1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Help please

Discussion in 'Virus & Other Malware Removal' started by HelpMePlz101, Feb 13, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. HelpMePlz101

    HelpMePlz101 Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    32
    Hello, i got this problem with my computer, after i downloaded something a whole bunch of viruses started to install into my computer.. and a bunch of spyware and adware, malware starts to install into my computer also.. so i ran ad-aware and spybot and it found about 400 together.. i deleted it.. (* whatever the virus was it deleted one of my telus scan files so i cant run it anymore*).. anyways there was a bunch of things that was installed on my computer so i deleted all the stuff and removed it from .. install/remove... i go into windows, system32, program file and delete everything that was installed the hour that everything started to malfunction.. after that i ran CWS Shreader and it didnt find anything.. i also ran the following.. spydel, lopremover.. (i dunno if there is newer verison or so.. i got this a few months ago.. ).. anyways there was some files i couldnt delete because it said it was being used by another person or some sort like that.. so i rebooted into safe mode and deleteed the files there.. i ran hijackthis on safemode and tried deleteing some of the stuff but all the stuff just kept coming back.. when i rescan with it.. anwyas.. once i got everything done.. i rebooted my comp into normal mode and everything was perfect.. everything one running perfectly.. nothing was wrong.. but after aobut 20-30 mins of use EVERYTHING yes EVERYTHING got installed again :mad: :mad: so i redid everything again ran spybot adaware all that and deleted everything again.. i also ran virus scan this time it found 5 viruses and then deleted 5 of them it couldnt disinfect it said.. then i did it all in safemode and rebooted into normal mode again.. everyhing was normal perfect.. but after 20-30 mins everything got messed up again.. this kept happening... i deleted and scaned about 4 times doing the same thing over and over.. really need help i spent about 6 hours trying to fix this damn problem... but it just all comes back

    Yes, i have turned off my system restore so idunno how it would come back just liek that.. sometimes i just leave my comp alone and then it just all pops ups and installs byself ontop my desktop...

    Please help me with this problem.. i am very tired of trying to fix it but the same problem just keeps accuring over and over again.. if u have any suggestions please post them and i will do as suggested and hope to get rid of this problem.. thanks again
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, We need you to post a hijackthis log so we can see the problem>

    You need to create a new folder> somewhere in a permanent folder, such as My Documents, create a new folder and name it something you like, and download hijackthis.exe to that new folder and run it from there. This is only a log making tool, it doesn't fix anything on its own, and you will need expert help to use it, so do not fix anything just yet, just post the log.

    If you do not know how to make a new folder in My Docs, simply right click any empty spot of desktop background (wallpaper) and select NEW> Folder, and rename the folder....then, click the link below to download the file, and change the Save In location TO the folder location so it goes to the right place.

    When you have hijackthis.exe in it's folder, run the .exe and use the "Scan and make a log" button, give it minute to finish, and then save the log as hijackthis.txt which Notepad will open....when you have the saved log open, hit the Reply button to post a reply to your thread> then, go back to your open log and at the top of it's window, hit EDIT>Select All, and then EDIT>Copy, come back to your blank reply, click once inside the reply white space and at the top of browser window hit EDIT>Paste....then, hit the Submit button.
     
  3. HelpMePlz101

    HelpMePlz101 Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    32
    Logfile of HijackThis v1.99.0
    Scan saved at 6:49:46 PM, on 2/13/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Steven\Desktop\Scans\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\TELUS Security service\pkR.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\TELUS Security service\FreeBHOR.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {1A439C04-0108-4DB6-859E-508EC337C319} (Cpclock Control) - http://www.cpuid.org/download/cpclock.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DvpApi - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



    alright here is my hjacklog i try deleting
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)

    but when i d it just comes back when i scan again
     
  4. HelpMePlz101

    HelpMePlz101 Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    32
    Please help guys.. ive been having this problem the whole day.. and it will never go away i dunno why please help
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, You have the right suspect, we are seeing a lot of infections with this lately.

    Get this download, but do not use it just yet, we will a bit later.


    Download ยปwww.mvps.org/winhelp2002/DelDomains.inf


    Run Hijackthis in normal mode first, and fix the items>
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)

    then immediately boot to Safe Mode and DELETE the files associated with Desktop Search:


    Boot to Safe Mode> to do that, when you restart quickly start tapping the F8 key just as you first see text on screen, when you get the startup menu, with your arrow key select Safe Mode (only) and then hit Enter key once. Give it plenty of time to reach the desktop...

    You may need these settings to see hidden/system files:

    You need to navigate to the folders holding the files, use Windows Explorer to do this>


    C:\WINDOWS\isrvs\ffisearch.exe <<this file

    C:\WINDOWS\isrvs\desktop.exe <<this one too

    NEXT> Right-click on the deldomains.inf file and select 'Install'.

    This should clear out those trusted entries that will not be removed. Note: In fact this will clear out all your trusted AND restricted zones entries. If you had any custom entries (like IESPYAD) you will need to re-enter those



    Restart- run AdAware SE/Spybot again. Post new HJT log. If the stuff comes back> we can get tougher!
     
  6. HelpMePlz101

    HelpMePlz101 Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    32
    arg i did all that.. it worked.. well everything was good for about 30 mins.. then when i opened explorer.. for like 2 mins.. it shut down and then all the viruses and other stuff started to all come back.. to my computer.. andwhen i run ad aware i see these CWS stuff. then i just delete it.. that always shows up when i scan it.. and also there is all these ads installed onto my desktop.. like visa cards and other programs.. in my C:\ it shows this porn thing that u cant delete unless u go into safemode.. which i did and deleted about 5 times now...


    Logfile of HijackThis v1.99.0
    Scan saved at 9:42:39 PM, on 2/13/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
    C:\Documents and Settings\Steven\Desktop\Temperature\MBM5.EXE
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\Program Files\SpywareBlaster\spywareblaster.exe
    C:\dddd.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Documents and Settings\Steven\Desktop\Scans\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\TELUS Security service\pkR.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\TELUS Security service\FreeBHOR.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [MBM 5] "C:\Documents and Settings\Steven\Desktop\Temperature\MBM5.EXE"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {1A439C04-0108-4DB6-859E-508EC337C319} (Cpclock Control) - http://www.cpuid.org/download/cpclock.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DvpApi - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    this is my hjackthis log.. those 4 that i try to delete just stays there when i scan again.. i instaled that del thing that u sent me.. it just opens my ad aware when i turn it on... i dunno what to do anymore.. please make some more suggestions please
     
  7. HelpMePlz101

    HelpMePlz101 Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    32
  8. HelpMePlz101

    HelpMePlz101 Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    32
    Hi.. im still having the problem .. ive tried so mayn different programs.. but every 30 mins after i delete everything.. all the stuff comes back.. when i run adaware after everything comes back this is what i get in the thing..

    http://img8.exs.cx/img8/1091/untitled6fv.jpg


    and a whole bunch of ads install on my computer and then this porn program turns on my computer... after i delete it its gone till.. 30 misn after.. it comes back..
     
  9. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Without having Service Pack 1 for XP, you are quite an open target to these things.

    During the time it takes to get SP1, you can easily get re-invaded, but it might be worth it to get it anyway...if you are on dialup, it will take a long long time. Possibly a friend could download it to a CD for you...

    Is there any other reason you have not installed SP1? I do not mean Service Pack 2> that is not absolutely needed right now, but the critical updates for IE in SP1 are.
    Could you download Firefox browser and use that to check the posts here...it may save you getting more and more junk> they download each other ya know.

    Get this version of CWShredder>

    http://cwshredder.net/bin/CWShredder.exe

    Download Killbox>

    http://www.downloads.subratam.org/KillBox.zip

    These are to run later===you should however unzip Killbox to have it ready on the desktop.

    Don't play around with the files for it or any settings please.

    Boot to Safe Mode> Tap the F8 key quickly several times as the system restarts, when you get the startup menu select Safe Mode (only) using arrow key, then hit Enter key once, give it plenty of time to get to the desktop.

    Have all Internet Explorer windows CLOSED or it will not work. You should have saved the directions to Notepad text file and save on desktop to refer to, or print them out.

    Press once CTRL+ALT+DEL keys to bring up the Task/Process Manager, if you see Desktop.exe

    or, ffisearch.exe running as Processes, end them: Next>


    Put checks in these and click "Fix checked":



    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)

    Do this again> the settings do not like to stay set sometimes>

    Because XP will not always show you hidden files and folders by default, Go to Start > Search>Files and Folders>> and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Run Killbox> Select the Delete on Reboot option.
    In the Full Path of File to Delete field paste this path and click the red circle with the white X in it(when it asks you to reboot, click NO.):

    C:\WINDOWS\isrvs\desktop.exe

    In the Full Path of File to Delete field paste this path and click the red circle with the white X in it(when it asks you to reboot, click NO.):

    C:\WINDOWS\isrvs\ffisearch.exe

    In the Full Path of File to Delete field paste this path and click the red circle with the white X in it(when it asks you to reboot, this time, click YES after you have this last one>

    C:\dddd.exe

    Your computer will restart and check if the file was deleted.

    Run CWShredder.exe and use the "FIX" button, it will tell you if the system was clean or it removed something.

    Run Hijackthis and check for yourself, if they were not deleted, jump back and run it again....until they are gone.

    Run full scan with what you have, AdAware and SpyBot etc.

    Post a new HJT log please.
     
  10. HelpMePlz101

    HelpMePlz101 Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    32
    Alright.. i did all the things u told me and it still just comes back!!

    Arg..

    So ill tell u everything from
    START
    TO
    END


    So im just working on my computer or whatever then all a sudden these pop up on my screen

    http://img196.exs.cx/img196/5927/error13ra.jpg


    Once i Click OK to all of them this pops up--

    http://img196.exs.cx/img196/5194/error24tz.jpg


    Then i Close that. then like 1 min after this one pops up (Warning Brief Nudity)

    http://img196.exs.cx/img196/4600/error37vt.jpg


    Then when i close that his pops up.

    http://img196.exs.cx/img196/8051/error45id.jpg


    After i close all that THESE things get installed ON my desktop

    http://img196.exs.cx/img196/6859/error54ql.jpg


    When i go into my C: Drive this pops up.. I Go task manager then processor then close dddd.exe on the task manager.. only after i do that i can delete the dddd.exe file

    http://img196.exs.cx/img196/2108/error67uu.jpg

    When i go into c:/windows and go to recent modified these are the things are there

    http://img196.exs.cx/img196/258/error72sf.jpg

    I delete as much as i can from those files.. then i run Adaware and this comes up

    http://img196.exs.cx/img196/381/adawarescan8ce.jpg


    I run spybot... but it found no problem.. same with CWShredder and nothing shows...

    This is my hijackthis log after i did all the stuff above..
    (Red brush = stuff im about to delete)

    http://img196.exs.cx/img196/5839/logbefore3uc.jpg



    This is my Log after i fixed those thigns THREE times... Some of the things dont get off the log...


    http://img196.exs.cx/img196/4359/logafter3tries1gp.jpg



    well there you go thats whats been happening the past 2 days.. this has happened every 30 mins to me.. Please guide me on to fix this problem..

    Having to do this every 30 mins is very frustrating.. :( :( :(

    Ive done all the other stuff u told me ABOVE in ur post.. but none of them seem to work.. all the stuff just installs again..
     
  11. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, OK, try this to replace your HOSTS file with a good default one, this is a common source of hijacks and popups>

    http://members.aol.com/toadbee/hoster.zip

    Unzip the files to a folder.
    Run the Hoster and click *Restore Original Hosts* and press "OK" then Exit the Hoster.

    Try using IE after that. See if the pops still happen. I am going to have someone look at your logs to see what they can spot, hang on.

    Answer this> Are there any other user accounts on the computer?
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    lets try this to see what you have

    Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
     
  13. HelpMePlz101

    HelpMePlz101 Thread Starter

    Joined:
    Oct 17, 2004
    Messages:
    32
    L2MFIX find log 1.02b
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\PROGRA~1\\Stardock\\OBJECT~1\\WINDOW~1\\fastload.dll"
    "Startup"="StartSys"
    "Logon"="StartWB"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
    "{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
    "{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
    "{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
    "{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
    "{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
    "{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
    "{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
    "{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
    "{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
    "{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
    "{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
    "{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
    "{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
    "{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
    "{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
    "{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
    "{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
    "{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
    "{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
    "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
    "{2F5AC606-70CF-461C-BFE1-734234536262}"="WindowBlinds CPL Extension"
    "{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures"
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    **********************************************************************************
    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    boln.dll Tue Feb 15 2005 12:24:18p A.... 40,000 39.06 K
    ghhmw.dll Tue Feb 8 2005 1:06:04p A.... 0 0.00 K
    jmjmm.dll Thu Feb 10 2005 10:30:12a A.... 0 0.00 K
    sgcps.dll Thu Jan 20 2005 8:26:58a A.... 0 0.00 K

    4 items found: 4 files, 0 directories.
    Total of file sizes: 40,000 bytes 39.06 K
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 505F-A05C

    Directory of C:\WINDOWS\System32

    02/12/2005 08:31 PM <DIR> dllcache
    10/16/2004 09:39 PM 10,752 Thumbs.db
    04/03/2004 10:54 AM <DIR> Microsoft
    1 File(s) 10,752 bytes


    So this is the |2mfix Log that was in notepad using option 1

    Question: Any other users on the comp? --- No just me
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    OK no VX2, but it does show a couple of dodgy files so please run HJT again and post a fresh hjt log
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    It looks like you have been infected with the new BUBE virus that is very difficult to cure

    Hopefully we have found a remedy, but I do need to see an updated HJT log before starting

    DO NOT fix anything else until we see the log as I need to check a couple of entries
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/330209

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice