1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Can't open Windows XP

Discussion in 'Virus & Other Malware Removal' started by melonhead, Feb 13, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. melonhead

    melonhead Thread Starter

    Joined:
    May 6, 2002
    Messages:
    882
    I can only get into safe mode with this computer. When trying to boot normally, the computer opens up to the users names (but there is not the usual messages below each members names such as unread e-mail), then takes quite a while to load personal settings, then loads up but there is only the wallpaper - no explorer.

    In safe mode I've run adaware, spybot, cww shredder that removed something in msconfig, hijack this which didn't show anything real obvious


    They have Mcaffee on this computer from AOL which they said detected a trojan a couple of days ago.

    I've tried starting with start up on diagnostics and also with everything unchecked in start up.

    Nothing else seems obviously wrong.

    Any other suggestions?

    Thanks in advance.
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742

    Download>> www.radiosplace.com

    Hijackthis.exe is what you want. You will it seems have to run hijackthis in Safe Mode, which does not give a complete log but may show the problem and allow us to help you get rid of some things. We need to see a NEW log, malware often changes filenames...
     
  3. melonhead

    melonhead Thread Starter

    Joined:
    May 6, 2002
    Messages:
    882
    Thanks for your reply!

    I booted the computer back up in safe mode. Unfortunately, now I can't get on the internet from that computer making it impossible to paste the log into this forum.

    I went to device manager to check on the network adapter - and there is NOTHING in device manager.

    Really weird- I had created a folder earlier called hijack where I was holding the log, etc. It is gone. I checked the recycle bin and it is not in there.

    I did upload hijack this again from a CD but like I said earlier - I can't paste it all in here

    Any suggestions? I feel like I have tried everything and I am so frustrated!

    Thanks in advance.
     
  4. melonhead

    melonhead Thread Starter

    Joined:
    May 6, 2002
    Messages:
    882
    I fooled around with some settings and was able to get on the net in safe mode. The hijack this is below.

    One more thing - when I open up windows not in safe mode, I am able to pull up explorer by typing control - alt - delete and then typing in explorer.exe in run task. However, it is very unstable and blinks off and on and won't let me open most thing. If it would help, I could type in all the running processes, however, and e-mail.

    Anyway, heres the log. Hope someone can detect something! Thanks in advance.

    Logfile of HijackThis v1.99.0
    Scan saved at 8:44:49 AM, on 2/14/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijack\hijack2\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ww3.weatherbug.com/survey/uninstall/uninstall.asp?regid=-1&ZCode=&DLID=1800&Version=
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\b630.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKLM\..\RunOnce: [z7tgj4.exe] C:\WINDOWS\System32\z7tgj4.exe /k
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\tmpUpgrade\..\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\tmpUpgrade\..\PartyPoker.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.37/holdem/holdem-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.9.4.30/whackdown/whackdown-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.4.37/wordjong/wordjong-ob-assets.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DE385F88-91EA-4CF4-8DE5-F770CFAEE6D4}: NameServer = 205.171.3.65
    O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
    O23 - Service: McAfee SecurityCenter Update Manager - Unknown - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Unknown - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
    O23 - Service: McAfee Personal Firewall Service - Unknown - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi,
    Something important> you must close all browser windows, when you FIX anything with Hijackthis> I guess if you can get online with Safe Mode with Networking, that will work...remember to close Internet Explorer etc when you actually run HJT to fix items!!!!!!!!!!

    Hijackthis.exe as well as the hijack log will easily fit on floppy diskette, if it would be easier for you and if both computers do have a floppy disk drive you could do log copying to the forum here that way.

    I do see the malware, whether it is everything or not is not known, but if you can download the removal tool below and run it, might fix enough to get you online> And, there are some other tools you should get...one way would be to download them to a good computer that has a CD burner and make a CD that you can install programs from. Installing software may not work in Safe Mode though. One other thing is to try creating a new user account on the computer and try booting to normal Windows mode from a new user account logon.

    http://vil.nai.com/vil/stinger/

    You said you have tried unchecking everything in msconfig>Startups---this is the wrong thing to do when using Hijackthis to see problems, as they will not appear in your logs! You should keep everything CHECKED, even if that results in things running poorly and only in Safe Mode, just for now> so put the checks back in all items and send us a new log, you should run Stinger removal tool first, tho. Run AdAware and Spybot etc after that.

    I trust that you did download the updates to those programs now that you can get online? I am not sure the updates will install using Safe Mode with Networking tho.

    Post a new log, be sure to post how the log was made, in Normal or Safe mode w/networking etc.
     
  6. melonhead

    melonhead Thread Starter

    Joined:
    May 6, 2002
    Messages:
    882
    Thanks for the quick response.

    I downloaded the McAffee program you suggested and ran it but it did not detect anything.

    I unchecked everything in start up just to see if I could get into windows without the junk running. However, I'm so glad you mentioned it because I forgot to uncheck before I ran the last Hijack this.

    Also, I tried creating a new user but was not able to get into normal windows.

    The hijack this log has much more junk in it then I originally ran when I first started working on this computer - and everything was unchecked at that time. That's after running spybot, adaware,etc. I don't get it!?! Anyway, here it is and again thanks for your help!!!


    Logfile of HijackThis v1.99.0
    Scan saved at 9:38:48 AM, on 2/14/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijack\hijack2\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\b630.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [s7nV32P] lfehed20.exe
    O4 - HKLM\..\Run: [Rxagik] C:\WINDOWS\Meruoq.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [mnksmc] C:\WINDOWS\System32\mnksmc.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1100787366\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
    O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
    O4 - HKLM\..\Run: [CSV7P70] C:\Program Files\CSBB\CSV7P070.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [4f9d366c4cb0] C:\WINDOWS\System32\cabview1.exe
    O4 - HKLM\..\Run: [02fc98ed4cf9] C:\WINDOWS\System32\bootvid3.exe
    O4 - HKLM\..\RunOnce: [z7tgj4.exe] C:\WINDOWS\System32\z7tgj4.exe /k
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\tmpUpgrade\..\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\tmpUpgrade\..\PartyPoker.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.37/holdem/holdem-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.9.4.30/whackdown/whackdown-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.4.37/wordjong/wordjong-ob-assets.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108393171187
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DE385F88-91EA-4CF4-8DE5-F770CFAEE6D4}: NameServer = 205.171.3.65
    O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
    O23 - Service: McAfee SecurityCenter Update Manager - Unknown - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Unknown - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
    O23 - Service: McAfee Personal Firewall Service - Unknown - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  7. melonhead

    melonhead Thread Starter

    Joined:
    May 6, 2002
    Messages:
    882
    Anybody able to review a HJT log?
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Sorry I could not reply earlier, an ice storm here had caused cable service outage, it's back working now but for how long I don't know.

    You should keep this computer off the Net as much as possible, and disconnect any network cable from a modem when you are off-line fixing things. These trojans download more of their buddies as you go along....

    You have another computer there apparently, use that to check the thread if you can.

    Let me get you straight with msconfig> when you UNcheck an entry there, that item does not start up when Windows does....when you have them checkmarked, they do. You need to have ALL items checked and starting up, just for now so they can be fixed. You still have some items UNchecked, so put those back so they start up, I know it sounds crazy but you have to or I cannot help you.

    From Add/Remove Programs, uninstall:

    Bullseye Network/Bargain anything...

    WinTools/Easy Installer or similar...

    TVMedia/TBPS/Ibis Toolbar

    NaviSearch or Toolbar or similar...

    DealHelper anything....


    Now> The first part, using Hijackthis, is done in Normal mode> put checks next to all the items below, and then click "Fix checked":

    O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\b630.dll


    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [s7nV32P] lfehed20.exe
    O4 - HKLM\..\Run: [Rxagik] C:\WINDOWS\Meruoq.exe

    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [mnksmc] C:\WINDOWS\System32\mnksmc.exe
    O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
    O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
    O4 - HKLM\..\Run: [CSV7P70] C:\Program Files\CSBB\CSV7P070.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [4f9d366c4cb0] C:\WINDOWS\System32\cabview1.exe
    O4 - HKLM\..\Run: [02fc98ed4cf9] C:\WINDOWS\System32\bootvid3.exe
    O4 - HKLM\..\RunOnce: [z7tgj4.exe] C:\WINDOWS\System32\z7tgj4.exe /k
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)


    Boot to Safe Mode (no networking!) that's the only way you are going to fix anything... And, you must have all Internet Explorer windows CLOSED for it to work. You should copy the steps to a Notepad text file or print them out so you have them to refer to in Safe Mode.


