Dankwsc Posted September 27, 2005

Before my computer froze, I noticed that my homepage would default to a Winn/32 file, and then I got large text on my desktop saying that my computer may be infected... Now my computer freezes when I reboot, and it even froze in safe mode when I went to run a "Hijack This Log". How do I run a log if I cannot do anything in safe mode... Please help!! Thanks in advance!
Dankwsc Posted September 28, 2005

Fortunately I was able to get a log file. Please help!

Logfile of HijackThis v1.99.1
Scan saved at 7:43:37 AM, on 9/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\csvun.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUMENTS AND SETTINGS\SHANE DANKWORTH\DESKTOP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\system32\msblank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SHANED~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6CFE85D3-C654-2F79-FA77-6D16801545BB} - C:\WINNT\system32\Z59JFLk0.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\dkslz.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [RunDLL] C:\WINNT\system32\rund11.exe
O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe
O4 - HKLM\..\Run: [icasServ] C:\WINNT\system32\icasServ.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [dmehk.exe] C:\WINNT\system32\dmehk.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [aupd] C:\WINNT\system32\sysvcs.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F62805F4-8FB3-45C1-A275-87EBD4C1E533}: NameServer = 85.255.113.123,85.255.112.14
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O21 - SSODL: qCmQLSyh - {6CFE85CD-C654-2F67-40F3-5C2A801545B8} - C:\WINNT\system32\mmrd.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\system32\dcom_9.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
Dan Posted September 28, 2005

Hi,

Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a multi-step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here.
Save all of these files somewhere you will remember, like the Desktop.
Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix).
Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click "OK" at the prompt with instructions.
Click "Update" and then "Check For Update" to begin the update process.
If any updates exist, please download them by clicking "Download Update", then click the X to close that window.
Now close About:Buster.

Update CWShredder
Open CWShredder and click I AGREE.
Click Check For Update.
Close CWShredder.

Boot into Safe Mode:
Restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shut down explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it, as I may need a copy of it later.

Reboot your computer into safe mode again.
Run about:buster again following the same instructions as above, this time without the restart at the end.

Now run CWShredder. Click I Agree, then Fix and then Next; let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.

Reboot your computer into normal Windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

After all that, please post back with how things went, as well as the logs requested and a new HijackThis log.

dk
Dankwsc Posted September 29, 2005

dknoppix,
Thanks for the instructions... Unfortunately I cannot seem to run any of the programs that you had me download, except for CWShredder. Even when I'm working in safe mode my computer freezes and I cannot complete your instructions... Very frustrated... Please advise... Thanks!
Dan Posted September 30, 2005

Hi,

Let's see if you can get into Safe Mode again.

When in there, press Ctrl-Alt-Delete to get into the Task Manager. Click the Processes tab. Find the following process, click it, and select "End Process":

csvun.exe

Now, open HijackThis, click the Scan button, and check the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\system32\msblank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SHANED~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
O2 - BHO: (no name) - {6CFE85D3-C654-2F79-FA77-6D16801545BB} - C:\WINNT\system32\Z59JFLk0.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\dkslz.dll
O4 - HKLM\..\Run: [RunDLL] C:\WINNT\system32\rund11.exe
O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe
O4 - HKLM\..\Run: [icasServ] C:\WINNT\system32\icasServ.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [dmehk.exe] C:\WINNT\system32\dmehk.exe
O4 - HKCU\..\Run: [aupd] C:\WINNT\system32\sysvcs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F62805F4-8FB3-45C1-A275-87EBD4C1E533}: NameServer = 85.255.113.123,85.255.112.14
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O21 - SSODL: qCmQLSyh - {6CFE85CD-C654-2F67-40F3-5C2A801545B8} - C:\WINNT\system32\mmrd.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\system32\dcom_9.dll

Close all windows except HijackThis, and click the Fix Checked button.

Locate the following files and delete them:

C:\WINNT\system32\rund11.exe
C:\WINNT\system32\perfcl.exe
C:\WINNT\system32\icasServ.exe
C:\WINNT\system32\popcorn72.exe
C:\WINNT\system32\dmehk.exe
C:\WINNT\system32\sysvcs.exe
C:\WINNT\system32\mmrd.dll
C:\WINNT\system32\dcom_9.dll

Now, please RIGHT-CLICK HERE to download Silent Runners.
Save it to the desktop.
Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
You will receive a prompt: Do you want to skip supplementary searches? Click NO.
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!).
Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here in your next post.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Finally, run HijackThis and post a new log, as well as your SilentRunners log.

dk
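A defender-side triage pass over log lines in the shape of the HijackThis output quoted in this thread, added here as an example (it is not a tool from this thread, nor part of HijackThis). It flags the same classes of entry the fix list above targets: O17 NameServer overrides pointing at resolvers nobody configured, unnamed O2 BHOs and O21 SSODL DLLs loading from system32, and O4 autostarts in system32 that are not in a baseline or whose file name imitates a Windows binary with digit-for-letter lookalikes (rund11 for rundll). The resolver allowlist and the two system32 baselines are constructed assumptions, and the sample log is a constructed subset of the log posted above.

```python
"""Triage helper for HijackThis-style log lines (added example, not from this thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed baselines (assumptions, not values from the thread): a real
# deployment would take these from the site's DNS configuration and from a
# golden image of the Windows 2000 system directory.
ALLOWED_NAMESERVERS = {"192.168.1.1", "10.0.0.53"}
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe", "mobsync.exe"}
KNOWN_SSODL_DLLS = {"stobject.dll"}  # the systray shell service object
HOMOGLYPH_TARGETS = {"rundll", "svchost", "lsass", "winlogon"}  # names malware imitates

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
SYSTEM32_RE = re.compile(r'\\system32\\([^\\\s"]+\.(?:exe|dll))', re.IGNORECASE)

# Constructed sample in the shape of the HijackThis v1.99.1 log posted above
# (a subset of its lines plus one clean O17 entry for contrast).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6CFE85D3-C654-2F79-FA77-6D16801545BB} - C:\WINNT\system32\Z59JFLk0.dll
O4 - HKLM\..\Run: [RunDLL] C:\WINNT\system32\rund11.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [aupd] C:\WINNT\system32\sysvcs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F62805F4-8FB3-45C1-A275-87EBD4C1E533}: NameServer = 85.255.113.123,85.255.112.14
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 192.168.1.1
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\system32\dcom_9.dll
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def normalize_stem(filename: str) -> str:
    """Lowercase the file stem and undo the usual digit-for-letter lookalikes."""
    stem = filename.lower().rsplit(".", 1)[0]
    return stem.replace("1", "l").replace("0", "o")


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if the line passes."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    sys32 = SYSTEM32_RE.search(body)
    fname = sys32.group(1) if sys32 else None

    if section == "O17":
        # Per-adapter NameServer overrides: a resolver outside the allowlist
        # means the box resolves every name through a server the admin never set.
        servers = [s.strip() for s in body.split("NameServer =")[-1].split(",")]
        bad = [s for s in servers if s and s not in ALLOWED_NAMESERVERS]
        if bad:
            return Finding(section, "unexpected DNS resolver(s): " + ", ".join(bad), line)
    elif section == "O2" and fname and "(no name)" in body:
        # A browser helper object with no display name, loaded from system32,
        # runs inside every IE/Explorer process with nothing to identify it.
        return Finding(section, f"unnamed BHO in system32: {fname}", line)
    elif section == "O21" and fname and fname.lower() not in KNOWN_SSODL_DLLS:
        # ShellServiceObjectDelayLoad DLLs are loaded by Explorer at every logon.
        return Finding(section, f"non-baseline SSODL DLL in system32: {fname}", line)
    elif section == "O4" and fname and fname.lower() not in KNOWN_SYSTEM32_AUTOSTARTS:
        stem = normalize_stem(fname)
        if stem in HOMOGLYPH_TARGETS:
            return Finding(section, f"{fname} imitates a Windows binary name ({stem})", line)
        return Finding(section, f"non-baseline autostart in system32: {fname}", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over a whole log and keep only the hits."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section}: {finding.reason}")
```

Entries such as the Spybot SDHelper BHO, which also reports "(no name)" but lives under Program Files, pass, so the system32 path is doing the work here rather than the missing name alone.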
Dankwsc Posted September 30, 2005

dknoppix,
Thanks... will do! I won't be able to post the results until tonight or tomorrow, as I have to download all the programs from another computer till we can get safe mode fixed. Thanks for your patience!
Dankwsc Posted October 1, 2005

dknoppix,
I tried to delete "csvun.exe" in Task Manager as you instructed... unfortunately, it said: process could not be completed... access denied... nothing seems to be working... please advise... thanks!
Dan Posted October 2, 2005

Ok, let's try it this way.

Boot into Safe Mode, and click Start --> Run. Type "cmd" and press Enter.

In the command prompt, type: taskkill /f /im csvun.exe

Now locate "C:\WINNT\system32\csvun.exe" and rename it csvun.old.

Now do the instructions in the fix in my previous post.

Good luck,
dk
Dankwsc Posted October 2, 2005

dknoppix,
I did as you instructed; however, when I clicked Start and typed "cmd" into the Run box it froze... I then tried to enter your instructions in the "cmd" through "Safe Mode with Command Prompt"... it then said that "taskkill" is not recognized as an internal or external command, operable program or batch file... are there any other ways to access it?
Dan Posted October 3, 2005

Ok... let's try this:

Download http://www.atribune.org/downloads/csvun.zip, and unzip it to your desktop using WinZip or a similar program (if you don't have WinZip, just unzip them on another computer and copy the files over).

After you have unzipped them, run csvun.bat.

Now, please RIGHT-CLICK HERE to download Silent Runners.
Save it to the desktop.
Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
You will receive a prompt: Do you want to skip supplementary searches? Click NO.
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!).
Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here in your next post.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

dk
Dankwsc Posted October 4, 2005

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AIM" = "C:\PROGRA~1\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"ares" = ""C:\Program Files\Ares Lite Edition\Ares.exe" -h" [file not found]
"NCLaunch" = "C:\WINNT\NCLAUNCH.EXe" ["Northcode Inc."]
"ctfmon.exe" = "ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" ["BroadJump, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"PerformCl" = "C:\WINNT\system32\perfcl.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{D3796116-94D3-4009-96D7-51578411CC7D}" = "Outpost Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll" [file not found]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{6AC3806F-8B39-4746-9C38-6B01CB7331FF}" = "Memory monitor"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\q20924938_disk.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csvun.exe" [file not found]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINNT\Firefox Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINNT\system32\ss3dfo.scr" [MS]


Startup items in "Shane Dankworth" & "All Users" startup folders:
-----------------------------------------------------------------

C:\Documents and Settings\Shane Dankworth\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\dkslz.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{40D41A8B-D79B-43D7-99A7-9EE0F344C385}" = "AIM Search" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\AIMBar.dll" [file not found]
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\dkslz.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{4982D40A-C53B-4615-B15B-B5B5E98D167C}" = "AOL Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL Toolbar\toolbar.dll" [file not found]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{AF6CABAB-61F9-4F12-A198-B7D41EF1CB52}\
"ButtonText" = "WeatherBug"
"CLSIDExtension" = "{AF6CABAB-61F9-4f12-A198-B7D41EF1CB52}"
"Exec" = "C:\Program Files\AWS\WeatherBug\Weather.exe" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\PROGRA~1\AIM\aim.exe" ["America Online, Inc."]
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[strings]: START_PAGE_URL=http://www.aol.com

Missing lines (compared with English-language version):
[strings]: 1 line


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

Adobe LM Service, Adobe LM Service, ""C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"" [null data]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Logical Disk Manager Administrative Service, dmadmin, "C:\WINNT\System32\dmadmin.exe /com" ["VERITAS Software Corp."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Network DDE DSDM, NetDDEdsdm, "C:\WINNT\system32\netdde.exe" [MS]
Office Source Engine, ose, "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 665 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 454 seconds.
---------- (total run time: 1483 seconds)

Finally, I was able to get this posted... I hope this helps! Please advise. Thanks!
Dan Posted October 4, 2005

Hi,

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\system32\msblank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SHANED~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {6CFE85D3-C654-2F79-FA77-6D16801545BB} - C:\WINNT\system32\Z59JFLk0.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\dkslz.dll
O4 - HKLM\..\Run: [RunDLL] C:\WINNT\system32\rund11.exe
O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [dmehk.exe] C:\WINNT\system32\dmehk.exe
O4 - HKCU\..\Run: [aupd] C:\WINNT\system32\sysvcs.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{F62805F4-8FB3-45C1-A275-87EBD4C1E533}: NameServer = 85.255.113.123,85.255.112.14
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O21 - SSODL: qCmQLSyh - {6CFE85CD-C654-2F67-40F3-5C2A801545B8} - C:\WINNT\system32\mmrd.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\system32\dcom_9.dll

Click Fix Checked. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

dk
Dankwsc Posted October 4, 2005

dk,
Here is the fixwareout report:

Check for missing files.....
C:\WINNT\system32\AUTOEXEC.NT not there.....
End check for missing files.....

VXD Check
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,41,6c,77,69,6c,\
  20,53,6f,66,74,77,61,72,65,5c,41,76,61,73,74,34,5c,61,73,77,4d,6f,6e,56,64,\
  2e,64,6c,6c,00,00

..... End vxd check.....
please post this at the forum

Due to the fact that my computer freezes when I do more than one task at a time, I will post the new HijackThis log shortly. Please note that when I ran FixWareout it automatically posted my log after I clicked Finish, without asking me to reboot.
Dankwsc Posted October 4, 2005

dk,
Below is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:15:38 PM, on 10/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Shane Dankworth\Desktop\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
Dan Posted October 5, 2005

Hmm...

Download this: http://homepage.ntlworld.com/spencer.greystrong/W2kFiles.exe and run it.

Now run fixwareout again, and post a new HijackThis log.

dk
Dankwsc (Author) Posted October 5, 2005

dk,

downloaded W2kfiles.exe... not sure it worked though, since this "thing" keeps blocking everything we try (it says it is installed, but doesn't seem to do anything)... after doing that though I ran fixwareout again and this time it said:

download Brute Force Uninstaller at www.merijn.com

should I do this? Please advise
Dan Posted October 6, 2005 (edited)

Try fixwareout in normal mode. This may be the problem.

If you can't get into normal mode, download BFU.zip from http://dknoppix.com/downloads.php?dl=bfu, and unzip it into "C:\fixwareout".

Then try.

dk

Edited October 6, 2005 by dknoppix
Dankwsc (Author) Posted October 7, 2005

dk,

I cannot run anything in normal mode... as the desktop icons do not even come up on the screen and it freezes as soon as the actual desktop appears... I tried to follow your instructions in safe mode by running BFU then fixwareout, but as usual it only lets me start to run BFU, then it freezes and I can't even try to run fixwareout... very frustrating... are we running out of options???
didom Posted October 7, 2005

Please download bfu.zip (no need to unzip it!!!) and copy it to this folder: C:\fixwareout\SUB

Then try to run the wareoutfix again!
Dankwsc (Author) Posted October 9, 2005

I am able to download BFU to the desktop, but every time I try to save to the C drive it freezes. Every time I run fixwareout it says it is downloading BFU.
didom Posted October 9, 2005 (edited)

So it's on your desktop now? If it's not, please download it to your desktop!

Restart the computer.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the (Safe Mode with) Command Prompt menu item.
Press the Enter key.

Probably you will see this: C:\DOCUMENTS AND SETTINGS\SHANE DANKWORTH

If not, type: CD DOCUMENTS AND SETTINGS then hit enter, and type: CD SHANE DANKWORTH and hit enter again.
Now you'll be in C:\DOCUMENTS AND SETTINGS\SHANE DANKWORTH

Type: CD DESKTOP and hit enter.
Type: COPY bfu.zip C:\fixwareout\SUB and hit enter.

Then you can exit the command prompt by typing: EXIT

Then try the wareoutfix again!

Edited October 9, 2005 by didom
Dankwsc (Author) Posted October 9, 2005

It worked!!!! Here is the hijack log after fixwareout ran... Please advise.

Logfile of HijackThis v1.99.1
Scan saved at 6:56:01 PM, on 10/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\fixwareout\SUB\BFU.exe
C:\hijackthis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
didom Posted October 10, 2005

Scan again with HijackThis and check the following items:

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Then reboot your computer and post a fresh HJT log!

-----------------------------

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Did you install WeatherBug yourself?

Are you able to run your computer in normal mode again?
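The helpers in this thread triage the HijackThis logs by eye, picking out entries whose target file is gone ("(file missing)"), services with an "Unknown owner", and items that live only under HKCU. The script below is an added example written for this page, not a tool from the thread or from HijackThis itself: it parses lines in the log format shown above and attaches those same review reasons to each entry. The sample log is constructed from entries of the kind the posted logs contain, and the reason labels are this example's own naming.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: a handful of entries in the HijackThis line format
# seen in this thread's logs (not a complete log from the thread).
SAMPLE_LOG = r"""
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str                 # HijackThis section code, e.g. "O4", "O23"
    text: str                    # the entry body exactly as logged
    reasons: List[str] = field(default_factory=list)   # why a reviewer should look at it


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs; header and process lines do not match and are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text: str) -> List[Finding]:
    """Attach the review reasons the thread's helpers apply by hand to each entry."""
    findings = []
    for section, body in parse_entries(log_text):
        f = Finding(section, body)
        # An autostart, toolbar or service that points at a file no longer on disk
        # is dead weight at best and a leftover of removed software at worst.
        if "(file missing)" in body:
            f.reasons.append("file missing")
        # O23 services whose binary carries no recognised publisher.
        if section == "O23" and "Unknown owner" in body:
            f.reasons.append("unknown owner")
        # Per-user items: set without administrator rights, so worth a second look.
        if body.endswith("(HKCU)") or body.startswith("HKCU\\"):
            f.reasons.append("HKCU scope")
        # O14 overrides the page IE returns to on "reset"; confirm the user chose it.
        if section == "O14":
            f.reasons.append("IE reset page overridden")
        findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count how many entries carry each reason."""
    counts: Dict[str, int] = {}
    for f in findings:
        for r in f.reasons:
            counts[r] = counts.get(r, 0) + 1
    return counts


def report(findings: List[Finding]) -> str:
    """One line per flagged entry, in log order, for pasting back into a reply."""
    lines = []
    for f in findings:
        if f.reasons:
            lines.append(f"{f.section} [{', '.join(f.reasons)}] {f.text}")
    return "\n".join(lines)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    print(report(results))
    print(summarize(results))
```

Only the flagged entries are printed, in log order, so the output can be pasted straight into a reply as a checklist. The reasons are prompts for a human reviewer, not verdicts: on the sample, two of the "(file missing)" hits are stale references to removed or relocated software (the AOL toolbar DLL and the avast! mail scanner service) rather than anything malicious, which is exactly the distinction the thread's helpers make before asking for a "Fix checked".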
Dankwsc (Author) Posted October 10, 2005

no I did not install Weather Bug, and I would hopefully like to remove all traces of AOL as well... Unfortunately I still cannot run in normal mode as the desktop icons still do not come up, and it still freezes immediately... even in safe mode, it seems to have defaulted back to what it was doing before we fixed with fixwareout yesterday... here is the fresh hijack this log.... thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:51:02 AM, on 10/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Shane Dankworth\Desktop\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares Lite Edition\Ares.exe" -h
O4 - HKCU\..\Run: [NCLaunch] C:\WINNT\NCLAUNCH.EXe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
didom Posted October 10, 2005

Step #1
Scan again with HijackThis and check the following items:

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #2
We need to make sure all hidden files are showing, so please:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Step #3
Reboot Your System in Safe Mode:
Restart the computer.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Step #4
Find and delete these files and folders (if they are still there):
C:\Program Files\AWS <= this folder

Step #5
Restart the computer.
As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
Use the arrow keys to select the (Safe Mode with) Command Prompt menu item.
Press the Enter key.

Step #6
At the prompt type sfc /scannow
Please note that there is a single space between sfc and /scannow.
Typing this will start the program, and a box should appear telling you how much longer the process should take.

Sometimes the scan will prompt you for your Windows XP disc upon starting the scan. If this happens please make sure that you can view protected files:
My Computer
Tools
Folder Options
View
"Uncheck" Hide protected operating system files.
Then rerun the scan.

If this still asks you to put in your Windows XP CD, and you do not have the CD (if you bought it preinstalled) post back for more tips, otherwise enter the Windows CD.

Once the scan is complete:
Check your Windows Updates! After using the File Protection Service, you might need to reapply some updates.

Please reboot, and let me know if anything has changed.

Also, please rehide the protected files:
My Computer
Tools
Folder Options
View
"Check" Hide protected operating system files.