1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Aiieeee! Damn LOL.scr!

Discussion in 'Virus & Other Malware Removal' started by BudTheSpud, Feb 1, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. BudTheSpud

    BudTheSpud Thread Starter

    Joined:
    Feb 1, 2005
    Messages:
    10
    I got that damn LOL.scr virus on me! I got it from a cousin and thought it was a movie file. Little did I know he wasnt even at his computer! I saw that thread concerning it earlier, however AVG cant find it. Housecall wont work right, and neither will panda. Both seem to screw up. My ActiveX is messed up or something. I tried getting Adaware to work and suspiciously jams up at around the 1800th file, around the system files, the .dll files and so on. Anyways, heres the log. I need some guidance! Would be much appreciated!

    Whatever problems you can find on this thing, would also be helpful! Might as well clean up the whole mess than a part of it. LOL

    Logfile of HijackThis v1.99.0
    Scan saved at 11:09:10 PM, on 01/02/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\[email protected]\[email protected]
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Trillian\users\Francis\downloads\MSN\[email protected]\LOL.scr
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\winis.exe
    C:\Program Files\Trillian\users\Francis\downloads\MSN\[email protected]\LOL.scr
    C:\Program Files\Trillian\users\Francis\downloads\MSN\[email protected]\LOL.scr
    C:\Program Files\Trillian\users\Francis\downloads\MSN\[email protected]\LOL.scr
    C:\Program Files\Grisoft\AVG Free\avgcc.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/*http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/*http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/*http://rogers.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Francis\Application Data\Mozilla\Profiles\default\3m7y5ikj.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Francis\Application Data\Mozilla\Profiles\default\3m7y5ikj.slt\prefs.js)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
    O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [update] winis.exe
    O4 - HKLM\..\RunServices: [update] winis.exe
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [Eyeball Chat] "C:\PROGRA~1\Eyeball\EYEBAL~1\EyeballChat.exe" -min
    O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
    O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4339/mcfscan.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
     
  2. Dust Sailor

    Dust Sailor

    Joined:
    Mar 17, 2004
    Messages:
    2,735
  3. BudTheSpud

    BudTheSpud Thread Starter

    Joined:
    Feb 1, 2005
    Messages:
    10
    Like I said I did all that. If you read my post. Ad-aware actually, I found, right now, its locked up while scanning LOL.scr, also does for this other program realsched.exe.

    I'll download Spyboy S&D right now. But I would really ask that someone please check that log.
     
  4. Dust Sailor

    Dust Sailor

    Joined:
    Mar 17, 2004
    Messages:
    2,735
    Remove new.net "Might as well clean up the whole mess than a part of it. LOL " (y)
     
  5. BudTheSpud

    BudTheSpud Thread Starter

    Joined:
    Feb 1, 2005
    Messages:
    10
    Heres an update after Spybot. LOL.scr is still there, and I tried to delete that new.net thing. But it gave me some sort of error. Like access denied or something. Weird.

    I know those yahoo taskbar stuff in there is stuff that I willingly downloaded for IE, even though I dont use it, My brother often dl's crap without thinking and puts those darn search bars on there, but I was able to get rid of those easily enough with Ad-Aware when it was working. But that virus seems to block it from working too. So I couldnt scan with it, had to use Spybot, but again, its still there. I have no idea about that realsched, I bet thats not good news. TrojanHunter I uninstalled after my trial expired, I dont know why thats still there. Got alot of svchosts there, not sure why that is. Same for two rundll32's. And that Eyeball Chat I thought I deleted as well. Hmm.

    EDIT: I added in the startup list as well as running processes into this list in case theres more there.

    Anyways, again, help would be appreciated.

    Logfile of HijackThis v1.99.0
    Scan saved at 12:31:00 AM, on 02/02/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\[email protected]\[email protected]
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Trillian\users\Francis\downloads\MSN\[email protected]\LOL.scr
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trillian\users\Francis\downloads\MSN\[email protected]\LOL.scr
    C:\Program Files\Trillian\users\Francis\downloads\MSN\[email protected]\LOL.scr
    C:\Program Files\Trillian\users\Francis\downloads\MSN\[email protected]\LOL.scr
    C:\Program Files\Grisoft\AVG Free\avgcc.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\winis.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/*http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/*http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/*http://rogers.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Francis\Application Data\Mozilla\Profiles\default\3m7y5ikj.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Francis\Application Data\Mozilla\Profiles\default\3m7y5ikj.slt\prefs.js)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
    O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [update] winis.exe
    O4 - HKLM\..\RunServices: [update] winis.exe
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [Eyeball Chat] "C:\PROGRA~1\Eyeball\EYEBAL~1\EyeballChat.exe" -min
    O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
    O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4339/mcfscan.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    Process list saved on 12:30:37 AM, on 02/02/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)

    [full path to filename] [file version] [company name]
    C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
    C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
    C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
    C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
    C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
    C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe 0.10.0.3000
    C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe 7.1.0.299 GRISOFT, s.r.o.
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe 7.1.0.285 GRISOFT, s.r.o.
    C:\WINDOWS\system32\nvsvc32.exe 6.14.10.6177 NVIDIA Corporation
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe 5.1.2600.2180 Microsoft Corporation
    C:\WINDOWS\system32\RunDll32.exe 5.1.2600.2180 Microsoft Corporation
    C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe 3.1.2.17 Lavasoft Sweden
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe 7.1.0.300 GRISOFT, s.r.o.
    C:\Program Files\[email protected]\[email protected] 3.8.0.0 University of California, Berkeley
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe 0.10.0.1000
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe 0.1.0.3208 RealNetworks, Inc.
    C:\Program Files\Trillian\users\Francis\downloads\MSN\[email protected]\LOL.scr
    C:\Program Files\Messenger\msmsgs.exe 4.7.0.3000 Microsoft Corporation
    C:\Program Files\Trillian\users\Francis\downloads\MSN\[email protected]\LOL.scr
    C:\Program Files\Trillian\users\Francis\downloads\MSN\[email protected]\LOL.scr
    C:\Program Files\Trillian\users\Francis\downloads\MSN\[email protected]\LOL.scr
    C:\Program Files\Grisoft\AVG Free\avgcc.exe 7.1.0.298 GRISOFT, s.r.o.
    C:\WINDOWS\system32\ntvdm.exe 5.1.2600.2180 Microsoft Corporation
    C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE 7.2.0.0 Mozilla, Netscape
    C:\WINDOWS\explorer.exe 6.0.2900.2180 Microsoft Corporation
    C:\WINDOWS\system32\winis.exe
    C:\Program Files\HijackThis\HijackThis.exe 1.99.0.0 Soeperman Enterprises Ltd.
     
  6. BudTheSpud

    BudTheSpud Thread Starter

    Joined:
    Feb 1, 2005
    Messages:
    10
    Anyone gonna check this out?
     
  7. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Lets try this again

    Go to Add/Remove programs and uninstall New.Net (NewDotNet). If that doesn't work do this:

    First Click here to download LspFix

    You may not need it, but go ahead and download it just in case.


    Now go here and scroll to the bottom of the page to Precedure 4 and download and run the New.Net uninstaller.

    If you lose your internet connection after running the New.Net uninstaller, Run LspFix, and click Finish. (Don't do anything else)

    That should restore the internet connection.

    Then post a new hijackthis log
     
  8. Dust Sailor

    Dust Sailor

    Joined:
    Mar 17, 2004
    Messages:
    2,735
  9. BudTheSpud

    BudTheSpud Thread Starter

    Joined:
    Feb 1, 2005
    Messages:
    10
    Oh how fun is this? I finally found the backup uninstall on the windows folder, and finished uninstalling and rebooted. Now when I come back, I get an error message popping up telling me they couldnt find the module newdnet.dll or something like that. Plus my AdWatch software is currently at 1400 registry modifications and counting as I speak.


    Says Ad-Watch Alarm
    An attempt to alter a protected object has been detected. (Attempt to add a registry value)
    Root : HKEY_LOCAL_MACHINE
    Key: Software\Microsoft\Windows\CurrentVersion\RunServices
    Value:update
    Data:
    New Data :winis.exe

    Anyone know whats going on? I just accepted it so it would stop spamming. Its obviously a concern. That and I STILL got that LOL.scr roaming around on my computer.

    Here is the updated log plus the running process list.

