Dankwsc

Posts posted by Dankwsc

  1. Insipid,

    -Here is my last Hijack this Log that I ran in safe mode:

    Logfile of HijackThis v1.99.1

    Scan saved at 8:49:18 PM, on 6/27/2005

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    C:\WINNT\System32\smss.exe

    C:\WINNT\system32\winlogon.exe

    C:\WINNT\system32\services.exe

    C:\WINNT\system32\lsass.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\System32\WBEM\WinMgmt.exe

    C:\WINNT\Explorer.EXE

    C:\Documents and Settings\Shane Dankworth\Desktop\HijackThis.exe

    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

    O4 - HKLM\..\Run: [xdkbyxru] c:\winnt\system32\xdkbyxru.exe

    O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe

    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1

    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h

    O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe

    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

    O17 - HKLM\System\CCS\Services\Tcpip\..\{F62805F4-8FB3-45C1-A275-87EBD4C1E533}: NameServer = 69.50.184.84,195.225.176.37

    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

    O23 - Service: Awlwsterkfp - Unknown owner - (no file)

    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

  2. I proceeded with your instructions despite not being able to use ewido even in safe mode. However, when I started to "fix all checked" in Hijack This (normal mode) I would get the following window and it would close the program down:

    The instruction at "0x100018a6" referenced memory at "0xeb01001b". The memory could not be "written".

    Very frustrated!!!

  3. Insipid,

    -I installed both cleanup and Ewido, however when I tried to update Ewido per your instructions, I could not since my internet isn't working. I guess we need to fix the internet problem before I can go any further with the instructions above. Please advise. Thanks!

  4. Thanks insipid for your reply. To answer your question, Dave38 on spywareinfo was in the process of helping me. The log that I listed was in fact done in safe mode as that is the only mode that I can truly operate on. When I try to run a hijack this log in the normal mode, Spy Sheriff and Ware out completely shut me down and won't let me finish running it (it freezes my computer and I am getting tons of popups). My internet will not work properly as a result of this too. That is why I am having to correspond with you from my office at work, so please be patient with me. Once you give me direction(s) I will usually have to go home at night and work on it, then I will email you back the next day with the result until we can get the internet up and running again. My computer is barely breathing, but I am confident that help is on the way!! Thanks again!

  5. Browser has been hijacked... not sure how, when, or why. I was receiving assistance with this till the forum I was on before is no longer working. Could someone please take over where we left off? Attached is my most recent HijackThis Log. Unfortunately, this nasty "thing" has rendered my internet useless, therefore I will be corresponding from another computer, so I appreciate your patience. Thanks in advance!

    Logfile of HijackThis v1.99.1

    Scan saved at 3:01:06 PM, on 6/13/2005

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    C:\WINNT\System32\smss.exe

    C:\WINNT\system32\csrss.exe

    C:\WINNT\system32\winlogon.exe

    C:\WINNT\system32\services.exe

    C:\WINNT\system32\lsass.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\System32\WBEM\WinMgmt.exe

    C:\WINNT\system32\userinit.exe

    C:\WINNT\Explorer.EXE

    C:\WINNT\system32\ctfmon.exe

    C:\Documents and Settings\Shane Dankworth\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\system32\msblank.html

    R3 - URLSearchHook: (no name) - {C6000CE3-6670-D005-3C35-F82D96F63836} - NsCplTray.dll (file missing)

    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll

    O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\vfxrc.dll

    O2 - BHO: Internet Explorer Hot Fix - {D849BA66-677C-421A-9916-FCFB5D6B9A75} - C:\WINNT\system32\itunb.dll

    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

    O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\vfxrc.dll

    O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

    O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe

    O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe

    O4 - HKLM\..\Run: [WindowsUpdate] C:\WINNT\System\svchost.exe /s

    O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\popcorn64.exe rundll.dll,LoadMouseProfile

    O4 - HKLM\..\Run: [abrek] PasswdMon.exe

    O4 - HKLM\..\Run: [MONITER] DTOURS.exe

    O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe

    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1

    O4 - HKCU\..\Run: [eB7mRPfsj] aamcom.exe

    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h

    O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe

    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

    O4 - HKCU\..\Run: [spySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

    O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"

    O4 - HKCU\..\Run: [setupExeDll] RtlFindVal.exe

    O4 - HKCU\..\Run: [keybdll] SysEntry.exe

    O4 - HKCU\..\Run: [xxtoolbar] 34763.exe

    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

    O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)

    O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)

    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

    O15 - Trusted Zone: *.skoobidoo.com

    O15 - Trusted Zone: *.slotchbar.com

    O15 - Trusted Zone: *.windupdates.com

    O15 - Trusted Zone: *.skoobidoo.com (HKLM)

    O15 - Trusted Zone: *.slotchbar.com (HKLM)

    O15 - Trusted Zone: *.windupdates.com (HKLM)

    O15 - Trusted IP range: 67.19.178.84

    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...e/bridge-c7.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{F62805F4-8FB3-45C1-A275-87EBD4C1E533}: NameServer = 69.50.184.84,195.225.176.37

    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

    O20 - Winlogon Notify: style2 - C:\WINNT\q20924938_disk.dll

    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

    O23 - Service: Awlwsterkfp - Unknown owner - (no file)

    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS