pls check hijack log

greenstrat · Feb 4, 2005

Logfile of HijackThis v1.99.0
Scan saved at 9:55:06 PM, on 2/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Visual IP InSight\TDS\ARMon32a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ntwa.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\d3cl.exe
C:\Program Files\Windows AdStatus\WinStat.exe
C:\temp\salm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\tibs5.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\program files\internet explorer\iexplore.exe
C:\Program Files\Windows AdStatus\WinStatKeep.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Visual IP InSight\TDS\ARUpld32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Pendragon\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cbcra.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cbcra.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cbcra.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cbcra.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cbcra.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cbcra.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cbcra.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TDS Internet Services
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C71515D-BD4E-2600-3366-5E88EB58BB2D} - C:\WINDOWS\apiwh32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VHorse] C:\Program Files\VisualHorse\vhorse.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TDSSETUP] "C:\Program Files\TDS Telecom\TDS Internet Services\runfile.exe" "C:\Program Files\TDS Telecom\TDS Internet Services" splash.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [d3cl.exe] C:\WINDOWS\system32\d3cl.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\PENDRA~1\LOCALS~1\Temp\SAHAGE~1.EXE run
O4 - HKLM\..\Run: [277.tmp] C:\DOCUME~1\PENDRA~1\LOCALS~1\Temp\277.tmp.exe 0 28129
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://start.tds.net/
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9B6676C-399A-45BE-AC58-74B7C9F2C75F}: NameServer = 216.165.129.157 216.170.153.146
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: InCD File System Service - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Visual IP InSight Client (TDS) - Visual Networks - C:\Program Files\Visual IP InSight\TDS\LaunchIPI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\ntwa.exe

thanks
Todd

crushbone · Feb 4, 2005

Hello greenstrat!

Open Task Manager (ctrl+alt+delete) and choose the "Processes" tab.
Find and "End Process" the following processes:
d3cl.exe
WinStat.exe
salm.exe
bargains.exe
WinStatKeep.exe

Turn off System Restore by right-clicking on My Computer and choosing "Properties". Click on the "System Restore" tab and put a tick next to "Turn System Restore off". Click "OK".

Go to My Computer and click on "Tools" then "Folder Options. Click on the "View" tab and make sure that "Show hidden files and folders" is enabled. Click "OK".

Find and delete the following files and folders hilighted in RED:
C:\WINDOWS\system32\d3cl.exe
C:\Program Files\Windows AdStatus
C:\temp\salm.exe
C:\Program Files\BullsEye Network

Run HijackThis and fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cbcra.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cbcra.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cbcra.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cbcra.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cbcra.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cbcra.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cbcra.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {3C71515D-BD4E-2600-3366-5E88EB58BB2D} - C:\WINDOWS\apiwh32.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)

O4 - HKLM\..\Run: [d3cl.exe] C:\WINDOWS\system32\d3cl.exe

O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe

O4 - HKLM\..\Run: [salm] c:\temp\salm.exe

O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\PENDRA~1\LOCALS~1\Temp\SAHAGE~1.EXE run

O4 - HKLM\..\Run: [277.tmp] C:\DOCUME~1\PENDRA~1\LOCALS~1\Temp\277.tmp.exe 0 28129

O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C.../bridge-c46.cab

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw.../0006_adult.cab

O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

Open Internet Explorer and at the top click on "Tools" and choose "Internet Options". Click on the "Advanced" tab and untick "Enable third-party browser extensions". Click on "Apply" then "OK".

Download DelDomains from here:
http://www.mvps.org/winhelp2002/DelDomains.inf

Right-Click and select "Install". This will remove the O15 entries in HijackThis.

Download CWShredder from here:
http://cwshredder.net/bin/CWSInstall.exe

Install and run CWShredder. Click on "Check for Update" and download the latest updates. Next, click on "Fix". Exit out of CWShredder.

Restart your computer and post a fresh HijackThis log back on this thread.

greenstrat · Feb 4, 2005

Thanks for the reply
did as you recommended but had problem deleting
winstat.exe
winstatkeep.exe
winstatcomm.dll
all parts of
C:\Program Files\Windows AdStatus
error msg says object is in use but if I try to end the running process
winstat.exe
winstatkeep.exe
they automatically reappear as running processes?
AVG virus also tells me that "Trojan Horse Dialer" is present in C:\Windows\system32\_t.exe
I ran AVG twice but I still get this message.

heres the updated hijack scan.

Logfile of HijackThis v1.99.0
Scan saved at 11:41:15 PM, on 2/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\d3cl.exe
C:\WINDOWS\System32\tibs5.exe
C:\Program Files\Windows AdStatus\WinStat.exe
C:\Program Files\Windows AdStatus\WinStatKeep.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\ACT\SideACT.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Visual IP InSight\TDS\ARMon32a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\ntwa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Visual IP InSight\TDS\ARUpld32.exe
C:\WINDOWS\System32\ap9h4qmo.exe
C:\Documents and Settings\Pendragon\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TDS Internet Services
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {04D84A7E-AF1A-27B3-7174-33D2BABA7210} - C:\WINDOWS\apikc32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VHorse] C:\Program Files\VisualHorse\vhorse.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TDSSETUP] "C:\Program Files\TDS Telecom\TDS Internet Services\runfile.exe" "C:\Program Files\TDS Telecom\TDS Internet Services" splash.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [d3cl.exe] C:\WINDOWS\system32\d3cl.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://start.tds.net/
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9B6676C-399A-45BE-AC58-74B7C9F2C75F}: NameServer = 216.165.129.157 216.170.153.146
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: InCD File System Service - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Visual IP InSight Client (TDS) - Visual Networks - C:\Program Files\Visual IP InSight\TDS\LaunchIPI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\ntwa.exe

thanks again
Todd

crushbone · Feb 4, 2005

Print out this page and do exactly everything in my previous post in Safe Mode.

How to start your computer in Safe Mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Restart your computer and post a fresh HijackThis log back on this thread.

greenstrat · Feb 4, 2005

Ok, did everything in safemode
AVG is still warning me of the trojan horse dialer in "C:\Windows\system32\_t.exe"
unfortunately I cannot find this file and if I run AVG on "C:\Windows\system32"
it finds nothing. I think everything else is good, heres the latest scan.

Logfile of HijackThis v1.99.0
Scan saved at 12:20:37 AM, on 2/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\d3cl.exe
C:\WINDOWS\System32\tibs5.exe
C:\WINDOWS\System32\gah95on6.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\ACT\SideACT.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Visual IP InSight\TDS\ARMon32a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ntwa.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Visual IP InSight\TDS\ARUpld32.exe
C:\Documents and Settings\Pendragon\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TDS Internet Services
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {04D84A7E-AF1A-27B3-7174-33D2BABA7210} - C:\WINDOWS\apikc32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VHorse] C:\Program Files\VisualHorse\vhorse.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TDSSETUP] "C:\Program Files\TDS Telecom\TDS Internet Services\runfile.exe" "C:\Program Files\TDS Telecom\TDS Internet Services" splash.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [d3cl.exe] C:\WINDOWS\system32\d3cl.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://start.tds.net/
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9B6676C-399A-45BE-AC58-74B7C9F2C75F}: NameServer = 216.165.129.157 216.170.153.146
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: InCD File System Service - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Visual IP InSight Client (TDS) - Visual Networks - C:\Program Files\Visual IP InSight\TDS\LaunchIPI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\ntwa.exe

Thanks
Todd

greenstrat · Feb 4, 2005

I just noticedI forgot to delete
O4 - HKLM\..\Run: [d3cl.exe] C:\WINDOWS\system32\d3cl.exe
got it now

Todd

crushbone · Feb 4, 2005

Find and delete the following file:
C:\Windows\system32\_t.exe

If you cannot delete it, it may be a "Running Process", so "End Process" it in Task Manager and then delete the file. If you are unable to delete it, try deleting it in Safe Mode.

Make sure you fix those entries in my first response aswell.

Restart your computer and post a fresh HijackThis log back on this thread.

greenstrat · Feb 4, 2005

Actually the problem is I cant find the file (nor can AVG)
same as this post
http://forums.techguy.org/t301810&highlight=trojan+horse+dialer.html
tried spybot like the reply to this question suggested and I still get the msg every 5 min.
(fixed the entries from your 1st resp)
Thanks again
Todd

crushbone · Feb 4, 2005

Post a fresh HijackThis log back on this thread.

greenstrat · Feb 4, 2005

heres the latest,
I have deleted
"R3 - Default URLSearchHook is missing"
several times but it continues to appear in subsequent scans
Thanks
Todd

Logfile of HijackThis v1.99.0
Scan saved at 1:20:27 AM, on 2/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\tibs5.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\ACT\SideACT.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Visual IP InSight\TDS\ARMon32a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ntwa.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Visual IP InSight\TDS\ARUpld32.exe
C:\Documents and Settings\Pendragon\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TDS Internet Services
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {04D84A7E-AF1A-27B3-7174-33D2BABA7210} - C:\WINDOWS\apikc32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VHorse] C:\Program Files\VisualHorse\vhorse.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TDSSETUP] "C:\Program Files\TDS Telecom\TDS Internet Services\runfile.exe" "C:\Program Files\TDS Telecom\TDS Internet Services" splash.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [d3cl.exe] C:\WINDOWS\system32\d3cl.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://start.tds.net/
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9B6676C-399A-45BE-AC58-74B7C9F2C75F}: NameServer = 216.165.129.157 216.170.153.146
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: InCD File System Service - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Visual IP InSight Client (TDS) - Visual Networks - C:\Program Files\Visual IP InSight\TDS\LaunchIPI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\ntwa.exe

crushbone · Feb 4, 2005

Open Task Manager (ctrl+alt+delete) and choose the "Processes" tab.
Find and "End Process" the following processs:
tibs5.exe

Find and delete the following file:
C:\WINDOWS\System32\tibs5.exe

Run HijackThis and fix the following entries:

O2 - BHO: (no name) - {04D84A7E-AF1A-27B3-7174-33D2BABA7210} - C:\WINDOWS\apikc32.dll

O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe

O4 - HKLM\..\Run: [d3cl.exe] C:\WINDOWS\system32\d3cl.exe

Read this on how to keep your computer clean:
http://department.monm.edu/is/fac-staff/keep-clean.htm

Restart your computer and post a fresh HijackThis log back on this thread.

greenstrat · Feb 4, 2005

heres the lataest scan

Thanks again

Logfile of HijackThis v1.99.0
Scan saved at 10:02:22 AM, on 2/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\gah95on6.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\ACT\SideACT.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Visual IP InSight\TDS\ARUpld32.exe
C:\Program Files\Visual IP InSight\TDS\ARMon32a.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ntwa.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Visual IP InSight\TDS\ARUpld32.exe
C:\Documents and Settings\Pendragon\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TDS Internet Services
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B27B24CE-13ED-6759-8453-561804F509FD} - C:\WINDOWS\atlcd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VHorse] C:\Program Files\VisualHorse\vhorse.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TDSSETUP] "C:\Program Files\TDS Telecom\TDS Internet Services\runfile.exe" "C:\Program Files\TDS Telecom\TDS Internet Services" splash.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://start.tds.net/
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9B6676C-399A-45BE-AC58-74B7C9F2C75F}: NameServer = 216.165.129.157 216.170.153.146
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: InCD File System Service - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Visual IP InSight Client (TDS) - Visual Networks - C:\Program Files\Visual IP InSight\TDS\LaunchIPI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\ntwa.exe

crushbone · Feb 4, 2005

Make sure that you are NOT connected to the Internet while doing the following (Print out this page):

Open Task Manager (ctrl+alt+delete) and choose the "Processes" tab.
Find and "End Process" the following process:
gah95on6.exe

Find and delete the following file:
C:\WINDOWS\System32\gah95on6.exe

Run HijackThis and fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qybgb.dll/sp.html#28129

O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe

Right-click Internet Explorer and choose "Properties". Click on "Delete files" and tick "Delete all offline content" and click "OK" and "OK" again.

Restart your computer and post a fresh HijackThis log back on this thread.

greenstrat · Feb 4, 2005

OK here we go again
I had to go into safe mode to delete "C:\Windowssystem32\gah95on6.exe"
also I never found it as a running process?

Thanks again

Logfile of HijackThis v1.99.0
Scan saved at 5:13:57 PM, on 2/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\ACT\SideACT.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Visual IP InSight\TDS\ARUpld32.exe
C:\Program Files\Visual IP InSight\TDS\ARMon32a.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ntwa.exe
C:\Program Files\Visual IP InSight\TDS\ARUpld32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Pendragon\Desktop\utilities\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TDS Internet Services
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B27B24CE-13ED-6759-8453-561804F509FD} - C:\WINDOWS\atlcd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VHorse] C:\Program Files\VisualHorse\vhorse.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TDSSETUP] "C:\Program Files\TDS Telecom\TDS Internet Services\runfile.exe" "C:\Program Files\TDS Telecom\TDS Internet Services" splash.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://start.tds.net/
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9B6676C-399A-45BE-AC58-74B7C9F2C75F}: NameServer = 216.165.129.157 216.170.153.146
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: InCD File System Service - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Visual IP InSight Client (TDS) - Visual Networks - C:\Program Files\Visual IP InSight\TDS\LaunchIPI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\ntwa.exe

crushbone · Feb 5, 2005

Run HijackThis and fix the following entry:

O2 - BHO: (no name) - {B27B24CE-13ED-6759-8453-561804F509FD} - C:\WINDOWS\atlcd.dll

Find and delete the following file (if there):
C:\WINDOWS\atlcd.dll

Restart your computer and post a fresh HijackThis log back on this thread.

Log in or Sign up

pls check hijack log

greenstrat Thread Starter

crushbone

greenstrat Thread Starter

crushbone

greenstrat Thread Starter

greenstrat Thread Starter

crushbone

greenstrat Thread Starter

crushbone

greenstrat Thread Starter

crushbone

greenstrat Thread Starter

crushbone

greenstrat Thread Starter

crushbone

Sponsor

Welcome to Tech Support Guy!

In Progress The famous StartupCheckLibrary.dll and winscomrssrv.dll

New StartupCheckLibrary.dll, winscomrssrv.dll and Win Defender

In Progress StartupCheckLibrary.dll &winscomrssrv.dll Missing, help!

Solved StartupCheckLibrary.dll and winscomrssrv.dll issue

In Progress StartupCheckLibrary.dll Issue

pls check hijack log

greenstrat Thread Starter

greenstrat Thread Starter

greenstrat Thread Starter

greenstrat Thread Starter

greenstrat Thread Starter

greenstrat Thread Starter

greenstrat Thread Starter

greenstrat Thread Starter

Sponsor

Welcome to Tech Support Guy!

In Progress The famous StartupCheckLibrary.dll and winscomrssrv.dll

New StartupCheckLibrary.dll, winscomrssrv.dll and Win Defender

In Progress StartupCheckLibrary.dll &winscomrssrv.dll Missing, help!

Solved StartupCheckLibrary.dll and winscomrssrv.dll issue

In Progress StartupCheckLibrary.dll Issue

Useful Searches