AndreaHaley
asked on
Ads234 hijacked my browser, and Sandboxer won't go away.
Hello,
1.) I am having a problem with ads234, my browser has been hijacked. 2.) I also cannot seem to get rid of Sandboxer, I delete the 14 digit key that starts with a number in my registry, it's ok for a couple of weeks then comes back. Can somebody help, I am using Windows 2000, networked via wireless. Thanks.
Hi Andrea,
First check for trojans/viruses and remove them: (Courtesy of Sunray 2003 PAQ which I just lost the link to)
online virus scanner:
---------------------
http://housecall.trendmicro.com/
http://security.symantec.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.pcpitstop.com/antivirus/default.asp
DOS based : http://www.f-prot.com/download/download_fpdos.html
There are also numerous spyware/adware removal programs available : always make sure you update them first before running them,
What is spyware : http://www.spychecker.com/spyware.html
SpyBot-S&D : http://www.webattack.com/download/dlspybot.shtml
Ad-aware : http://www.webattack.com/download/dladaware.shtml
Trojan Remover: http://www.simplysup.com/
KL-Detector: http://www.webattack.com/download/dlkldetector.shtml
X-Cleaner Free: http://www.webattack.com/download/dlxcleaner.shtml
SpywareBlaster: http://www.webattack.com/download/dlspywareblaster.shtml
SpywareGuard: http://www.webattack.com/download/dlspywareguard.shtml
SpySites: http://www.webattack.com/download/dlspysites.shtml
Keylogger Hunter: http://www.webattack.com/download/dlklhunter.shtml
Spycop: http://www.spycop.com/
BHODemon : http://www.spywareinfo.com/downloads/bhod/
Browser Hijack Blaster : http://www.wilderssecurity.net/bhblaster.html
Goodbye Spy http://www.topshareware.com/GoodBye-Spy-download-2012.htm
Other spyware removal instructions: http://www.pchell.com/support/click2findnow.shtml
I noticed that you posted your HijackThis log earlier. Experts Exchange now recommends that we suggest you do the following with these logs:
First make sure that you use the most recent version of HijackThis:
HijackThis 1.98.2
http://www.majorgeeks.com/download3155.html
Download it, run it, save your log file.
Then use the following site to analyse and remove any "nasty" entries by pasting your saved logfile into it - which I noted from your previous post you DID have some nasties there,
HijackThis log file analysis
http://www.hijackthis.de/index.php?langselect=english
P.S. don't worry about not getting EE rules first time round - most of us didn't ;-)
Post back if that little lot didn't help,
Deb :))
Oh and if you're running Windows xp or Me, make sure that you disable your system restore prior to attempting removal (otherwise you'll just restore the problems too)
Hi! AndreaHaley
Just to start things out - you have a Peper Trojan on your system.
Do the following to remove it -
Download and run these:
Download Newuninst.exe - Download from: http://downloads.subratam.org/Newuninst.exe
Run it and make sure you have an active internet connection.
Reboot and run the tool once again (again with an active internet connection).
Download PeperFix.exe - Download from: http://downloads.sbratam.org/PeperFix.exe
Start
Run it and click Find and Fix.
Reboot into "Safe" mode and run the tool a second time to make certain it's done its job.
Reboot into "Normal" mode when finished and post a new HijackThis log here
(I have a copy of your HijackThis logfile that you posted in another members thread)
Good luck!
RF
ASKER
Hi rossfingal, (and everyone)
Based upon all your comments, I'm a mess! Thanks for your efforts everyone! I performed what appeared to be the easiest task above. The fix for my Peper Trojan. Here is my log from after I ran Newuninst.exe, twice, Peper fix twice, and then downloaded the Latest & Greatest HijackThis.
Here goes nothin:
Logfile of HijackThis v1.98.2
Scan saved at 9:19:04 PM, on 09/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\FergusonVPN\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\WinDates\WinDates.exe
D:\Trash\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://usa.autodesk.com/adsk/servlet/home?siteID=123112&id=129446
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [InstallRA] C:\PROGRA~1\FEI\RemoteAccessInstall\InstallRA.exe
O4 - HKLM\..\Run: [Configuration Loader] iexplore.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [q1HVT6k.exe] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [vmwX3k0z.exe] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV.exe] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [pZn0E68IS.exe] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v.exe] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [vmwX3k0z] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [q1HVT6k] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [pZn0E68IS] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe -a
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [hwv8RUfmO] secdtect.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra button: ComcastHSI - {124F45C6-861B-47CD-A822-D766958768B6} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {6930DB25-CD27-4DF7-A0C0-B4288CEF4575} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {8DAA8434-3152-4804-9458-22993FC61471} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sygate
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = sygate
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sygate
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll
Whatdya think?
Andrea
Hi
The current EE suggestion as I posted earlier is to paste your HJT log into the site below for analysis - this also helps prevent this site from becoming overloaded with logs,
http://www.hijackthis.de/index.php?langselect=english
Having had a look at your log I suggest you fix the following, unless you know for a fact the entries relate to programs etc that you installed yourself,
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\WinDates\WinDates.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [Configuration Loader] iexplore.exe
O4 - HKLM\..\Run: [q1HVT6k.exe] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [vmwX3k0z.exe] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV.exe] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [pZn0E68IS.exe] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v.exe] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [vmwX3k0z] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [q1HVT6k] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [pZn0E68IS] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - HKCU\..\Run: [hwv8RUfmO] secdtect.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll
Potentially fix these - Are you using sygate at all?
O4 - HKLM\..\Run: [InstallRA] C:\PROGRA~1\FEI\RemoteAccessInstall\InstallRA.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sygate
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = sygate
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sygate
I still strongly suggest that you use the virus scans posted earlier, as it's possible that unless you remove the source of the problem, the symptoms will just keep coming back,
Deb :))
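As an added example (my own, not code from the thread, from Experts Exchange or from HijackThis), the script below applies the triage rules Deb used above to a constructed excerpt in the HijackThis log format: processes and O4 autoruns living in a Local Settings\Temp folder, O2/O3/O9 entries whose target file is missing, an IE search page pointed at a local file, random-looking autorun value names and bare image names with no path, plus O16 and O21 entries to verify by hand. It only reports; the regular expressions and the "random-looking name" heuristic are assumptions of this example, not HijackThis rules.

```python
"""Triage a HijackThis-style log the way the thread did: flag, do not delete."""
import re
from typing import List, Tuple

# Constructed sample in the HijackThis v1.98 log format. It is a short excerpt
# shaped like the entries flagged in the thread, not the poster's full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\NavNT\vptray.exe
C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [q1HVT6k] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll
"""

Finding = Tuple[str, str, str]  # (severity, reason, log line)

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - ")
TEMP_DIR_RE = re.compile(r"\\local settings\\temp\\", re.IGNORECASE)
# "O4 - HKLM\..\Run: [value name] command line" (also HKCU and RunServices)
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\Run(?:Services)?): \[(.*?)\] (.*)$")
# Value names such as q1HVT6k or w74U38T: one token mixing letters and digits.
# Heuristic of this example, not a HijackThis rule; expect some false positives.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{5,}(?:\.exe)?$")
# A command that is only an image name with no directory, e.g. vmmreg32.exe
BARE_IMAGE_RE = re.compile(r'^[^\\\s"]+\.exe(?:\s|$)', re.IGNORECASE)


def triage(log_text: str) -> List[Finding]:
    """Return (severity, reason, line) for every entry worth attention.

    'fix' = entries the thread's own reasoning treats as safe to fix in HijackThis;
    'review' = confirm what the entry belongs to before touching it.
    """
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes and not ENTRY_RE.match(line):
            # Plain image paths until the first R/O entry begins
            if TEMP_DIR_RE.search(line):
                findings.append(("fix", "process running from a Temp directory", line))
            continue
        in_processes = False
        if "(file missing)" in line and line[:2] in ("O2", "O3", "O9"):
            findings.append(("fix", "orphaned entry, target file is missing", line))
            continue
        if line[:2] in ("R0", "R1") and "file://" in line.lower():
            findings.append(("fix", "IE start/search page pointed at a local file", line))
            continue
        m = O4_RE.match(line)
        if m:
            _key, name, command = m.groups()
            if TEMP_DIR_RE.search(command):
                findings.append(("fix", "autorun launched from a Temp directory", line))
            elif RANDOM_NAME_RE.match(name):
                findings.append(("review", "random-looking autorun value name", line))
            elif BARE_IMAGE_RE.match(command):
                findings.append(("review", "autorun with bare image name, confirm where it lives", line))
            continue
        if line.startswith("O16 - DPF:"):
            findings.append(("review", "downloaded ActiveX control, verify the source site", line))
        elif line.startswith("O21 - SSODL:"):
            findings.append(("review", "shell service object DLL, verify the file", line))
    return findings


def count_by_severity(findings: List[Finding]) -> Tuple[int, int]:
    """Return (fix_count, review_count) for a one-line summary."""
    fixes = sum(1 for sev, _, _ in findings if sev == "fix")
    return fixes, len(findings) - fixes


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for severity, reason, line in results:
        print(f"[{severity:6}] {reason}: {line}")
    print("fix/review:", count_by_severity(results))
```

Anything it marks "review" still needs the human check Deb asked for: whether the program is one you installed yourself.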
ASKER
Hi Deb,
What exactly do you mean by Potentially fix these? Find them in the registry and delete them?
I will tell you that my husband does not use either of these programs anymore, FEI or Sygate.
I am running one of these scanners now, but another problem has occurred. I now can no longer use my Internet Explorer at all on my login. I simply created a new one to get back to this dialog, but I am afraid of losing all of my settings now.
My Norton just popped up and found this:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.ByteVerify
File: C:\Documents and Settings\Andrea2\Local Settings\Temp\V7M43Ma01552
Location: Quarantine
Computer: ANDREAW2K
User: Andrea2
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Sat Sep 18 22:39:25 2004
Popped up again with this:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.ByteVerify
File: C:\Documents and Settings\Andrea2\Local Settings\Temp\V7M43Ma01552
Location: Quarantine
Computer: ANDREAW2K
User: Andrea2
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Sat Sep 18 22:43:53 2004
AAAGGHHH!!!
Help!......Andrea
Hi
Restart in safe mode and then delete ALL the contents of these folders (don't delete the folders - just what's in them) - should have asked you to do that anyway, but it needed a scan, or alternatively scan it again from safe mode - at least these have been quarantined so you can delete them from the quarantine on the antivirus.
C:\Documents and Settings\Andrea2\Local Settings\Temp\
C:\documents and settings\andrea\local settings\temp\
C:\Documents and Settings\Paige\Local Settings\Temp
Search for and delete the following again in safe mode:
Web Offer Folder and contents
C:\WINNT\system32\mssaru.dll
vmmreg32.exe
Potentially fix these meant fix them with hijackthis if you don't recognise them,
Deb :))
ASKER
Hi Deb,
Starting fresh this morning: I went into safe mode and deleted all of the files (AND FOLDERS) in
C:\Documents and Settings\Andrea2\Local Settings\Temp\
C:\documents and settings\andrea\local settings\temp\
C:\Documents and Settings\Paige\Local Settings\Temp
I did not delete these items to the two other users on my machine, my husband and my son, should I have?
I Deleted "Web Content" folder, and went ahead and deleted, "Hotbar", "WhenuSearch" and "Memorywatcher", too.
Deleted mssaru.dll, but could not locate vmmreg32.exe
I set up a new user for myself, Andrea2 last night cuz my Internet Explorer does not work in my old login, is there anything I can do to clean up, (delete the old login once everything is switched over, (my e-mail, addresses & mail, custom toolbars in Autocad, etc.)
Thanks for your help, we are already running much faster, and no ads234 anymore. Thanks.
Andrea
ASKER
Hi Deb,
Upon re-reading your meticulous instructions, I realized I probably should not have deleted the folders nested below my Temp folder for each login. I left my C:\~\temp intact, but there were folders below that, I deleted all files and sub-folders below my Temp directory. Everything seems to be ok, Should I have left the folders, and just deleted their contents?
Thanks, Andrea
Shouldn't matter. It's a %TEMP% folder anyways :)
Hi Andrea
Sorry - was offline yesterday - No it shouldn't matter - temp folders are just that - folders for holding temp files. It's good practice to empty them on a regular basis. Make sure that you empty all the temp folders under each user's directory too. Is the pc clear of pop-ups after reboot? If so then your problem should be resolved for now. I would suggest that you get a decent virus protection software (Just in case you have it - Symantec/Norton just isn't cutting it at the moment - it missed 9 trojans on my system the other week, and I've encountered others using it who have had severe problems due to what it's missed - Trend Internet Security is pretty good - anyway I digress..)
So onto your profile which needs fixing. Is it only internet explorer that isn't working?
Deb :))
ASKER
Hi Deb,
I have Symantec Corporate edition, which I download monthly on each machine. It was a requirement when my husband was using that FEI software (That I cleaned using hijackthis, by the way)
I will look into Trend Internet Security, thanks for the tip.
Pop-ups are virtually gone, ads234 is gone and sandboxer has gone away for the moment. Yes, in my old login, Internet Explorer was the only program that gave me an error, it created an error log, which I could not make sense out of. This has happened once before in my son's login, the fix was to create a new login. I'd like to have a solution, in case it happens again. Otherwise I am pretty happy! You have been great, precise, meticulous, etc!!
Thank you, Thank you.
Andrea
I'm glad to help :))
So you still have some pop-ups then? There could be some things left that we didn't fix - I was somewhat brutal though on what I got you to get rid of. You can always run hijack this again (I suggest you do this anyway), and post your log into the link I posted. This will clearly identify what you need to fix and things that it suspects are dodgy for further investigation. If you could post your internet explorer error that's logged we could maybe trouble-shoot it. Other options are to try system file checker
Have your windows 2000 cd handy:
Click start - run - sfc /scannow - this will check for valid versions of windows 2000 files. Next you can re-install service pack 4, and then check for any further updates from windows update. If this has happened on another login then there's something not quite right somewhere. The error log will help. Alternatively you can just recreate your profile and copy the contents of your old profile into your new one.
Deb :))
ASKER
Oops, sent accidentally
Where was I - 5 logs in 5 minutes:
C:\Documents and Settings\All Users\Documents\DrWatson\drwtsn32.log
c:\plaxo.log
c:\Programfiles\hotbar\hotbar_1095698978.log
C:\WINNT\Debug\UserMode\userenv.log
Which one is the culprit?
Quickly, before I have to go back to work: my log from hijack this:
Logfile of HijackThis v1.98.2
Scan saved at 12:58:56 PM, on 09/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\FergusonVPN\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\Program Files\WinDates\WinDates.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Trash\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experts-exchange.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [q1HVT6k.exe] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [vmwX3k0z.exe] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV.exe] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [pZn0E68IS.exe] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v.exe] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [vmwX3k0z] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [q1HVT6k] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [pZn0E68IS] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra button: Help - {248C8BB3-B63F-47A8-A6E1-63A1A2373AD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {7844F386-C5B3-4CE2-B38A-F1ECE174D97E} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {7E416EA4-9E9C-4ECD-95C9-9E46F506EE8F} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)
Gotta Run....
ASKER
Hi Deb,
I'm Back, no real problems, except I cannot even find my Windows 2000 Disk. I'm pretty comfortable with my new login, I save all my data to my "D" Drive, so I won't be confused with like where are "My Documents" between (login) Andrea or (login) Andrea2......I'm ok.
I purchased a virus package, Trend Micro, the first website listed above. I will load it tonight.
I have had some funky things happen: a search bar loaded itself on my Internet Explorer. I have had a few pop-ups; my pop-up killer usually catches them, but I still have a list of what is getting that far.
I really just wanted to thank you for all your help, my system is in much better shape, thanks to you and your colleagues. EE will be my new first source for computer help, not my last resort.
One last question, why do I have to go into "Safe Mode" to delete my temporary files?
That's it.......Andrea
If you are in safe mode the minimum stuff is running - things that are nasty, sometimes "hide" in
temp files - quite often, in safe mode they are not running - therefore: they're not "active" -
it's possible to remove them - they're not "active".
Just my opinion!
Glad everything has been resolved!
Regards...
RF
Ross is right on that one - Safe mode just loads up with the minimum amount of drivers etc needed to get windows to start,
Glad we helped,
Deb :))
1. Please download DllCompare ( http://download.broadbandmedic.com/DllCompare.exe )
2. Start the Program with its default settings and put a check mark in the include subdirectories. Click the Run Locate.com and wait until the scan says complete.
3. Click the Compare button to start the next process.
4. Files in the upper portion have been verified to "exist", Files in the bottom section were not able to be accessed. Very few files should be listed in the bottom section when the Compare scan is complete.
5. Click on each of the listed entries in the lower section to select them. Right-click on the file and use the Option Rescan.
6. This will cause Windows Find to see if the file does exist, and then it will be removed from the list (to reduce the number of identified files)
7. Click the Make a Log of what was found button, and post the log here
ASKER
Hi Shattuc,
What a treat, round two....thanks for offering your service.
Here is my log file from dllcompare.exe
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
__________________________________________________
O^E says: "There were no files found :)"
__________________________________________________
2,137 items found: 2,137 files (1 H/S), 0 directories.
Total of file sizes: 401,361,867 bytes 382.77 M
Administrator Account = True
--------------------End log---------------------
It searched my C:\WINNT\system32 and did find one file, but when I re-scanned, it found it and removed it from the bottom portion of the dialog box. What did I do this for?
AndreaHaley
Incidentally, I am having another problem, I cannot get my wireless network to find my other machine. I cannot communicate at all between machines. Both machines can surf, and I get my e-mail on both, but I cannot access the hard drives using microsoft explore, nor can I print from the machine that is wireless. I plan to call my network support, "Netgear" tonight - unless you have another suggestion. - Thanks.
Hi!
> "It searched my C:\WINNT\system32 and did find one file, but when I re-scanned, it found it and
removed it from the bottom portion of the dialog box. What did I do this for?"
Do you remember the name of the file?
RF
ASKER
Hi Rossfingal,
I do not remember the name of the file when I ran DllCompare.exe yesterday, however, I ran the program again, just now, and in the bottom pane it found "msxbse35.dll"
I will not run the Option re-scan 'till I hear from you.
Andrea
ASKER
Here's the log file indicating the file that was found.
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
__________________________________________________
C:\WINNT\SYSTEM32\msxbse35.dll Mon Jun 23 1997 1:06:50p A.SH. 287,504 280.77 K
__________________________________________________
2,137 items found: 2,137 files (1 H/S), 0 directories.
Total of file sizes: 401,361,867 bytes 382.77 M
Administrator Account = True
--------------------End log---------------------
Hi! AndreaHaley
That file appears to be legitimate - check its properties.
Info here:
http://www.manifold.net/support/import_shp.html
http://support.microsoft.com/default.aspx?scid=kb;EN-US;155666
http://support.microsoft.com/default.aspx?scid=kb;EN-US;179203
It looks to be the same as on my install of Win 2000.
Regards...
RF
ASKER
Okee doke, I'm good........Thanks again for everything.
As far as what your last HJT log shows -
This entry can be dealt with by Ad-Aware SE
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
http://doxdesk.com/parasite/Sidesearch.html
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
http://www.adrants.com/2004/06/adspyre-launches-midaddle-ad-system.php
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
http://www.mac-net.com/744489.page
http://www.pestpatrol.com/PestInfo/p/peopleonpage.asp
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)
http://213.173.251.14/~fbeejdk/NewHJTEntries.htm
Just some information.
How is your computer running?
RF
Sorry I was out of town yesterday, I thought maybe you might have a certain one, but I was wrong, if you find nothing when you run dllcompare, and you hit rescan, and it finds nothing, then you are clean, at least from that particular Hijacker...
the rest...
I'll post more in a bit, but after fixing with Ad-Aware and Spybot S&D how is your system running?
ASKER
Hi,
So, with the exception of the first item listed above, I should run HJT, and fix the remainder of the entries above?
As far as my system - My system is much, much better/faster. A few pop-ups still, my "Pop-up Killer" catches them though. ADS234 is gone, and Sandboxer seems to be gone for good. My network is not working, between two machines, I suspect it is the firewall settings on the new virus protector I purchased, Trend-Micro.
Andrea
clear your Temp Folders...
Both Temporary internet files, and
C:\documents and settings\andrea\local settings\temp\
Delete all the files in that folder...
if they are not already gone...
and I hate to say it...
(Sorry EE)
please run HJT again and post a new log.
But Delete the files in your temp folders first.
ASKER
Here is my log immediately after I cleared all the temp files from each person's login, in safe mode. This log was created in safe mode also.
Logfile of HijackThis v1.98.2
Scan saved at 6:09:23 PM, on 09/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
D:\Trash\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra button: ComcastHSI - {55E7E90E-DFB7-440B-85DD-38A2D70B05A3} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {6A35814A-2315-4452-A948-0FF82A0B35F0} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {C0D68DA6-F08F-40DC-B185-2D32750D7BB3} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)
I hate to say this, but a log in safe mode does not show everything we want to see {Sorry EE}
However, while you're in safe mode, do a complete search on your computer and delete any instances of the
following files (check your prefetch and dllcache folders, as well as ALL temp folders):
404Search.dll
onAE.dll
sep.dll
mssaru.dll
Delete all instances you find, of any of these
Also, have HijackThis "fix" these:
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
Clean out your temp folders
Empty the recycle bin
Reboot your computer into "Normal" mode
And - Again - post a new HijackThis log for us to take a look at. :)
Regards..
RF
ASKER
A couple of things:
1.) I did not find any of the above dll files
2.) I did not delete folder CONTENT.IE5, at some point along this road I read to only delete CONTENTIE, (not "content.ie5") So I have not deleted this folder from my Temporary Internet Files directory, nor its contents - should I have?
3.) Does each user have a separate recycle bin? I deleted the contents of the login "administrator" but could not locate anybody else's.
My log sir - created under regular boot circumstances. (not safe mode)
Thanks again!
Logfile of HijackThis v1.98.2
Scan saved at 10:03:11 PM, on 09/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\WinDates\WinDates.exe
C:\Program Files\Trend Micro\Internet Security\TSC.EXE
D:\Trash\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experts-exchange.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra button: Help - {248C8BB3-B63F-47A8-A6E1-63A1A2373AD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {7844F386-C5B3-4CE2-B38A-F1ECE174D97E} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {7E416EA4-9E9C-4ECD-95C9-9E46F506EE8F} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)
ASKER
Greetings RF,
I guess the silence means I should have deleted the "Content.ie5" folder?
NO!
Sorry!
Don't delete the "Content.ie5" - OPEN UP
Sorry - posted by accident -
don't delete that folder - open it, you'll see subfolders -open them -
and delete ALL the contents, except "desktop.ini" (and you might get a question about "thumbs.db")
Probably - don't delete it
Regards...RF
ASKER
Hi RF,
Yes, I deleted all of the contents, (in safe mode) my desktop.ini files are in:
c:\Program Files
c:\program Files\support.com\backup\de
c:\winnt
c:\winnt\system32
d:\andreas stuff
Here is my HJT log:
Logfile of HijackThis v1.98.2
Scan saved at 6:31:00 AM, on 09/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\WinDates\WinDates.exe
D:\Trash\HijackThis.exe
C:\Program Files\Trend Micro\Internet Security\TSC.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experts-exchange.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra button: Help - {248C8BB3-B63F-47A8-A6E1-63A1A2373AD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {7844F386-C5B3-4CE2-B38A-F1ECE174D97E} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {7E416EA4-9E9C-4ECD-95C9-9E46F506EE8F} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)
Can I "fix" the files that are missing here?
Thanks....Andrea
Hi! Andrea
Have HijackThis fix the following:
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)
Since comcast appears to be your Internet provider these are optional:
(although, I have comcast and I've removed them with no problems)
O9 - Extra button: Help - {248C8BB3-B63F-47A8-A6E1-63A1A2373AD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {7844F386-C5B3-4CE2-B38A-F1ECE174D97E} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {7E416EA4-9E9C-4ECD-95C9-9E46F506EE8F} - http://www.comcast.net (file missing) (HKCU)
Clean out your temp files
Empty the recycle bin
Reboot your computer and let's see how things look.
Cheers!
RF
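The triage RF has been doing by eye across these logs (pick out the "(file missing)" registrations, the O16 ActiveX downloads from search-toolbar hosts, and the Run values that launch a bare executable name such as vmmreg32.exe or keray.exe) can be scripted so it is applied the same way to every log posted. The script below is an added example, not code from this thread or from HijackThis; KNOWN_BARE_EXE, TRUSTED_DPF and the looks_random() heuristic are assumptions for the demo, and SAMPLE_LOG is a constructed excerpt of the logs above.

```python
"""Triage a HijackThis log along the lines RF applied by eye in this thread.

Added example, not code from the thread or from HijackThis. Rules:
  * O2/O3/O9/O21 entries whose target is "(file missing)" are dead registrations;
  * O4 Run/RunServices values whose command is a bare exe name (found through the
    PATH, so the file can sit anywhere, as with vmmreg32.exe and keray.exe) or
    whose value name looks random get a closer look;
  * O16 DPF (ActiveX download) entries fetched from a non-allowlisted host.
KNOWN_BARE_EXE, TRUSTED_DPF and looks_random() are assumptions for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: value names that legitimately launch a bare exe on this box, and
# the one network DPF source trusted here (HouseCall was run on purpose).
KNOWN_BARE_EXE = {"Synchronization Manager", "Promon.exe", "Smapp"}
TRUSTED_DPF = ("housecall.trendmicro.com",)

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def first_exe(cmd: str) -> str:
    """Program part of a Run value: '"C:\\a b\\x.exe" /q' -> 'C:\\a b\\x.exe'."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def looks_random(name: str) -> bool:
    """Heuristic: letters and digits mixed, no space or dot ('w74U38T' yes, 'BJCFD' no)."""
    return (re.fullmatch(r"[A-Za-z0-9]{5,}", name) is not None
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        if sec in {"O2", "O3", "O9", "O21"} and "(file missing)" in body:
            findings.append(Finding(sec, "registered component whose file is gone", line))
        elif sec == "O4" and (m4 := O4_RE.match(body)):
            name, exe = m4.group("name"), first_exe(m4.group("cmd"))
            reasons = []
            if "\\" not in exe and name not in KNOWN_BARE_EXE:
                reasons.append("bare exe name resolved via PATH")
            if looks_random(name):
                reasons.append("random-looking value name")
            if reasons:
                findings.append(Finding(sec, "; ".join(reasons), line))
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if url.startswith(("http://", "https://")) and not any(t in url for t in TRUSTED_DPF):
                findings.append(Finding(sec, "ActiveX control pulled from untrusted host", line))
    return findings


def fix_list(log_text: str) -> list[str]:
    """Lines to tick in HijackThis. O4 hits are left out: identify the file first."""
    return [f.line for f in triage(log_text) if f.section != "O4"]


# Constructed excerpt of the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experts-exchange.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}: {f.line}")
```

Run as a script it reports eight hits on the excerpt. fix_list() deliberately leaves the O4 hits out: a Run value that launches a bare name (vmmreg32.exe, keray.exe) has to be traced to the file itself, which is the search RF asked for; ticking only the registry value tends to leave the file in place to recreate it, which matches what the asker reported for Sandboxer.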
ASKER
Logfile of HijackThis v1.98.2
Scan saved at 4:35:21 PM, on 10/03/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\WinDates\WinDates.exe
D:\Trash\HijackThis.exe
C:\Program Files\Trend Micro\Internet Security\TSC.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experts-exchange.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx
I emptied everybody's recycle bin from each login, is there an easier way?
Thanks.......Andrea
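A responder reads a log like the one above by eye, looking at the same few patterns every time. As an added example (not part of the thread and not HijackThis's own logic), the script below parses the O2/O3/O4 lines and flags those patterns: Run values that are a bare filename resolved through PATH, RunServices entries on an NT-family system, value names that look generated or borrow a Windows component's name, and BHO/toolbar registrations whose file is no longer on disk. The allow-list and the heuristics are assumptions chosen for this box; a flag means "verify this", not "this is malware".

```python
"""Heuristic triage of HijackThis O2/O3/O4 lines.

Added example for this thread; not HijackThis code and not RF's method.
The allow-list and heuristics are assumptions tuned to surface the entries
the thread discusses (bare-filename Run values, RunServices on NT,
orphaned BHO/toolbar registrations)."""
import re

# Constructed sample: a subset of the O-lines from the log posted above,
# with the extraction line-wraps removed.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)",
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r"O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe",
    r"O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe",
    r"O4 - HKLM\..\Run: [w74U38T] keray.exe",
    r"O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe",
]

# Assumed allow-list: bare-filename Run values that are legitimate on this
# particular box (Windows 2000 components and OEM tray apps seen in the log).
KNOWN_BARE = {"mobsync.exe", "promon.exe", "smtray.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}|\S+) - (?P<path>.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}|\S+) - (?P<path>.*)$")


def executable_of(cmd):
    """Strip quoting and arguments from a Run value, leaving the program."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(maxsplit=1)[0] if cmd else ""


def looks_generated(name):
    """Crude check for machine-generated value names such as w74U38T:
    a short run of letters and digits containing at least one digit."""
    return (re.fullmatch(r"[A-Za-z0-9]{5,12}", name) is not None
            and any(c.isdigit() for c in name))


def triage_line(line):
    """Return the reasons a line deserves a second look; [] means nothing
    matched the heuristics (which is not the same as 'clean')."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        name, exe = m.group("name"), executable_of(m.group("cmd"))
        if m.group("key").lower() == "runservices":
            reasons.append("RunServices is a Win9x-era key; unusual on NT/2000")
        if "\\" not in exe and exe.lower() not in KNOWN_BARE:
            reasons.append(f"bare filename {exe!r} is resolved through PATH and is not in the allow-list")
        if looks_generated(name):
            reasons.append(f"value name {name!r} looks machine-generated")
        if name.lower() == "windows explorer" and exe.lower() != "explorer.exe":
            reasons.append(f"value name impersonates Windows Explorer but runs {exe!r}")
        return reasons
    m = O2_RE.match(line) or O3_RE.match(line)
    if m:
        if "(no file)" in m.group("path") or "(file missing)" in m.group("path"):
            reasons.append("registration points at a file that is not on disk")
        if not m.group("clsid").startswith("{"):
            reasons.append(f"malformed CLSID {m.group('clsid')!r}")
    return reasons


def triage(lines):
    """Map each flagged line to the list of reasons it was flagged."""
    flagged = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the sample, five of the eight lines come back flagged: both BHO/toolbar entries with missing files and the three O4 entries that run a bare filename, while mobsync.exe (allow-listed) and the fully-pathed vptray entry pass. The point of the allow-list is that "bare filename" alone is not a verdict; Windows components are registered that way too, so the list has to be built per machine.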
Hi!
Log looks much better.
One more thing to do - go to Add/Remove Programs and look for an entry for:
Twain-Tech
If it's present, uninstall it.
Reboot your computer into "safe" mode.
Search your entire computer for any instances of -
preinsmt.exe
(your profilepath)\start menu\programs\pc powerscan\uninstall pc powerscan.lnk
C:\Program Files\intrigue learning\unwise.exe
C:\Program Files\intrigue learning\unwise.ini
C:\Program Files\intrigue learning\update.exe
C:\Program Files\intrigue learning\updates_v2.inf
C:\WINNT\xgn.exe
C:\WINNT\system\mxtarget.dll
C:\WINNT\system\twaintec.dll (twaintech.dll)
C:\WINNT\system32\mxtarget.dll
C:\WINNT\system32\twaintec.dll
C:\WINNT\twaintec.dll
C:\WINNT\twaintec.ini
C:\WINNT\wsem218.dll
Delete any that you find.
If twaintech.dll is in use, then you would need to rename it, (something like twaintech.bad)
reboot the computer, and then delete it.
Clean out your temp files
Empty the recycle bin
Reboot and let's see how things look.
Good luck!
RF
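RF's steps above (safe mode, search for the listed files, rename anything that is in use, reboot, then delete) can be scripted. The following is an added example, not RF's tool and not part of the thread: it walks a root directory for the indicator list from the post, qualifies generic names such as unwise.exe and update.exe by their parent folder so an unrelated program's uninstaller is left alone, and, when a rename is refused, falls back to the Win32 delete-on-reboot mechanism (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which is what "rename it, reboot, then delete it" does by hand). The directory tree in the demo is constructed; the default mode is a dry run that only reports.

```python
"""Sweep a tree for the indicator files listed in the post above, rename
what is found, and handle the 'file in use' case.

Added example, not RF's own procedure or tool.  The indicator list is the
one from the post; the directory tree used by run_demo() is constructed.
Run with act=False (the default) first and read the report before letting
it rename anything on a real machine."""
import os
import sys
import tempfile

# (required parent directory or None, file name).  Generic names such as
# unwise.exe and update.exe only count as indicators inside the named folder.
INDICATORS = [
    (None, "preinsmt.exe"),
    ("pc powerscan", "uninstall pc powerscan.lnk"),
    ("intrigue learning", "unwise.exe"),
    ("intrigue learning", "unwise.ini"),
    ("intrigue learning", "update.exe"),
    ("intrigue learning", "updates_v2.inf"),
    (None, "xgn.exe"),
    (None, "mxtarget.dll"),
    (None, "twaintec.dll"),
    (None, "twaintech.dll"),
    (None, "twaintec.ini"),
    (None, "wsem218.dll"),
]


def find_indicators(root):
    """Walk root and return the full paths of files matching an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for fname in files:
            low = fname.lower()
            if any(low == want and (want_dir is None or parent == want_dir)
                   for want_dir, want in INDICATORS):
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def neutralise(path):
    """Rename the file to .bad so it cannot be loaded at next boot.  A mapped
    DLL can usually still be renamed on NTFS even though it cannot be deleted;
    if even the rename is refused, queue the file for deletion at reboot via
    MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT).  Returns (status, path)."""
    target = path + ".bad"
    try:
        os.rename(path, target)
        return ("renamed", target)
    except PermissionError:
        if sys.platform == "win32":
            import ctypes  # Win32 only; not reached by run_demo()
            MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
            ok = ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT)
            return ("delete-on-reboot" if ok else "failed", path)
        return ("in-use", path)


def sweep(root, act=False):
    """Report (and, if act=True, neutralise) every indicator under root."""
    return {hit: (neutralise(hit) if act else ("found", hit))
            for hit in find_indicators(root)}


def build_sample_tree(root):
    """Constructed layout mimicking the paths from the post, plus a decoy
    unwise.exe in an unrelated program folder that must NOT be touched."""
    layout = [
        ("WINNT", "system32", "twaintec.dll"),
        ("WINNT", "twaintec.ini"),
        ("Program Files", "intrigue learning", "unwise.exe"),
        ("Program Files", "Some Other App", "unwise.exe"),
        ("Program Files", "Some Other App", "readme.txt"),
    ]
    for parts in layout:
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"MZ")  # placeholder content, not a real executable
    return root


def run_demo():
    """Build the sample tree in a temp directory, sweep it with act=True and
    return (hits before as root-relative paths, files renamed, hits after)."""
    root = build_sample_tree(tempfile.mkdtemp())
    before = [os.path.relpath(h, root).replace(os.sep, "/") for h in find_indicators(root)]
    results = sweep(root, act=True)
    renamed = sum(1 for status, _ in results.values() if status == "renamed")
    after = [os.path.relpath(h, root).replace(os.sep, "/") for h in find_indicators(root)]
    return before, renamed, after


if __name__ == "__main__":
    print(run_demo())
```

On the constructed tree the sweep finds the three real indicators, renames all three and leaves the decoy unwise.exe in "Some Other App" untouched; a second pass finds nothing because the .bad names no longer match. On a live machine the same in-use file that RF says to rename would come back as "renamed" on the first pass, and only a sharing violation on the rename itself would drop through to the delete-on-reboot branch.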
ASKER
Logfile of HijackThis v1.98.2
Scan saved at 6:15:20 PM, on 10/03/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\WinDates\WinDates.exe
D:\Trash\HijackThis.exe
C:\Program Files\Trend Micro\Internet Security\TSC.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experts-exchange.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx
I could not find even ONE of the files in your last post, is this a problem?
Andrea
Hi!
Just remembered one other thing.
This line:
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
Here's some info on cfd.exe:
splintercell990 May 18, 2004 (splintercell990 is a malware expert active on several security forums)
http://forums.net-integration.net/index.ph...indpost&p=74369
"BroadJump program on your computer. It is not a true spyware program, but it may have been installed on your system when
you got cable Internet from your cable company. The software collects information on your Internet activity and sends it
to your ISP so that your ISP can serve you advertisements related to the type of sites you visit."
Cheers!
RF
ASKER
Hi RF,
I un-installed Broad Jump, thanks.
Andrea
1) Check this page: http://www.angelfire.com/un/midaddle/index.html
2) For Sandboxer, try Manual Removal at bottom of http://www.pestpatrol.com/PestInfo/s/sandboxer.asp
Regards,
Zyloch