijackThis cannot fix it - yes; I suppose I could have dealt with it first, I decided not to -
for reasons "arcane"

>AndreaHaley
Like I said above - I'm not here for the points - just "stumbled" into your post,
and decided to try and help (hope I have!)
If I haven't, or I've spent way too much time (OH NO!) - give the points to someone else.
It's your call! Oh, and by the way, this should also be "fixed":
O2 - BHO: (no name) - SOFTWARE - (no file)
As a side note - most (if not all) of the questionable entries left in your log are "leftover"
registry entries - probably not harmful.
Also, if you didn't find any of those files - that's very good! :)

Best Regards!
RF


0
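A small triage script for HijackThis log lines, added here as an example; it is not code from this thread, from HijackThis or from any of the posters. It applies, mechanically, the checks the two answers above did by eye: O2/O3 entries whose component has no file on disk or whose "CLSID" is not a GUID (the SOFTWARE entry), O4 Run values that launch a bare executable name with no directory (vmmreg32.exe, keray.exe), a display name such as "Windows Explorer" that does not match the binary it starts, the Windows 9x-era RunServices key, and value names that look machine-generated (w74U38T). The sample log is constructed from the entry types in Andrea's log, and the heuristics and rule names are my own. As the mobsync.exe line shows, an unqualified path is a prompt to verify the file, not a verdict, since legitimate Windows entries use it too.

```python
import re

# Constructed sample in HijackThis log format, modelled on the entry types
# discussed in this thread (O2 BHO, O3 toolbar, O4 Run/RunServices).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
"""

# O4 lines look like: O4 - HKLM\..\Run: [value name] target
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<target>.*)$"
)
# O2/O3 lines look like: O2 - BHO: name - {CLSID} - path
O2_O3_RE = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\S+) - (?P<target>.*)$"
)
# Leading quoted path, or an unquoted path up to the first executable extension.
EXE_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]*)"|(?P<bare>.*?\.(?:exe|com|scr|bat|dll|ocx)))', re.IGNORECASE
)
# Short alphanumeric value names with two or more digits and no spaces (heuristic).
RANDOM_NAME_RE = re.compile(r"^(?=(?:.*\d){2})[A-Za-z0-9]{5,10}$")

# Display names that belong to a Windows component, and the binary they would
# genuinely launch. Assumption: a value called "Windows Explorer" that starts
# anything other than explorer.exe is impersonating the component.
WINDOWS_NAMES = {"windows explorer": "explorer.exe"}


def executable_of(target: str) -> str:
    """Return just the executable path from a Run value, dropping quotes and arguments."""
    target = target.strip()
    m = EXE_RE.match(target)
    if not m:
        return target
    return m.group("quoted") if m.group("quoted") is not None else m.group("bare")


def triage_line(line: str) -> list:
    """Return the list of reasons this log line deserves a closer look (empty if none)."""
    reasons = []
    line = line.rstrip()
    m = O2_O3_RE.match(line)
    if m:
        target = m.group("target")
        if target.endswith("(no file)") or "(file missing)" in target:
            reasons.append("orphaned entry: registered component has no file on disk")
        if not m.group("clsid").startswith("{"):
            reasons.append("malformed CLSID: registry value is not a GUID")
        return reasons
    m = O4_RE.match(line)
    if m:
        exe = executable_of(m.group("target"))
        base = exe.rsplit("\\", 1)[-1].lower()
        if "\\" not in exe:
            reasons.append("unqualified executable: resolved via the search path, verify which file runs")
        expected = WINDOWS_NAMES.get(m.group("name").lower())
        if expected and base != expected:
            reasons.append(f"display name impersonates a Windows component but runs {base}")
        if RANDOM_NAME_RE.match(m.group("name")):
            reasons.append("value name looks machine-generated")
        if m.group("key").lower() == "runservices":
            reasons.append("RunServices key: a Windows 9x-era key, unusual on Windows 2000")
    return reasons


def triage(log_text: str) -> list:
    """Return (line, reasons) pairs for every flagged line in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line.rstrip(), reasons))
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG):
        print(flagged)
        for reason in why:
            print("    -", reason)
```

Run it against a saved log instead of SAMPLE_LOG by reading the file into a string and passing it to triage(). Lines that pass the script are not thereby clean; the script only reproduces the cheap checks, and an entry with a real file on disk (like the BroadJump CFD.exe line discussed below) still needs the file itself looked up.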
 
LVL 12

Expert Comment

by:rossfingal
Hi!

Just remembered one other thing.
This line:
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
Here's some info on cfd.exe:
splintercell990 May 18, 2004 (splintercell990 is a malware expert active on several security forums)
http://forums.net-integration.net/index.ph...indpost&p=74369
"BroadJump program on your computer. It is not a true spyware program, but it may have been installed on your system when
you got cable Internet from your cable company. The software collects information on your Internet activity and sends it
to your ISP so that your ISP can serve you advertisements related to the type of sites you visit."

Cheers!
RF
0
 

Author Comment

by:AndreaHaley
Hi RF,

I un-installed Broad Jump, thanks.

Andrea
0