ibjammin21 Posted December 13, 2005

Hello, I'm running Windows XP w/SP2. I keep getting a recurring virus pop-up called new poly win32. My security can't seem to delete it. I have McAfee and PC Surgeon Spyware Removal and Registry Mechanic. Here is a copy of my HJT log. Thank you for your time.

Logfile of HijackThis v1.99.1
Scan saved at 9:28:13 PM, on 12/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Voyetra Turtle Beach\tbaspi.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\links.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\The Man\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://linkschain.net/fr/?id=us24
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: C:\WINDOWS\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\adsldpbe.dll
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - C:\WINDOWS\adsldpbd.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {C7CF1142-0785-4B12-A280-B64681E4D45E} - C:\WINDOWS\prflbmsgp32.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [links] links.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Adobe\Photoshop5\Calibrat\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08b7359114491f...ip/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp...23/cpbrkpie.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} (CheckControl Class) - http://content-loader.com/load/ccaccess.cab
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: tbaspi - Unknown owner - C:\Program Files\Voyetra Turtle Beach\tbaspi.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\VOYETR~1\x10nets.exe
Matt Posted December 14, 2005

Hi gilgamesh! Welcome to Besttechie! I will be assisting you in cleaning up your computer.

Please print out all directions given throughout this process so that you can follow them if/when you do not have access to the page.

Please download CWShredder Here to its own folder.

Update CWShredder:
Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal Windows.

In HiJackThis, please place a check next to the following items (if present) and click FIX CHECKED:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: C:\WINDOWS\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\adsldpbe.dll
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - C:\WINDOWS\adsldpbd.dll
O2 - BHO: (no name) - {C7CF1142-0785-4B12-A280-B64681E4D45E} - C:\WINDOWS\prflbmsgp32.dll
O4 - HKLM\..\Run: [links] links.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08b7359114491f...ip/RdxIE601.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} (CheckControl Class) - http://content-loader.com/load/ccaccess.cab
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll

Boot into safe mode again.

Next, find and delete the following files, if present:
C:\WINDOWS\adsldpbe.dll
C:\WINDOWS\adsldpb.dll
C:\WINDOWS\prflbmsgp32.dll
C:\WINDOWS\system32\links.exe
C:\WINDOWS\system32\st3.dll

Reboot your computer normally, and post a new HJT log.

Matt
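The entries Matt singles out share a few traits a defender can check mechanically: a BHO with no file or no friendly name, a DLL dropped straight into C:\WINDOWS, a Run value that names a bare executable, a Trusted Zone entry, and a Winlogon Notify package outside the stock set. As an added example (not code from the thread, HijackThis or CWShredder), this Python script parses those HJT line types and flags them; the Notify baseline, the DPF host allow-list and the sample lines are constructed for the example, and "review" findings still need a human look.

```python
"""Triage helper for HijackThis (HJT) log lines - added example, not HJT code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: entry shapes copied from the first log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: C:\WINDOWS\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - C:\WINDOWS\adsldpbe.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [links] links.exe
O15 - Trusted Zone: *.coolwebsearch.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} (CheckControl Class) - http://content-loader.com/load/ccaccess.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll
"""

WINDOWS_DIR = r"c:\windows"
SYSTEM32_DIR = r"c:\windows\system32"
# Assumed stock Windows XP Winlogon Notify packages (constructed baseline).
NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Hosts allowed to serve ActiveX (DPF) controls; constructed, tune per environment.
DPF_ALLOW_SUFFIXES = (".microsoft.com",)

LINE_RE = re.compile(r"^(?P<code>O\d+|R[0-3]) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
TZ_RE = re.compile(r"^Trusted Zone: (?P<host>\S+)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" (act on it) or "review" (needs a human look)
    section: str   # HJT section code, e.g. "O2"
    ident: str     # CLSID, Run key, host or Notify key the finding is about
    reason: str


def _parent_dir(path: str) -> str:
    """Directory part of a Windows path, lower-cased for comparison."""
    return path.lower().rpartition("\\")[0]


def _executable(cmd: str) -> str:
    """First token of a Run value: the quoted path, or the text before the first space."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def _check_bho(m: re.Match) -> Finding | None:
    name, clsid, path = m["name"], m["clsid"], m["path"]
    if path == "(no file)":
        return Finding("high", "O2", clsid, "orphaned BHO registration: no file on disk")
    if name == path:
        return Finding("high", "O2", clsid, "BHO has no friendly name, only its own path")
    if _parent_dir(path) == WINDOWS_DIR:
        return Finding("high", "O2", clsid, "BHO DLL dropped directly into the Windows directory")
    return None


def _check_run(m: re.Match) -> Finding | None:
    exe = _executable(m["cmd"])
    if "\\" not in exe:  # bare name: resolved through the search path at logon
        return Finding("review", "O4", m["key"], f"Run value '{exe}' carries no path")
    return None


def _check_tz(m: re.Match) -> Finding | None:
    return Finding("high", "O15", m["host"], "domain placed in the IE Trusted Zone (relaxed security settings)")


def _check_dpf(m: re.Match) -> Finding | None:
    host = (urlsplit(m["url"]).hostname or "").lower()
    if not host.endswith(DPF_ALLOW_SUFFIXES):
        return Finding("review", "O16", m["clsid"], f"ActiveX control downloaded from unlisted host {host}")
    return None


def _check_notify(m: re.Match) -> Finding | None:
    key, path = m["key"], m["path"]
    if _parent_dir(path) != SYSTEM32_DIR:  # Notify DLLs load inside winlogon.exe
        return Finding("high", "O20", key, "Winlogon Notify DLL outside System32")
    if key.lower() not in NOTIFY_BASELINE:
        return Finding("review", "O20", key, "Winlogon Notify package not in the stock XP set")
    return None


CHECKS = {"O2": (BHO_RE, _check_bho), "O4": (RUN_RE, _check_run), "O15": (TZ_RE, _check_tz),
          "O16": (DPF_RE, _check_dpf), "O20": (NOTIFY_RE, _check_notify)}


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per flagged O2/O4/O15/O16/O20 line; other lines are skipped."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["code"] not in CHECKS:
            continue  # process list, R0/R1, O3, O9, O23 ... are not handled here
        body_re, check = CHECKS[m["code"]]
        bm = body_re.match(m["body"])
        if bm is None:
            continue  # e.g. "O4 - Global Startup:" lines do not use the Run form
        finding = check(bm)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section} {f.ident}: {f.reason}")
```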
ibjammin21 (Author) Posted December 14, 2005

Thank you for your help, Matt. I did everything as requested with the exception of one thing. When I tried to delete the C:\WINDOWS\system32\st3.dll file it denied me access because either the disk was full or the file was write protected. I went into the properties and the parent file had given permission to read, write and execute the file to a third party address that I had no idea where it came from. I changed the settings to deny permission, but still, I can't delete the file. Here is my most current HJT file.

Logfile of HijackThis v1.99.1
Scan saved at 1:05:44 AM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Voyetra Turtle Beach\tbaspi.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\The Man\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://linkschain.net/fr/?id=us24
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: C:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - C:\WINDOWS\adsldpbd.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Adobe\Photoshop5\Calibrat\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp...23/cpbrkpie.cab
O20 - Winlogon Notify: gs - C:\WINDOWS\adsldpbd.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: tbaspi - Unknown owner - C:\Program Files\Voyetra Turtle Beach\tbaspi.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\VOYETR~1\x10nets.exe
Matt Posted December 14, 2005

Welcome back!

Download win32delfkil.exe. Save it on your desktop. Do not run it yet.

RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
RIGHT-CLICK DelDomains.inf and select: Install

Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.

Post the contents of the logfile c:\windelf.txt, along with a new HijackThis log.

Matt
ibjammin21 (Author) Posted December 15, 2005

Here is the log file for win32delfkil:

A Logfile is saved in c:\windelf.txt
If the tool doesn't work, there will be probably a new clsid under Sharedtaskscheduler and / or a new notify key.

BHO's which are being deleted:
----------------------------
{B212D577-05B7-4963-911E-4A8588160DFA}
{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
{0976BE78-EA53-4DD6-91E6-E6175940032B}
{405132A4-5DD1-4BA8-A181-95C8D435093A}
{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}
{7A7E6D97-B492-4884-9ABB-C31281DCC4F2}
{16875E09-927B-4494-82BD-158A1CD46BA0}
{C7CF1142-0785-4B12-A280-B64681E4D45E}
{8D82BB89-B58C-4F21-9C5D-377F65947806}
{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}
{826B2228-BC09-49F2-B5F8-42CE26B1B711}
{826B2228-BC09-49F2-B5F8-42CE26B1B712}
{C0E5FF11-4AE0-4699-A6A7-2FB7118F2081}
{FCADDC14-BD46-408A-9842-111111111111}
{E412F14A-E998-4543-9E7A-1031A3189A87}
{D8569837-3CD6-4AD7-9A77-65975B581925}
{08DF42F3-792D-4944-941B-512582B87219}
{11111111-2222-408A-9842-CDBE1C6D37EB}
{DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB}
{7507739F-BC2E-4DC3-B233-816783C25DC9}

Notify keys which are being deleted:
------------------------------------
style2
Style32
st3
st3i
gg
gggg
ggggg
gs

Sharedtaskscheduler keys which are being deleted:
-------------------------------------------------
{B212D577-05B7-4963-911E-4A8588160DFA}
{6AC3806F-8B39-4746-9C38-6B01CB7331FF}
{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}
{7A7E6D97-B492-4884-9ABB-C31281DCC4F2}
{16875E09-927B-4494-82BD-158A1CD46BA0}
{C7CF1142-0785-4B12-A280-B64681E4D45E}
{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}
{DA223E41-3F7F-4B2B-8CC8-22C6A1197EEB}

Run keys which are being deleted:
---------------------------------
ClearCookies

Files which are being deleted:
------------------------------
windows\q*_disk.dll (or WINNT\q*_disk.dll)
windows\adsldpbc.dll (or WINNT\adsldpbc.dll)
windows\adsldpbd.dll (or WINNT\adsldpbd.dll)
windows\adsldpbe.dll (or WINNT\adsldpbe.dll)
windows\slassac.dll (or WINNT\slassac.dll)
windows\cc.exe (or winnt\cc.exe)
windows\mpatrol.dll (or WINNT\mpatrol.dll)
windows\netdde.dll (or WINNT\netdde.dll)
system32\winstyle2.dll
system32\winstyle3.dll
system32\winstyle32.dll
system32\prflbmsgp32.dll
system32\st3.dll

---------------
Version History
---------------
Version: 1.0
Version: 1.1
Fix for windows 2000 if shutdown.exe is not present.
Version: 1.2
new bho and Sharedtaskscheduler key added: clsid {FCADDC14-BD46-408A-9842-CDBE1C6D37EB}
Version 1.3
new bho and Sharedtaskscheduler key added: clsid {7A7E6D97-B492-4884-9ABB-C31281DCC4F2}
version 1.4
new bho and Sharedtaskscheduler key added: clsid {16875E09-927B-4494-82BD-158A1CD46BA0}
Version: 2.0
Logfile added: After running the tool you can find logfile in c:\windelf.txt)
Fixed the automatically reboot for windows 2000.
Version: 2.1
new bho and Sharedtaskscheduler key added: clsid {C7CF1142-0785-4B12-A280-B64681E4D45E}
Version: 2.11
new bho added: clsid {8D82BB89-B58C-4F21-9C5D-377F65947806}
Version: 2.2
new bho and Sharedtaskscheduler key added: clsid {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}
new key under notify: st3
Version: 2.21
new key under notify: st3i
Version: 2.30
new keys under notify: gg and gggg
new bho's: {826B2228-BC09-49F2-B5F8-42CE26B1B717} and {826B2228-BC09-49F2-B5F8-42CE26B1B712}
If the notifykey gg is present you need to reboot manually, by turning the power off and then back on.
Version: 2.31
new key under notify: ggggg
new bho: clsid {C0E5FF11-4AE0-4699-A6A7-2FB7118F2081}
Version: 2.32
new key under notify: gs
version: 2.33
run key added: ClearCookies
new file: C:\WINDOWS\cc.exe
added a few older CLSID's (thanks to Ton)
version: 2.34
new files: adsldpbe.dll
new bho: {7507739F-BC2E-4DC3-B233-816783C25DC9}
version: 2.35
new random files in windows directory: g*.dll
version: 2.36
run key added: AlexaToolbar
new file: c:\windows\alt.exe

Here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:31:04 PM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Voyetra Turtle Beach\tbaspi.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\The Man\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://linkschain.net/fr/?id=us24
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [links] links.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Adobe\Photoshop5\Calibrat\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp...23/cpbrkpie.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: tbaspi - Unknown owner - C:\Program Files\Voyetra Turtle Beach\tbaspi.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\VOYETR~1\x10nets.exe
Matt Posted December 15, 2005
Welcome back! Please copy these directions into a text file so that you can copy and paste from them later.

Scan with HJT, and place a check next to the following items:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://linkschain.net/fr/?id=us24
O4 - HKLM\..\Run: [links] links.exe
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp...23/cpbrkpie.cab
Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.

1) Please download the Killbox. Unzip it to the desktop but do NOT run it yet.
2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
3) Once in Safe Mode, please run Killbox.
4) Select "Delete on Reboot".
5) Open the text file with these instructions in it, and copy the file name below to the clipboard by highlighting it and pressing Control-C:
C:\WINDOWS\system32\links.exe
6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot. Finally, rescan with HJT, and post a new log.
ibjammin21 (Author) Posted December 16, 2005
Well, I've done all you have said with no hang-ups. Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:41:33 PM, on 12/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Voyetra Turtle Beach\tbaspi.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\The Man\My Documents\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://linkschain.net/fr/?id=us24
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Adobe\Photoshop5\Calibrat\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: tbaspi - Unknown owner - C:\Program Files\Voyetra Turtle Beach\tbaspi.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\VOYETR~1\x10nets.exe
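The check a helper would run on the two logs in this thread, as an added example that is not code from HijackThis, Killbox or either poster: it parses HJT entries ("<section> - <body>", e.g. "O4 - HKLM\..\Run: [links] links.exe"), tests the three entries from Matt's fix list against a constructed excerpt of the follow-up log, and diffs the before/after entry sets so that whatever vanished, stayed or newly appeared is listed explicitly rather than eyeballed. The two log excerpts are constructed from lines posted above (the "before" excerpt is the fix list plus two benign lines); the section regex and the normalization are my assumptions about the log format, not anything HijackThis documents.

```python
"""Check a HijackThis fix list against a follow-up log (added example)."""
import re

# The three entries Matt asked to have fixed, copied from his reply.
FIX_LIST = [
    r"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://linkschain.net/fr/?id=us24",
    r"O4 - HKLM\..\Run: [links] links.exe",
    r"O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp...23/cpbrkpie.cab",
]

# Constructed "before" excerpt: the fix-list entries plus a header and two benign lines.
LOG_BEFORE = "\n".join([
    "Logfile of HijackThis v1.99.1",
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/",
    *FIX_LIST,
    r"O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll",
])

# Constructed "after" excerpt in the style of the follow-up log posted above:
# the O4 and O16 entries are gone, the ShellNext entry is still listed.
LOG_AFTER = "\n".join([
    "Logfile of HijackThis v1.99.1",
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/",
    r"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://linkschain.net/fr/?id=us24",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll",
])

# Assumed entry shape: section code (R0, O2, O16, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def normalize(entry: str) -> str:
    """Collapse whitespace and case so cosmetic differences between two
    pasted logs (extra spaces, case of a path) do not hide a match."""
    return " ".join(entry.split()).lower()


def parse_hjt(text: str) -> dict[str, list[str]]:
    """Group the entries of an HJT log by section. The header lines and the
    running-process list are not entries and are skipped."""
    sections: dict[str, list[str]] = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            sections.setdefault(m["section"], []).append(normalize(raw))
    return sections


def entry_present(entry: str, sections: dict[str, list[str]]) -> bool:
    """True if the exact (normalized) entry is listed under its section."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError(f"not an HJT entry: {entry!r}")
    return normalize(entry) in sections.get(m["section"], [])


def check_fix_list(fix_list: list[str], log_text: str) -> tuple[list[str], list[str]]:
    """Split fix_list into (gone, remaining) as judged against log_text."""
    sections = parse_hjt(log_text)
    gone, remaining = [], []
    for entry in fix_list:
        (remaining if entry_present(entry, sections) else gone).append(entry)
    return gone, remaining


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Normalized entries present only in `before` (removed) and only in
    `after` (added). New entries after a cleanup deserve a second look."""
    old = {e for lst in parse_hjt(before).values() for e in lst}
    new = {e for lst in parse_hjt(after).values() for e in lst}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    gone, remaining = check_fix_list(FIX_LIST, LOG_AFTER)
    print("fixed:", *gone, sep="\n  ")
    print("still listed:", *remaining, sep="\n  ")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed since last log:", *removed, sep="\n  ")
    print("new since last log:", *added, sep="\n  ")
```

Matching is on the whole normalized entry, not just the section, so a fix item counts as gone only when that exact line is absent; a near-duplicate under another section code (a value re-created under HKCU instead of HKLM, say) would show up in the "added" list of the diff rather than silently passing.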
Matt Posted December 16, 2005
Congrats! Your log is clean! The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber-powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
SpywareBlaster - Great prevention tool to keep malware from installing on your system.
SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.
ibjammin21 (Author) Posted December 16, 2005
Thank you again for all your help, Matt. My computer has been running normally since the last barrage of virus-cleansing counter-attacks. I placed a similar request for help on tomcoyote.com, but it hasn't even been looked at yet.
Sincerely,
Gilgamesh (ancient Mesopotamian warrior/demigod, in case you wondered about the user name)
Matt Posted December 16, 2005
This thread is being closed because it has been resolved. If you would like it to be reopened, please contact a member of the Moderating team.
Matt