    Logfile of HijackThis v1.99.0
    Scan saved at 1:51:34 PM, on 02/02/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
    C:\WINDOWS\system32\winis.exe
    C:\Program Files\[email protected]\[email protected]
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/*http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/*http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/*http://rogers.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Francis\Application Data\Mozilla\Profiles\default\3m7y5ikj.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Francis\Application Data\Mozilla\Profiles\default\3m7y5ikj.slt\prefs.js)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
    O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [update] winis.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
    O4 - HKLM\..\RunServices: [update] winis.exe
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [Eyeball Chat] "C:\PROGRA~1\Eyeball\EYEBAL~1\EyeballChat.exe" -min
    O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
    O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4339/mcfscan.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    Process list saved on 1:52:30 PM, on 02/02/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)

    [full path to filename] [file version] [company name]
    C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
    C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
    C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
    C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
    C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
    C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe 0.10.0.3000
    C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe 7.1.0.299 GRISOFT, s.r.o.
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe 7.1.0.285 GRISOFT, s.r.o.
    C:\WINDOWS\system32\nvsvc32.exe 6.14.10.6177 NVIDIA Corporation
    C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe 0.1.0.3208 RealNetworks, Inc.
    C:\WINDOWS\system32\RunDll32.exe 5.1.2600.2180 Microsoft Corporation
    C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe 3.1.2.17 Lavasoft Sweden
    C:\WINDOWS\system32\winis.exe
    C:\Program Files\[email protected]\[email protected] 3.8.0.0 University of California, Berkeley
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe 0.10.0.1000
    C:\Program Files\MSN Messenger\MsnMsgr.Exe 6.2.0.137 Microsoft Corporation
    C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE 7.2.0.0 Mozilla, Netscape
    C:\WINDOWS\system32\NOTEPAD.EXE 5.1.2600.2180 Microsoft Corporation
    C:\WINDOWS\system32\NOTEPAD.EXE 5.1.2600.2180 Microsoft Corporation
    C:\Program Files\HijackThis\HijackThis.exe 1.99.0.0 Soeperman Enterprises Ltd.
     
  10. Dust Sailor

    Dust Sailor

    Joined:
    Mar 17, 2004
    Messages:
    2,735
    O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)

    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

    Close all windows except Hijack This and make a check beside the above entires Click " fix checked
    Reboot your computer "

    Uninstall New.Net. Delete the folder C:\Program Files\QuickSearch\

    Uninstall NewDotNet and delete the folder C:\Program Files\NewDotNet\

    Reboot and post another log here please
     
  11. BudTheSpud

    BudTheSpud Thread Starter

    Joined:
    Feb 1, 2005
    Messages:
    10
    Okay, I also removed a couple other things, that weather network heartbeat monitor, as well as the other weather network thing. As well as EyeballChat, all three of those were things that I uninstalled, or thought I did.

    Here is the updated log. Again, My Ad Aware is still hanging up very early in the scan, and this didnt happen before that LOL.scr, so I am thinking its still in there.

    Logfile of HijackThis v1.99.0
    Scan saved at 4:29:02 PM, on 02/02/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
    C:\WINDOWS\system32\winis.exe
    C:\Program Files\[email protected]\[email protected]
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/*http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/*http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/*http://rogers.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Francis\Application Data\Mozilla\Profiles\default\3m7y5ikj.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Francis\Application Data\Mozilla\Profiles\default\3m7y5ikj.slt\prefs.js)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [update] winis.exe
    O4 - HKLM\..\RunServices: [update] winis.exe
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\The Weather Channel.exe
    O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4339/mcfscan.cab
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
     
  12. BudTheSpud

    BudTheSpud Thread Starter

    Joined:
    Feb 1, 2005
    Messages:
    10
    Okay, Another strange thing is going on. Three times now, out of nowhere, somehow, the volume control bar in the windows volume control program, just goes down to minimum.

    The bar just suddenly is at the bottom. Three times this happens, like my computer mutes itself. Each time I set the volume bar back to its original position, a few minutes later, its back on the bottom again. What the hell?
     
  13. pinci

    pinci

    Joined:
    Feb 1, 2005
    Messages:
    5
    i also had all these problems
     
  14. BudTheSpud

    BudTheSpud Thread Starter

    Joined:
    Feb 1, 2005
    Messages:
    10
  15. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O4 - HKLM\..\Run: [update] winis.exe
    O4 - HKLM\..\RunServices: [update] winis.exe

    Close all applications and browser windows before you click "fix checked".

    Restart in safe mode

    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders" Click "Apply" then "OK".

    Delete this file: C:\WINDOWS\system32\winis.exe
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/325858

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice