
Hjt Log

2K views 28 replies 3 participants last post by  cybertech 
#1 ·
Hi, I'm having trouble clearing out my sister's computer. I ran CWS Shredder and fixed what it came up with. I ran Spybot S&D and it said it couldn't fix everything. I'm trying to run adware but it keeps freezing at a sys32 file; I can't remember the name of the file. So I was wondering what is next: should I run an online antivirus first or fix the HJT log? Here is the log, and as always thank you for your help.

Logfile of HijackThis v1.98.2
Scan saved at 9:06:19 PM, on 9/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Documents and Settings\Owner\Desktop\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.internet-search.info/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O1 - Hosts: arch.msn.com
O1 - Hosts: tElementById('myScript').src = "";
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [cool amen] C:\PROGRA~1\HIDE2D~1\CoalCast.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Fast Second Store Dart] C:\Documents and Settings\All Users\Application Data\boob cash fast second\AntiMp3.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094070796812
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
 
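For readers triaging a log like the one above, here is an added example (my own code, not part of the forum post and not part of HijackThis) that applies a few review heuristics to HJT entry lines: search and start-page URLs outside an assumed allowlist, hosts-file entries that point well-known search hosts at a non-loopback address, unnamed BHOs and URLSearchHooks, HKLM Run entries launched from user-writable data directories, and unknown Winsock LSP DLLs (deduplicated, since HJT prints one line per catalog entry). The sample lines are copied from the log above; the allowlist and the path heuristic are this example's assumptions, and a hit is a lead for the reviewer, not a verdict.

```python
"""Triage heuristics for HijackThis (HJT) log entries.

Added example: my own code, not part of the forum post and not part of
HijackThis. The sample lines come from the log posted above; the allowlist
and path heuristics are assumptions made for this example.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of lines from the first HJT log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.internet-search.info/searchbar
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Fast Second Store Dart] C:\Documents and Settings\All Users\Application Data\boob cash fast second\AntiMp3.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
"""

# Assumption: the search/start-page hosts the owner actually chose.
EXPECTED_HOSTS = {"www.yahoo.com", "www.msn.com", "www.google.com"}

# Assumption: an HKLM autostart living under a user-writable data directory
# deserves a look; installed software normally lives under Program Files.
USER_WRITABLE = ("\\application data\\", "\\documents and settings\\", "\\temp\\")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\]\s+(.*)$")


def triage(log_text):
    """Return [(entry_line, reason), ...] for entries that deserve review."""
    findings = []
    lsp_seen = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("R0 - ", "R1 - ")) and " = http" in line:
            # Start page / search URL: anything outside the allowlist is a lead.
            host = urlparse(line.split(" = ", 1)[1]).hostname or ""
            if host not in EXPECTED_HOSTS:
                findings.append((line, f"search/start page points at {host}"))
        elif line.startswith("O1 - Hosts:"):
            # A hosts entry should be "<ip> <name>"; a non-loopback target
            # for a search host is a redirect, not a local override.
            m = HOSTS_RE.match(line)
            if m is None:
                findings.append((line, "malformed hosts entry"))
            elif not m.group(1).startswith("127."):
                findings.append((line, f"{m.group(2)} redirected to {m.group(1)}"))
        elif line.startswith(("O2 - BHO:", "R3 - URLSearchHook:")) and "(no name)" in line:
            findings.append((line, "unnamed browser extension"))
        elif line.startswith("O4 - "):
            m = RUN_RE.match(line)
            if m and any(p in m.group(3).lower() for p in USER_WRITABLE):
                findings.append((line, f"{m.group(1)} autostart from a user-writable path"))
        elif line.startswith("O10 - Unknown file in Winsock LSP:"):
            dll = line.split("LSP:", 1)[1].strip().lower()
            if dll not in lsp_seen:  # HJT prints one line per catalog entry
                lsp_seen.add(dll)
                findings.append((line, "unknown DLL in the Winsock LSP chain"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason:45s} <- {entry[:70]}")
```

The output is a worklist, not a fix list: Spybot's own SDHelper.dll also shows up as an unnamed BHO in the later logs in this thread, and the VBouncer autostart under Program Files is missed by the path heuristic, so each hit still needs a human to look at the file and the vendor.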
#2 ·
Ran Rav online antivirus and this is what it came up with!
Scan started at 9/1/2004 9:30:52 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Q230903.exe->(ASPack 1.084) - TrojanDownloader:Win32/WinShow.A -> Infected
C:\Program Files\Hide 2 dog\32.exe - TrojanDropper:Win32/Small.FL -> Infected
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1024\A0034488.exe - TrojanDownloader:Win32/Swizzor.NAB -> Infected
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1057\A0035729.exe->(UPXW) - Tool:pornDialer.gen! -> Suspicious
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1057\A0035730.exe->(UPXW) - Tool:pornDialer.gen! -> Suspicious
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1057\A0035731.exe->(UPXW) - Tool:pornDialer.gen! -> Suspicious
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1057\A0035746.exe - Tool:pornDialer.EA -> Infected
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1057\A0035827.dll - Trojan:Win32/Spy.BiSpy.C -> Infected
C:\WINDOWS\Downloaded Program Files\UGO20.exe - TrojanDownloader:Win32/Small.FE -> Infected
C:\WINDOWS\SYSTEM\Sleep.exe - Trojan:Win32/VB.AA -> Infected
C:\WINDOWS\SYSTEM32\TFTP260 - Win32/Msblast.A.dam#2 -> Infected
C:\WINDOWS\Temp\THI4BA1.tmp\twaintec.cab->twaintec.dll - Trojan:Win32/Spy.BiSpy.C -> Infected
C:\WINDOWS\Temp\THI4BA1.tmp\twaintec.dll - Trojan:Win32/Spy.BiSpy.C -> Infected
C:\WINDOWS\Temp\THI7FFD.tmp\twaintec.cab->twaintec.dll - Trojan:Win32/Spy.BiSpy.C -> Infected
C:\WINDOWS\Temp\THI7FFD.tmp\twaintec.dll - Trojan:Win32/Spy.BiSpy.C -> Infected

Scanned
============================
Objects: 56517
Directories: 3403
Archives: 12172
Size(Kb): -1420768
Infected files: 12

Found
============================
Viruses found: 8
Suspicious files: 3
Disinfected files: 0
Mail files: 114
 
#3 ·
Saw this in another post and thought you guys might need this info too!

Log for VX2.BetterInternet File Finder (msg126)

Files Found---
C:\WINDOWS\System32\6ao4svc.dll
C:\WINDOWS\System32\6ko4svc.dll
C:\WINDOWS\System32\anaamon.dll
C:\WINDOWS\System32\autxprxy.dll
C:\WINDOWS\System32\ayctres.dll
C:\WINDOWS\System32\ayptif.dll

Additional Files---
C:\WINDOWS\System32\wincore.dll
C:\WINDOWS\System32\cidrules.dll
C:\WINDOWS\System32\winupd.dll
C:\WINDOWS\System32\inetadpt
C:\WINDOWS\System32\winhost32.exe

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{6CE8139E-A061-462E-B2EA-44F5EA2F82D7}
 
#5 ·
Before you proceed with those instructions, please move Hijack This into its own folder in program files or my documents but not in the temporary files or on the desktop, so it can create proper back-ups and restore them if necessary.

Download the LSP Fix:

http://cexx.org/lspfix.htm

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of lspak.dll and cdlsp.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish.

Now start your computer in Safe Mode and delete:

The C:\windows\system32\lspak.dll - file
C:\windows\system32\cdlsp.dll - file

Then Please download and run the following programs:

CWSHREDDER

http://www.majorgeeks.com/download4086.html

Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

Then restart your computer.

IMPORTANT! To help prevent this from happening again, you should install all the Microsoft security patches and critical updates.

AD-AWARE

Go here: http://www.lavasoftusa.com/support/download/
and download Ad-Aware SE Personal

Install the program and launch it.

First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

Then, deselect Search for negligible risk entries.

To start the scan, click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

Restart your computer.

SPYBOT SEARCH & DESTROY

http://majorgeeks.com/download2471.html

Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode). Click online, Search for updates, Download all available updates. Close all Browser windows, Click ''Check for Problems''. Anything that needs to be fixed it will show in red and have a green check in the box to the left. Click ''Fix Selected Problems'', Then restart your computer.

Disable your system restore and do a couple of on-line virus scans:

http://www.pchell.com/virus/systemrestore.shtml

http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/

Then, after rebooting, please post another log and we’ll see what’s left to get rid of.
 
#6 ·
Hi, and thank you for your help. I've gone through all parts up to adware. When I run adware it scans up to C:\Windows\System32\MsDtc and stalls out every time. I was wondering if this is a problem file that can be deleted or something? I've checked this file out and it's some kind of trace file. If you need more info on it let me know. Thank you.
 
#8 ·
Ok, I ran both antivirus checks as recommended. Panda (which I did last) removed 4 viruses; they didn't say what they removed. Trend found 2 but could not clean; here is what they found.

TROJ VB.AA Non Cleanable C:\Windows\System\Sleep.exe
TROJ WINSHOW.A Non Cleanable C:\Q230903.exe

Here are the programs I've run so far:
CWS shredder
Spybot S&D
LSP fix
Kazzabeggone
And here is the latest HJT Log:

Logfile of HijackThis v1.98.2
Scan saved at 4:29:39 PM, on 9/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.internet-search.info/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bkdjldfprskyaeicvsdwfd.i...7iCLZql4HkaA39jJYmr4nP1MFtOzvG6GhuxlsRRhB.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: arch.msn.com
O1 - Hosts: tElementById('myScript').src = "";
O2 - BHO: (no name) - {194C3A50-3619-CC34-2817-D6B92B2FB086} - C:\PROGRA~1\UPFLAW~1\Datethunk.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [cool amen] C:\PROGRA~1\HIDE2D~1\CoalCast.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Fast Second Store Dart] C:\Documents and Settings\All Users\Application Data\boob cash fast second\AntiMp3.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ElseCoalInternetFile] C:\Documents and Settings\All Users\Application Data\RealBlueElseCoal\Mags Obj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094070796812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab

Here is my latest HJT log.
 
#9 ·
I'm sorry but I made a mistake when I told you to run LSP the first time, one of the files I mentioned was incorrect and that's why this one is still there:

Please run LSP fix again:

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of inetadpt.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish.

Now start your computer in Safe Mode and delete:

The C:\windows\system32\inetadpt.dll - file

Then, run VX2Finder again. Close ALL running programs and windows except VX2Finder. Sign off and stay off the Internet until the entire procedure is complete.

Run VX2Finder again and check off all those files found and click the Delete these Files button.
(for as many as you have)

Next click the UserAgent$ button (to remove that reg value)

Then click the Import.reg (to repair QuickLaunch Toolbar)

Finally click the Restore Desktop ...to restore the desktop (Explorer.exe will end while doing this fix)

Restart your computer and run VX2 Finder and post another log from it and Hijack This.
 
#10 ·
Ok here is the homework you required...hehe

Vx2 log:
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---
C:\WINDOWS\system32\wincore.dll
C:\WINDOWS\system32\cidrules.dll

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

User Agent String---

HJT Log:
Logfile of HijackThis v1.98.2
Scan saved at 9:42:23 AM, on 9/4/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\SpywareGuard\sgmain.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.internet-search.info/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.edzedxfoqycntoogi.com/Xb...7iCLZql4HkaA39jJYmr5Lnsfty9kAnqGhuxlsRRhB.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: arch.msn.com
O1 - Hosts: tElementById('myScript').src = "";
O2 - BHO: (no name) - {194C3A50-3619-CC34-2817-D6B92B2FB086} - C:\PROGRA~1\UPFLAW~1\Datethunk.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [cool amen] C:\PROGRA~1\HIDE2D~1\CoalCast.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Fast Second Store Dart] C:\Documents and Settings\All Users\Application Data\boob cash fast second\AntiMp3.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ElseCoalInternetFile] C:\Documents and Settings\All Users\Application Data\RealBlueElseCoal\Mags Obj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094070796812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
 
#11 ·
Turn off system restore. On the desktop, right-click on My Computer, click properties, click system restore tab, check turn off system restore, click apply and then OK. Restart your computer. Once your system is clean you will turn it back on and create a new restore point.

Go to Control Panel - Add/Remove programs and remove these if there:

VirtualBouncer or VBouncer
WinTools (or WinTools for Internet Explorer V2)


Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.internet-search.info/searchbar

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.edzedxfoqycntoogi.com/Xb...qGhuxlsRRhB.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O1 - Hosts: arch.msn.com

O1 - Hosts: tElementById('myScript').src = "";

O2 - BHO: (no name) - {194C3A50-3619-CC34-2817-D6B92B2FB086} - C:\PROGRA~1\UPFLAW~1\Datethunk.exe

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)

O4 - HKLM\..\Run: [cool amen] C:\PROGRA~1\HIDE2D~1\CoalCast.exe

O4 - HKLM\..\Run: [Fast Second Store Dart] C:\Documents and Settings\All Users\Application Data\boob cash fast second\AntiMp3.exe

O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [ElseCoalInternetFile] C:\Documents and Settings\All Users\Application Data\RealBlueElseCoal\Mags Obj.exe

O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...aploader_v5.cab


Then boot to safe mode (see how below), locate and delete these files and/or folders:

C:\PROGRA~1\UPFLAW~1\Datethunk.exe - folder (the name of the folder will start with UPFLAW and it will contain the file Datethunk.exe)
C:\PROGRA~1\HIDE2D~1\CoalCast.exe folder (the name of the folder will start with HIDE2D and it will contain the file CoalCast.exe)
C:\Documents and Settings\All Users\Application Data\boob cash fast second\AntiMp3.exe - folder
C:\Program Files\VBouncer\BundleOuter.EXE - folder
C:\Program Files\Common Files\WinTools\WToolsA.exe - folder
C:\Documents and Settings\All Users\Application Data\RealBlueElseCoal\Mags Obj.exe - folder
C:\PROGRA~1\MYDAILYHOROSCOPE\MYDAIL~1.EXE - folder

How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Because XP will not always show you hidden files and folders by default, Go to Start - Search and under "More advanced search options". Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

Now do this:
Close Ad-Aware SE Personal and Ad-Watch (if running)
Download the free VX2 Cleaner here : http://www.majorgeeks.com/download4283.html

Install the VX2 Cleaner
Start Ad-Aware 6 build 181
Go to “Plug-ins”
Select the VX2 Cleaner plug-in and click “Run Plugin”
If your computer isn’t infected, click “Close”.

If your computer is infected

Select “Clean system”
Reboot your computer
Scan your computer with Ad-Aware
Remove any VX2 objects detected
Reboot your computer again
Run a second scan to make sure the files have been removed from your computer

Then post a new Hijack This log please.
 
#12 ·
Ok, here's the latest. I've done all those things except adware; it still stalls out in the system32 folder and I'm not sure why. It does pull up criticals, but because it doesn't finish I can't get rid of them. I've tried uninstalling adware and reinstalling both the new version and the 6.181 version I have; both stall out. I have not tried installing a fresh copy; maybe I'll do that next. Here is my latest HJT log. I also wanted to mention a few programs in the add/remove list that look to be suspect. Some have a little icon that reads SE and there's about 5 of these in there; when I try to uninstall them it says I have to be the admin to remove. Another is medialoader, not sure what this is. Then there's one called IE toolbar search or helper; when I try to uninstall it, it brings me to a webpage that says it will remove it and has a little survey to fill out, but I click remove and it doesn't remove it from the add/remove list??? I'm not at that computer so I'm trying to recall these by memory.

Logfile of HijackThis v1.98.2
Scan saved at 6:30:14 PM, on 9/4/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\My Documents\Spyware\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094070796812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
 
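The thread works by posting a fresh log after each round and seeing "what's left"; the following is an added example (my own code, not from the forum post or from HijackThis) that does that comparison mechanically. It extracts the R/O entries from two logs, ignoring the header and the "Running processes" list (whose order changes between scans), reports which entries disappeared and which are new, and checks a fix list against the newer log. The two sample logs are trimmed copies of the 9/4/2004 morning and evening logs above and the fix list is three of the entries the helper asked to have "fix checked"; trimming them is my choice for the example.

```python
"""Compare two HijackThis logs to see what a cleanup pass actually removed.

Added example: my own code, not from the forum post or from HijackThis. The
two sample logs are trimmed copies of the 9/4/2004 morning and evening logs
posted in this thread; the fix list is taken from the instructions posted
between them.
"""
import re

# An HJT entry line starts with a section tag such as R1, O2, O4, O16.
ENTRY_RE = re.compile(r"^[RO]\d+ - ")

# Constructed sample: subset of the 9:42 AM log.
OLD_LOG = r"""
Logfile of HijackThis v1.98.2
Scan saved at 9:42:23 AM, on 9/4/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Owner\My Documents\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.internet-search.info/searchbar
O2 - BHO: (no name) - {194C3A50-3619-CC34-2817-D6B92B2FB086} - C:\PROGRA~1\UPFLAW~1\Datethunk.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [cool amen] C:\PROGRA~1\HIDE2D~1\CoalCast.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
"""

# Constructed sample: subset of the 6:30 PM log.
NEW_LOG = r"""
Logfile of HijackThis v1.98.2
Scan saved at 6:30:14 PM, on 9/4/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Owner\My Documents\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
"""

# Three of the entries the helper asked to have "fix checked".
FIX_LIST = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.internet-search.info/searchbar",
    r"O2 - BHO: (no name) - {194C3A50-3619-CC34-2817-D6B92B2FB086} - C:\PROGRA~1\UPFLAW~1\Datethunk.exe",
    r"O4 - HKLM\..\Run: [cool amen] C:\PROGRA~1\HIDE2D~1\CoalCast.exe",
]


def normalise(line):
    """Collapse whitespace and lower-case, so System32 vs system32 or a stray
    double space does not show up as a change between two scans."""
    return " ".join(line.split()).lower()


def hjt_entries(log_text):
    """Set of normalised HJT entries in a log; the header and the
    'Running processes' list are skipped because they never match ENTRY_RE."""
    return {normalise(l) for l in log_text.splitlines() if ENTRY_RE.match(l.strip())}


def diff_logs(old_text, new_text):
    """Return (removed, added): entries gone since the old log, and entries
    that appeared in the new one."""
    old, new = hjt_entries(old_text), hjt_entries(new_text)
    return sorted(old - new), sorted(new - old)


def unresolved(fix_list, new_text):
    """Entries from the helper's fix list that are still present in the new log."""
    present = hjt_entries(new_text)
    return [entry for entry in fix_list if normalise(entry) in present]


if __name__ == "__main__":
    removed, added = diff_logs(OLD_LOG, NEW_LOG)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("still to fix:", unresolved(FIX_LIST, NEW_LOG) or "nothing")
```

Anything reported under "added" between two rounds is the interesting part for a reviewer: a hijacked search URL whose host changes from one scan to the next (as the R0 SearchAssistant entry does between the 9/3 and 9/4 logs above) points to a component that is still alive and re-writing the setting, which is a different problem from leftover entries that merely need to be fixed once.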
#14 ·
Just a small update; I didn't have much time today (I work 12hr shifts on the weekends). I uninstalled adware, downloaded a new copy and still had the same results. I also tried running adware in safe mode but same results; stalls out in the system32 file. It is still finding bad items, but because it does not finish (I have to close it out) it doesn't take care of the problems. Panda found nothing and Trend was running when I left for work. I will let you know what, if anything, is found in the morning and also post a new HJT log. Hope you're having a great Labor Day (if you're in this neck of the woods, that is)!! And thanks again for all your help!! PS Are there any other programs comparable to adware that I could download and run to maybe get rid of the baddies that are left?
 
#15 ·
Ok here's what Trend found: TROJ_WINSHOW.A C:Q230903.EXE
There are instructions there on how to remove this; should I do that or use something else?

Here's the latest HJT log.
Logfile of HijackThis v1.98.2
Scan saved at 9:29:36 AM, on 9/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094070796812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
 
#17 ·
As far as Trend removing that virus, it said it was uncleanable but had instructions on how to remove it.

Ok I tried the Look2Me thing and it kept saying that my security settings would allow the download and I only had 2 chances at downloading. I put all my internet security settings to low and it still said the same, now I have to wait till tomorrow to try again...lol. Here is the new VX2 log and I also ran another program, cws dll compare. Don't know if that helps but I'll throw it on also.

vx2:
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---
C:\WINDOWS\system32\wincore.dll
C:\WINDOWS\system32\cidrules.dll

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
DLL compare:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\ajptif.dll Wed Jun 30 2004 1:01:12p ..SHR 316,776 309.35 K
C:\WINDOWS\SYSTEM32\aktiveds.dll Thu May 6 2004 2:50:34p A.SHR 316,776 309.35 K
C:\WINDOWS\SYSTEM32\alsldp.dll Thu May 6 2004 2:50:34p ..SHR 316,776 309.35 K
C:\WINDOWS\SYSTEM32\amledit.dll Thu May 6 2004 2:50:34p A.SHR 316,776 309.35 K
C:\WINDOWS\SYSTEM32\mfc42.dll Wed Aug 4 2004 3:56:42a ..SH. 1,028,096 1004.00 K
C:\WINDOWS\SYSTEM32\msvcirt.dll Wed Aug 4 2004 3:56:44a A.SH. 54,784 53.50 K
C:\WINDOWS\SYSTEM32\msvcp60.dll Wed Aug 4 2004 3:56:44a A.SH. 413,696 404.00 K
C:\WINDOWS\SYSTEM32\oleaut32.dll Wed Aug 4 2004 3:56:44a ..SH. 553,472 540.50 K
C:\WINDOWS\SYSTEM32\olepro32.dll Wed Aug 4 2004 3:56:44a ..SH. 83,456 81.50 K
________________________________________________

1,385 items found: 1,385 files (9 H/S), 0 directories.
Total of file sizes: 302,976,276 bytes 288.94 M

Administrator Account = True

--------------------End log---------------------
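The DLLCompare log above lists four differently named DLLs in SYSTEM32 that are all Hidden+System+Read-only and all exactly 316,776 bytes, next to five hidden system DLLs that share nothing. Sorting that out by eye is easy for nine lines and tedious for a thousand. The following is an added example, not a tool from this thread or from DLLCompare's author: it parses lines in the posted format and surfaces exact-size clusters of hidden system files for manual review. The sample log is a constructed copy of the lines above, and the five-character attribute field is read positionally on the assumption (from the sample) that the letters S, H and R mark System, Hidden and Read-only.

```python
import re
from collections import defaultdict

# Constructed sample in the DLLCompare "Files Found that Windows does not See"
# format; the lines mirror the log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM32\ajptif.dll Wed Jun 30 2004 1:01:12p ..SHR 316,776 309.35 K
C:\WINDOWS\SYSTEM32\aktiveds.dll Thu May 6 2004 2:50:34p A.SHR 316,776 309.35 K
C:\WINDOWS\SYSTEM32\alsldp.dll Thu May 6 2004 2:50:34p ..SHR 316,776 309.35 K
C:\WINDOWS\SYSTEM32\amledit.dll Thu May 6 2004 2:50:34p A.SHR 316,776 309.35 K
C:\WINDOWS\SYSTEM32\mfc42.dll Wed Aug 4 2004 3:56:42a ..SH. 1,028,096 1004.00 K
C:\WINDOWS\SYSTEM32\msvcirt.dll Wed Aug 4 2004 3:56:44a A.SH. 54,784 53.50 K
C:\WINDOWS\SYSTEM32\msvcp60.dll Wed Aug 4 2004 3:56:44a A.SH. 413,696 404.00 K
C:\WINDOWS\SYSTEM32\oleaut32.dll Wed Aug 4 2004 3:56:44a ..SH. 553,472 540.50 K
C:\WINDOWS\SYSTEM32\olepro32.dll Wed Aug 4 2004 3:56:44a ..SH. 83,456 81.50 K
"""

# One DLLCompare line: path, timestamp, five-character attribute field, byte
# size with thousands separators, human-readable size. The attribute letters
# are an assumption drawn from the sample: A/S/H/R with '.' where unset.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+"
    r"(?P<date>\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attr>[A-Z.]{5})\s+"
    r"(?P<size>[\d,]+)\s+"
    r"(?P<human>[\d.]+ [KM])$"
)


def parse_dllcompare(text):
    """Return one dict per file line; header and footer lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "path": m["path"],
                "attr": m["attr"],
                "size": int(m["size"].replace(",", "")),
                "hidden_system": "S" in m["attr"] and "H" in m["attr"],
                "read_only": "R" in m["attr"],
            })
    return entries


def same_size_clusters(entries, min_members=2):
    """Group Hidden+System files by exact byte size and keep groups with at
    least min_members files. Several differently named hidden DLLs of
    identical size in system32 is the pattern worth surfacing for review."""
    by_size = defaultdict(list)
    for e in entries:
        if e["hidden_system"]:
            by_size[e["size"]].append(e["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_members}


def singletons(entries):
    """Hidden+System files that share their size with no other entry: lower
    priority, but still worth comparing against a known-good copy."""
    clustered = {p for paths in same_size_clusters(entries).values() for p in paths}
    return [e["path"] for e in entries if e["hidden_system"] and e["path"] not in clustered]


if __name__ == "__main__":
    parsed = parse_dllcompare(SAMPLE_LOG)
    for size, paths in same_size_clusters(parsed).items():
        print(f"{len(paths)} hidden/system files of exactly {size:,} bytes:")
        for p in paths:
            print("   ", p)
    print("other hidden/system files:", *singletons(parsed), sep="\n    ")
```

Run against the sample it reports one cluster (the four 316,776-byte DLLs) and five singletons. Exact size match is deliberate: a hash would be better, but DLLCompare only records sizes, and the log itself warns that not everything listed means infection, so the output is a review queue, not a verdict.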
 
#18 ·
IMPORTANT!: Before you run this tool please close ALL running programs. Sign off and stay off the internet until the entire procedure is complete.

Now run VX2Finder again and click on the Find VX2.Betterinternet button. It will display the entries as before. Select all these files:

C:\WINDOWS\system32\wincore.dll
C:\WINDOWS\system32\cidrules.dll

Click on the Delete these files button. Restart your computer and run VX2Finder again. This time click on the Make Log button as you did before and also click on the Hosts Log button. Copy and paste both of those logs here in your next reply.
 
#19 ·
Hi, when I run VX2 it gives me the list at the top which I posted last, but the files you requested me to delete don't show up in the bottom pane. Therefore I can't select them to delete them. Should I try to delete them manually?
C:\WINDOWS\system32\wincore.dll
C:\WINDOWS\system32\cidrules.dll
 
#21 ·
I think deleting them manually worked. Here's the log.
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---

Host log............> 127.0.0.1 localhost

As far as Ad-Aware goes I've tried everything, even the new release, and it still stalls out???? I ran Zone Alarm's pest scan and it found lots of stuff left on the computer but it wouldn't let me copy the info. I think I may have to buy a different malware remover, any recommendations? Also the Look2Me download, I've tried once tonight and it still says my security settings won't allow the download. I've turned off the XP firewall, set all IE security settings to low and I can't think of anything else to turn off. I only have one more shot at downloading it so I figured I'd ask before trying again.
 
#22 ·
Update to the above post. I downloaded and ran Spyware Doctor and it found the following items. If I pay I can get rid of these, but I want to make sure this is the best program to get stuck with.

StoolBar (multiple) general malware *
E2Give (HKLM\software\e2g) registry key *
eAcceleration (HKCR\directory\shellex\contextmenuhandlers\eac_virusscanner) registry key *
WildTangent (HKCR\interface\{aa0c96f9-a994-42d7-9543-842cf85e1ba7}) registry key *
WildTangent (HKCR\interface\{b57613b6-ef02-4d96-99c6-70c9a2014a14}) registry key *
WildTangent (HKCR\wt3d.wt) registry key *
WildTangent (HKCR\interface\{bdb9b021-caff-11d2-9780-00104b242ea3}) registry key *
WildTangent (HKCR\clsid\{ecfbe6e0-1ac8-11d4-8501-00a0cc5d1f63}) registry key *
WildTangent (HKCR\wt3d.wt.1) registry key *
WildTangent (HKCR\interface\{bdb9b022-caff-11d2-9780-00104b242ea3}) registry key *
WildTangent (HKCR\interface\{c1da7ab8-54fc-4971-9afb-1bcb9afc3aa2}) registry key *
WildTangent (HKCR\interface\{c3a156d4-503f-4779-a673-657308d94faf}) registry key *
WildTangent (HKCR\clsid\{fa13a9fa-ca9b-11d2-9780-00104b242ea3}) registry key *
WildTangent (HKCR\wtvis.wtvisreceiver) registry key *
WildTangent (HKCR\interface\{d72ac8e7-f41d-11d2-a566-444553540000}) registry key *
WildTangent (HKCR\wtvis.wtvisreceiver.1) registry key *
WildTangent (HKCR\wtvis.wtvissender) registry key *
WildTangent (HKCR\interface\{de3e540a-f0f2-4761-99be-afc6dc427e30}) registry key *
WildTangent (HKCR\wtvis.wtvissender.1) registry key *
WildTangent (HKCR\interface\{ea6f254d-1a8c-4518-8fe0-e9b94fd134ed}) registry key *
WildTangent (HKCR\interface\{ec914a5c-7c4b-4ac8-8c86-c10ff5c0d23d}) registry key *
WildTangent (HKCR\interface\{f10493c1-d0b6-11d2-a566-444553540000}) registry key *
WildTangent (HKCR\clsid\{7f23e6e5-0e79-4aee-b723-b1463805d5a9}) registry key *
WildTangent (HKCR\interface\{fa13aa3a-ca9b-11d2-9780-00104b242ea3}) registry key *
WildTangent (HKCR\interface\{fa13aa3e-ca9b-11d2-9780-00104b242ea3}) registry key *
WildTangent (HKCR\interface\{fa13aa40-ca9b-11d2-9780-00104b242ea3}) registry key *
WildTangent (HKCR\interface\{05ef74a5-e109-11d2-a566-444553540000}) registry key *
WildTangent (HKCR\clsid\{8ecf83a0-1ac9-11d4-8501-00a0cc5d1f63}) registry key *
WildTangent (HKCR\interface\{fa13aa44-ca9b-11d2-9780-00104b242ea3}) registry key *
WildTangent (HKCR\interface\{0e7ae465-ee8d-11d2-a566-444553540000}) registry key *
WildTangent (HKCR\interface\{fa13aa46-ca9b-11d2-9780-00104b242ea3}) registry key *
WildTangent (HKCR\interface\{1113c0b6-5300-4d5d-b2d7-35c14b28341b}) registry key *
WildTangent (HKCR\interface\{fa13aa50-ca9b-11d2-9780-00104b242ea3}) registry key *
WildTangent (HKCR\interface\{111d8b01-96c5-46dd-94d1-c6e8b1f69f44}) registry key *
WildTangent (HKCR\interface\{fa13aafa-ca9b-11d2-9780-00104b242ea3}) registry key *
WildTangent (HKCR\interface\{16410859-886f-4579-bc1f-330a139d0f0f}) registry key *
WildTangent (HKCR\interface\{feca7cfa-1083-4073-a98a-cf3389fcaf6a}) registry key *
WildTangent (HKCR\interface\{35ed7dfb-a8ed-4216-a4bb-bc08c326ef08}) registry key *
WildTangent (HKCR\interface\{399a8818-2000-436c-9a55-0016e5e3d227}) registry key *
WildTangent (HKCR\clsid\{b9ba256a-075b-49ea-b9e2-7dbc2ef021d5}) registry key *
WildTangent (HKCR\interface\{52889e01-cb46-11d2-96bc-00104b242e64}) registry key *
WildTangent (HKCR\interface\{5c49cbd2-8ed7-439b-8668-32149f84a235}) registry key *
WildTangent (HKCR\interface\{6e6cf8e5-d795-11d2-a566-444553540000}) registry key *
WildTangent (HKCR\typelib\{fa13aa2e-ca9b-11d2-9780-00104b242ea3}) registry key *
WildTangent (HKCR\interface\{79884200-3ade-11d3-ac39-00105a2057fa}) registry key *
WildTangent (HKCR\interface\{810e95c2-f908-4e02-9b28-b92c3a778d0d}) registry key *
C-Dilla (HKLM\SOFTWARE\C07ft5Y) registry key *
dialer (HKLM\software\diallerprogram) registry key *
SlimFTP (C:\WINDOWS\system32\msrev21.dll) file *
AdDestroyer (C:\WINDOWS\system32\popoops.dll) file *
AdDestroyer (C:\WINDOWS\system32\popoops2.dll) file *
AdDestroyer (C:\WINDOWS\system32\swlad1.dll) file *
AdDestroyer (C:\WINDOWS\system32\swlad2.dll) file *
WildTangent (C:\WINDOWS\wt\wt3d.dll) file *
WildTangent (C:\WINDOWS\wt\wtvh.dll) file *
StopSign (C:\Documents and Settings\Owner\Local Settings\Temp\EAC00000000\defscan_setup2.exe.chk) file *
StopSign (C:\Documents and Settings\Owner\Local Settings\Temp\EAC00000000\spyware.cnr) file *
StopSign (C:\Documents and Settings\Owner\Local Settings\Temp\EAC00000000\vclnr.cnr) file *
StopSign (C:\Documents and Settings\Owner\Local Settings\Temp\EAC00000000\vclnr2.cnr) file *
2nd-thought.com (C:\WINDOWS\SYSTEM32\msxml3.inf) file *
2nd-thought.com (C:\WINDOWS\SYSTEM32\SWRT01.dll) file *
 
#23 ·
Update.... Ran Stinger, it found and deleted this:
Hey thanks for the Stinger info, it removed this one
C:\WINDOWS\SYSTEM32\TFTP260
Found the W32/Blaster.worm.a virus!!!
C:WINDOWS\SYSTEM32\TFTP260 has been deleted.

Also deleted everything in C:\windows\temp except the temporary internet files, cookies and history folders, and C:\Documents and Settings\USER NAME\Local Settings\Temp.

Still no luck with Ad-Aware but I'll keep trying.
 
#26 ·
Ok did the Ad-Aware trick and was able to remove all that was left in the computer. Note: it still hangs at c:\windows\system32\microsoft but I was able to skip that file and the rest of the locations were clean. I think this thread can be marked as solved. I want to say thanks to all who helped, this is indeed the best website on the net!!!!! Here's a final HJT just for good measure!

Logfile of HijackThis v1.98.2
Scan saved at 11:50:52 AM, on 9/9/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094070796812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
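Each post in this thread asks the reader to spot what changed between two HijackThis logs: which autostart (O4) entries went away, which processes appeared, which ActiveX downloads (O16) were added by the online scanners. The following is an added example, not part of the thread and not HijackThis's own code: it parses the log format into a set of running processes and a set of R/O entries, reports the difference between two scans, and lists the hosts named in O16 DPF lines so a reviewer can confirm each one is a scanner the user actually ran. The two inputs are constructed, abbreviated copies of the 9/6 and 9/9 logs above, trimmed to a handful of lines that differ plus a few that do not.

```python
import re

# "R0 - ...", "R1 - ...", "O2 - ...", "O16 - ..." lines; everything else is header text.
ENTRY_RE = re.compile(r"^(?P<type>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Constructed samples: abbreviated copies of the 9/6 and 9/9 logs from this thread.
BEFORE = r"""Logfile of HijackThis v1.98.2
Scan saved at 9:29:36 AM, on 9/6/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""

AFTER = r"""Logfile of HijackThis v1.98.2
Scan saved at 11:50:52 AM, on 9/9/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""


def parse_hjt(text):
    """Split a HijackThis log into its process list and its R/O entries.

    The process list is every non-blank line after "Running processes:" up to
    the next blank line; paths are lower-cased because Windows paths are
    case-insensitive and the log mixes System32/system32. Entries are kept
    verbatim so the diff output can be pasted back into a reply as-is."""
    processes, entries = set(), set()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        if in_procs:
            processes.add(line.lower())
            continue
        if ENTRY_RE.match(line):
            entries.add(line)
    return {"processes": processes, "entries": entries}


def diff_hjt(before_text, after_text):
    """What appeared and what disappeared between two scans, as sorted lists."""
    a, b = parse_hjt(before_text), parse_hjt(after_text)
    return {
        "entries_added": sorted(b["entries"] - a["entries"]),
        "entries_removed": sorted(a["entries"] - b["entries"]),
        "processes_added": sorted(b["processes"] - a["processes"]),
        "processes_removed": sorted(a["processes"] - b["processes"]),
    }


def dpf_hosts(text):
    """Hosts from which O16 (Downloaded Program Files) ActiveX controls were
    fetched; each one should correspond to a scanner the user knowingly ran."""
    hosts = set()
    for entry in parse_hjt(text)["entries"]:
        if entry.startswith("O16 - "):
            hosts.update(h.lower() for h in URL_HOST_RE.findall(entry))
    return sorted(hosts)


if __name__ == "__main__":
    for key, lines in diff_hjt(BEFORE, AFTER).items():
        print(key)
        for line in lines:
            print("   ", line)
    print("O16 download hosts in the later log:", dpf_hosts(AFTER))
```

On these samples the diff shows the SpywareGuard startup entry gone, the AVG_CC run key and the pestscan.com ActiveX control added, AVG's two processes started and wscntfy.exe plus sgmain.exe no longer running. Entries are compared as exact strings on purpose: a changed command-line argument on an existing O4 key is a change an analyst wants to see, not something to normalise away.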
 