    Have the settings for hidden files etc as before (they may not have stayed set, check them again:


    Next, navigate to the folders shown that hold the files listed...delete the files from those folders: Keep in mind they may not all be there, but look well:


    C:\WINDOWS\system32\b630.dll

    C:\Program Files\Common Files\WinTools\WToolsA.exe

    C:\Program Files\TV Media\Tvm.exe

    C:\PROGRA~1\Toolbar\TBPS.exe

    C:\WINDOWS\Meruoq.exe

    lfehed20.exe <<use Search to find it

    C:\Program Files\NaviSearch\bin\nls.exe

    C:\WINDOWS\System32\mnksmc.exe

    C:\WINDOWS\DHUpdt.exe

    C:\WINDOWS\dhbrwsr.exe

    C:\Program Files\CSBB\CSV7P070.exe

    C:\Program Files\BullsEye Network\bin\bargains.exe

    C:\WINDOWS\System32\cabview1.exe

    C:\WINDOWS\System32\bootvid3.exe

    C:\WINDOWS\System32\z7tgj4.exe /k

    C:\WINDOWS\System32\spoolsrv32.exe


    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box, and OK. The Temp folder will open. Click Edit > Select All then File > Delete to delete the entire contents of the Temp folder.
    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.


    Run CWShredder and use the "FIX" button, not scan only.

    Run AdAware and SpyBot, restarting between scans. If all you can get to Safe Mode, do it...just get the scans done.


    I assume by now...you have downloaded the detection updates for those two programs....if not, you need to get them.

    At the end, restart again and run Hijackthis and scan and save a log and post it. If it is from Safe Mode With Networking, please state that, or if it is from Normal mode, tell me.
     
  9. melonhead

    melonhead Thread Starter

    Joined:
    May 6, 2002
    Messages:
    882
    Thanks so much for the reply, Byteman. I'm sorry for the bad weather. We had a small break from winter - 50 degrees!

    I was able to get back into regular windows long enough to download and run AVG which found and deleted 8 trojans.

    I'm now back in safe mode and ran another hijack this after following your instructions.

    Thank you again so much. This is such an awesome site.

    Here is the log:

    Logfile of HijackThis v1.99.0
    Scan saved at 9:43:57 PM, on 2/14/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\hijack\hijack2\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1100787366\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKLM\..\RunOnce: [OLEDb Service] C:\WINDOWS\System32\runoledb32.exe
    O4 - HKLM\..\RunOnce: [z7tgj4.exe] C:\WINDOWS\System32\z7tgj4.exe /k
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
    O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\tmpUpgrade\..\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\tmpUpgrade\..\PartyPoker.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.37/holdem/holdem-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.9.4.30/whackdown/whackdown-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.4.37/wordjong/wordjong-ob-assets.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108393171187
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DE385F88-91EA-4CF4-8DE5-F770CFAEE6D4}: NameServer = 205.171.3.65
    O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
    O23 - Service: McAfee SecurityCenter Update Manager - Unknown - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Unknown - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
    O23 - Service: McAfee Personal Firewall Service - Unknown - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  10. melonhead

    melonhead Thread Starter

    Joined:
    May 6, 2002
    Messages:
    882
    I can get into windows! Yahoo! Anyway, reran everything whenn I logged in and downloaded windows update.

    Here's another log> There are five users on this computer so I am going to log onto each, run adaware and spybot and then post back. Here is the first user:

    Logfile of HijackThis v1.99.0
    Scan saved at 11:18:43 PM, on 2/14/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    \?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
    \?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
    C:\PROGRA~1\COMMON~1\AOL\110078~1\EE\AOLHOS~1.EXE
    C:\PROGRA~1\COMMON~1\AOL\110078~1\EE\AOLServiceHost.exe
    C:\hijack\hijack2\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1100787366\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunOnce: [OLEDb Service] C:\WINDOWS\System32\runoledb32.exe
    O4 - HKCU\..\RunOnce: [OLEDb Service] C:\WINDOWS\System32\runoledb32.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\tmpUpgrade\..\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\tmpUpgrade\..\PartyPoker.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.37/holdem/holdem-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.9.4.30/whackdown/whackdown-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.4.37/wordjong/wordjong-ob-assets.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108393171187
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DE385F88-91EA-4CF4-8DE5-F770CFAEE6D4}: NameServer = 205.171.3.65
    O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  11. melonhead

    melonhead Thread Starter

    Joined:
    May 6, 2002
    Messages:
    882
    Here is user #2 log.

    Logfile of HijackThis v1.99.0
    Scan saved at 11:42:59 PM, on 2/14/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\COMMON~1\AOL\110078~1\EE\AOLHOS~1.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\COMMON~1\AOL\110078~1\EE\AOLServiceHost.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
    C:\hijack\hijack2\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1100787366\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunOnce: [OLEDb Service] C:\WINDOWS\System32\runoledb32.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\tmpUpgrade\..\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\tmpUpgrade\..\PartyPoker.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.37/holdem/holdem-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.9.4.30/whackdown/whackdown-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.4.37/wordjong/wordjong-ob-assets.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108393171187
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DE385F88-91EA-4CF4-8DE5-F770CFAEE6D4}: NameServer = 205.171.3.65
    O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  12. melonhead

    melonhead Thread Starter

    Joined:
    May 6, 2002
    Messages:
    882
    Here is user #3

    Logfile of HijackThis v1.99.0
    Scan saved at 11:47:13 PM, on 2/14/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
    C:\PROGRA~1\COMMON~1\AOL\110078~1\EE\AOLHOS~1.EXE
    C:\PROGRA~1\COMMON~1\AOL\110078~1\EE\AOLServiceHost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\hijack\hijack2\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1100787366\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunOnce: [OLEDb Service] C:\WINDOWS\System32\runoledb32.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [dw49RSj4l] locetmgr.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\tmpUpgrade\..\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\tmpUpgrade\..\PartyPoker.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.37/holdem/holdem-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.9.4.30/whackdown/whackdown-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.4.37/wordjong/wordjong-ob-assets.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108393171187
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DE385F88-91EA-4CF4-8DE5-F770CFAEE6D4}: NameServer = 205.171.3.65
    O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  13. melonhead

    melonhead Thread Starter

    Joined:
    May 6, 2002
    Messages:
    882
    Here's user #4

    Logfile of HijackThis v1.99.0
    Scan saved at 11:57:11 PM, on 2/14/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
    C:\Program Files\America Online 9.0a\waol.exe
    C:\PROGRA~1\COMMON~1\AOL\110078~1\EE\AOLHOS~1.EXE
    C:\PROGRA~1\COMMON~1\AOL\110078~1\EE\AOLServiceHost.exe
    C:\Program Files\America Online 9.0a\shellmon.exe
    C:\hijack\hijack2\HijackThis.exe
    C:\hijack\hijack2\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1100787366\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunOnce: [OLEDb Service] C:\WINDOWS\System32\runoledb32.exe
    O4 - HKCU\..\Run: [dw49RSj4l] skdutil.exe
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\tmpUpgrade\..\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\tmpUpgrade\..\PartyPoker.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.37/holdem/holdem-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.9.4.30/whackdown/whackdown-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.4.37/wordjong/wordjong-ob-assets.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108393171187
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DE385F88-91EA-4CF4-8DE5-F770CFAEE6D4}: NameServer = 205.171.3.65
    O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  14. melonhead

    melonhead Thread Starter

    Joined:
    May 6, 2002
    Messages:
    882
    Thought I had everything off this computer but I am still getting some pop ups. Do you happen to see anything under any of these logs?

    Thanks so much.
     
  15. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, These are still showing in your log:

    As you can see, they are being loaded from the RunOnce key of your Registry-


    Run Hijackthis, put checks next to each of these, and click "Fix checked":


    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

    O4 - HKLM\..\RunOnce: [OLEDb Service] C:\WINDOWS\System32\runoledb32.exe

    O4 - HKLM\..\RunOnce: [z7tgj4.exe] C:\WINDOWS\System32\z7tgj4.exe /k

    Boot to Safe Mode>

    with settings as below, to see hidden files>

    You may not find these files at all, but look.

    Navigate to the files shown and delete them:


    C:\WINDOWS\System32\spoolsrv32.exe
    C:\WINDOWS\System32\runoledb32.exe
    C:\WINDOWS\System32\z7tgj4.exe

    Empty the Recycle Bin.

    Restart back to normal mode. Run AdAware etc, checking for updates, run a full scan.


    Post a new log, just from this one profile please. The other users do have some things, I will get to them when your log is clean.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/330200

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice