Solved: Problems that need fixing

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

timchilli

Thread Starter
Joined
Jan 10, 2006
Messages
9
Hi, I'd be grateful if anyone could help me with the following problems I'm experiencing on WinXP Home Edition.

Problem 1
Explorer.EXE - No Disk
There is no disk in the drive. Please insert a disk into drive A


Problem 2
Internet Explorer keeps shutting down with the following details:
AppName: iexplore.exe AppVer: 6.0.2900.2180 ModName: ntdll.dll

I have used SmitRem and run all kinds of diagnostics but can't rid my system of these bloody things.

Here is a HijackThis! logfile:

Logfile of HijackThis v1.99.1
Scan saved at 21:41:29, on 10/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\ELAN.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\vjiqyaaa.exe
C:\WINDOWS\system32\combo.exe
C:\WINDOWS\system32\srshost.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tim\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4662
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2393BDA8-9CE9-E51F-7B44-9B6338FD3C65} - C:\WINDOWS\System32\loyakuj.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {F2A4407B-FFBC-4A1F-A18A-0F68C3E0FC9E} - (no file)
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\holdapi.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RemoveElanIcon] C:\WINDOWS\System32\ELAN.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB004" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Microsoft Windows System] vjiqyaaa.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] vjiqyaaa.exe
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - Startup: Free WebSite Tools.lnk = ?
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &All by FD - C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with &FD - C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://rmt.mms.co.uk/Citrix/ICAWEB/en/ica32/wficac.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1092957168328
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://install.serviceurl.de/StarInstall.ocx
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31531FEE-C301-4E6F-981A-13EE81E574BE}: NameServer = 62.24.228.9 62.24.228.10
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: holdapi - C:\WINDOWS\SYSTEM32\holdapi.dll
O21 - SSODL: IEFilter - {087677A1-7977-4C2E-8945-72644DAAC6C4} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

If anyone could help I would be eternally thankful.

Many thanks for hearing me out.

Tim
 

timchilli

Thread Starter
Joined
Jan 10, 2006
Messages
9
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\vjiqyaaa.exe
C:\WINDOWS\system32\combo.exe
C:\WINDOWS\system32\srshost.exe

are these trojans?
 
Joined
Sep 7, 2004
Messages
49,014
Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
· Install ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido
· It will prompt you to update click the OK button and it will go to the main screen
· On the left side of the main screen click update
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
· Click on scanner
· Click Complete System Scan and the scan will begin.
· During the scan it will prompt you to clean files, click OK
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your C: Drive
This will take some time to run!
Boot to normal mode
Post that log and a new HiJack log
 

timchilli

Thread Starter
Joined
Jan 10, 2006
Messages
9
MFDnSC, thanks for your reply.

Below is the eWido log. The next post will contain the HiJackThis log.

Is everything ok?

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 19:56:57, 11/01/2006
+ Report-Checksum: AA90FCCB

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{B0CE21C5-6A79-45B7-AB9C-0008E75F2DBF} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{CD6B926C-903F-46A4-9C7D-F3839F081788} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D273D427-57C6-4B12-860F-BBB8195F6E2A} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\GMSoft -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\GMSoft\Dialers -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\IntexusDial -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E0B795B4-FD95-4ABD-A375-27962EFCE8CF} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{669695BC-A811-4A9D-8CDF-BA8C795F261C} -> Spyware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F2A4407B-FFBC-4A1F-A18A-0F68C3E0FC9E} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1844237615-2000478354-725345543-1004\Software\GMSoft -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-1844237615-2000478354-725345543-1004\Software\GMSoft\Dialers -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-1844237615-2000478354-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695BC-A811-4A9D-8CDF-BA8C795F261C} -> Spyware.PowerStrip : Cleaned with backup
HKU\S-1-5-21-1844237615-2000478354-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F2A4407B-FFBC-4A1F-A18A-0F68C3E0FC9E} -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Lucy\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lucy\Cookies\[email protected][1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Lucy\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Lucy\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Lucy\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Lucy\Cookies\[email protected][2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Lucy\Cookies\[email protected][2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Lucy\Cookies\[email protected][2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Lucy\Cookies\[email protected][1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Lucy\Cookies\[email protected][2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Lucy\Cookies\[email protected][1].txt -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Documents and Settings\Lucy\Cookies\[email protected][2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Lucy\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Lucy\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Lucy\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lucy\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lucy\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Phil\Cookies\[email protected][1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\1CBSGEKL\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\9S2U4WX7\14500[1].exe -> Dropper.Small.na : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Tim\Local Settings\Temporary Internet Files\Content.IE5\E905MVKF\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Program Files\SpyHunter\Backup\BDERastDx6_30002.dll.bak -> Adware.BrilliantDigital : Cleaned with backup
C:\Program Files\SpyHunter\Backup\bdesecureinstall.exe.bak -> Adware.BrilliantDigital : Cleaned with backup
C:\Program Files\SpyHunter\Backup\bdeverify.dll.bak -> Adware.BrilliantDigital : Cleaned with backup
C:\Program Files\SpyHunter\Backup\bdeverify.exe.bak -> Adware.BrilliantDigital : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Gator : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected]k[1].txt.bak -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Gator : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Gator : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Gator : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Offshoreclicks : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Weborama : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Weborama : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Gator : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Adserver : Cleaned with backup
C:\System Volume Information\_restore{B3FF13EE-92C2-46CF-A694-2E7DECC4B5DA}\RP136\A0022756.exe -> Dropper.Small.na : Cleaned with backup
C:\System Volume Information\_restore{B3FF13EE-92C2-46CF-A694-2E7DECC4B5DA}\RP136\A0022757.exe -> Proxy.Agent.ig : Cleaned with backup
C:\System Volume Information\_restore{B3FF13EE-92C2-46CF-A694-2E7DECC4B5DA}\RP136\A0022763.exe -> Dropper.Small.na : Cleaned with backup
C:\System Volume Information\_restore{B3FF13EE-92C2-46CF-A694-2E7DECC4B5DA}\RP136\A0022764.exe -> Proxy.Agent.ig : Cleaned with backup
C:\System Volume Information\_restore{B3FF13EE-92C2-46CF-A694-2E7DECC4B5DA}\RP136\A0022771.exe -> Dropper.Small.na : Cleaned with backup
C:\System Volume Information\_restore{B3FF13EE-92C2-46CF-A694-2E7DECC4B5DA}\RP136\A0022781.exe -> Dropper.Small.na : Cleaned with backup
C:\System Volume Information\_restore{B3FF13EE-92C2-46CF-A694-2E7DECC4B5DA}\RP136\A0022787.exe -> Dropper.Small.na : Cleaned with backup
C:\System Volume Information\_restore{B3FF13EE-92C2-46CF-A694-2E7DECC4B5DA}\RP136\A0022810.exe -> Dropper.Small.na : Cleaned with backup
C:\System Volume Information\_restore{B3FF13EE-92C2-46CF-A694-2E7DECC4B5DA}\RP136\A0023802.exe -> Dropper.Small.na : Cleaned with backup
C:\System Volume Information\_restore{B3FF13EE-92C2-46CF-A694-2E7DECC4B5DA}\RP136\A0023808.exe -> Dropper.Small.na : Cleaned with backup
C:\System Volume Information\_restore{B3FF13EE-92C2-46CF-A694-2E7DECC4B5DA}\RP136\A0023813.exe -> Dropper.Small.na : Cleaned with backup
C:\System Volume Information\_restore{B3FF13EE-92C2-46CF-A694-2E7DECC4B5DA}\RP137\A0023873.exe -> Proxy.Agent.bz : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\sportnet.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\installer[p2p-10110,de].exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\holdapi.dll -> Trojan.Agent.cs : Cleaned with backup
C:\WINDOWS\system32\loyakuj.dll -> Spyware.AdultIt : Cleaned with backup
C:\WINDOWS\system32\srshost.exe -> Proxy.Agent.ig : Cleaned with backup
C:\WINDOWS\system32\sxdswaaa.exe -> Downloader.Tiny.ao : Cleaned with backup
C:\WINDOWS\system32\vjiqyaaa.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\winl0gon.exe -> Dropper.Small.na : Cleaned with backup


::Report End
 

timchilli

Thread Starter
Joined
Jan 10, 2006
Messages
9
HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 19:57:36, on 11/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Tim\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4662
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2393BDA8-9CE9-E51F-7B44-9B6338FD3C65} - C:\WINDOWS\System32\loyakuj.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\holdapi.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RemoveElanIcon] C:\WINDOWS\System32\ELAN.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB004" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - Startup: Free WebSite Tools.lnk = ?
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &All by FD - C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with &FD - C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://rmt.mms.co.uk/Citrix/ICAWEB/en/ica32/wficac.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1092957168328
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: holdapi - C:\WINDOWS\SYSTEM32\holdapi.dll
O21 - SSODL: IEFilter - {087677A1-7977-4C2E-8945-72644DAAC6C4} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Joined
Sep 7, 2004
Messages
49,014
Fix these with HJT – mark them, close IE, click fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,

R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,

O2 - BHO: (no name) - {2393BDA8-9CE9-E51F-7B44-9B6338FD3C65} - C:\WINDOWS\System32\loyakuj.dll (file missing)

O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\holdapi.dll

O4 - Startup: PowerReg Scheduler V3.exe

O20 - Winlogon Notify: holdapi - C:\WINDOWS\SYSTEM32\holdapi.dll

O21 - SSODL: IEFilter - {087677A1-7977-4C2E-8945-72644DAAC6C4} - C:\WINDOWS\system32\IEFilter.dll

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\SYSTEM32\holdapi.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
 

timchilli

Thread Starter
Joined
Jan 10, 2006
Messages
9
Hi again!

I followed your instructions exaclty, however I could not delete the C:\WINDOWS\SYSTEM32\holdapi.dll file. The computer wouldn't let me delete it, despite numerous attempts. Any idea what I can do to fix this?

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 19:08:52, on 12/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\ELAN.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Tim\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4662
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\holdapi.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RemoveElanIcon] C:\WINDOWS\System32\ELAN.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB004" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &All by FD - C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with &FD - C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://rmt.mms.co.uk/Citrix/ICAWEB/en/ica32/wficac.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1092957168328
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31531FEE-C301-4E6F-981A-13EE81E574BE}: NameServer = 62.24.228.9 62.24.228.10
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: holdapi - C:\WINDOWS\SYSTEM32\holdapi.dll
O21 - SSODL: IEFilter - {E7D75D2C-18D0-425C-8688-514768C5F97E} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Joined
Sep 7, 2004
Messages
49,014
My fault - I wasn't pating attention

Please print these instructions out for use in Safe Mode.

Vundo normally gets installed via a security hole in Sun Java so do this please

go to www.java.com & download the latest version of java 1.5.0.6

install it & then go to add/remove programs and UNINSTALL ALL previous versions of sun java


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this
    VundoFix V2.15 by Atri
    By pressing enter you agree that you are using this at your own risk
  • At this point press enter one time.
  • Next you will see:
    Type in the filepath as instructed by the forum staff
    Then Press Enter
  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\holdapi.dll
  • Press Enter,
  • Next you will see:
    Please type in the second filepath as instructed by the forum staff
    Then Press Enter,
  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\ipadloh.*
    If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.

  • The fix will run then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:

    • O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\holdapi.dll

      O20 - Winlogon Notify: holdapi - C:\WINDOWS\SYSTEM32\holdapi.dll
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
 

timchilli

Thread Starter
Joined
Jan 10, 2006
Messages
9
Hi again. Thanks for all your help with this.

I followed your instructions as stated. Unfortunately the Internet Explorer error precludes me from running a full ActiveScan (IE shuts down after about 5 minutes into the scan). As such, I can only post the VundoFix log, together with the latest HJT log.

Any idea why IE keeps shutting down? It's REALLY annoying.



VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\holdapi.dll

The second filepath entered was C:\WINDOWS\system32\ipadloh.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 128 'smss.exe'

Killing PID 976 'explorer.exe'


Killing PID 204 'winlogon.exe'
Killing PID 204 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\holdapi.dll Deleted sucessfully.
C:\WINDOWS\system32\ipadloh.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 23:38:04, on 12/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\ELAN.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tim\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\holdapi.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RemoveElanIcon] C:\WINDOWS\System32\ELAN.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB004" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://rmt.mms.co.uk/Citrix/ICAWEB/en/ica32/wficac.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1092957168328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137108599328
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31531FEE-C301-4E6F-981A-13EE81E574BE}: NameServer = 62.24.228.9 62.24.228.10
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: holdapi - holdapi.dll (file missing)
O21 - SSODL: IEFilter - {E7D75D2C-18D0-425C-8688-514768C5F97E} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

timchilli

Thread Starter
Joined
Jan 10, 2006
Messages
9
Would it be advisable to download the latest version of Internet Explorer, then simply uninstall my existing version? Would this resolve the problem?
 
Joined
Sep 7, 2004
Messages
49,014
Fix these with HJT – mark them, close IE, click fix checked

O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\holdapi.dll (file missing)

O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe

O20 - Winlogon Notify: holdapi - holdapi.dll (file missing)

O21 - SSODL: IEFilter - {E7D75D2C-18D0-425C-8688-514768C5F97E} - C:\WINDOWS\system32\IEFilter.dll

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\IEFilter.dll
C:\WINDOWS\system32\srshost.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
 

timchilli

Thread Starter
Joined
Jan 10, 2006
Messages
9
Here's the latest HJT log.

IE still keeps shutting down. Sorry for the continued hassle, but any ideas?

Logfile of HijackThis v1.99.1
Scan saved at 19:52:18, on 13/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\Service.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\ELAN.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpyHunter\SpyHunter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Winamp\Winamp.exe
C:\Documents and Settings\Tim\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4662
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - (no file)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RemoveElanIcon] C:\WINDOWS\System32\ELAN.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB004" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &All by FD - C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with &FD - C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://rmt.mms.co.uk/Citrix/ICAWEB/en/ica32/wficac.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1092957168328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137108599328
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31531FEE-C301-4E6F-981A-13EE81E574BE}: NameServer = 62.24.228.9 62.24.228.10
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: IEFilter - {D5E4095C-64FB-4D09-9670-80EE6569F694} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Joined
Sep 7, 2004
Messages
49,014
Not done yet – Make sure MS Anti allows these changes

Fix these with HJT – mark them, close IE, click fix checked

O2 - BHO: (no name) - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - (no file)

O21 - SSODL: IEFilter - {D5E4095C-64FB-4D09-9670-80EE6569F694} - C:\WINDOWS\system32\IEFilter.dll (file missing)



Please give feedback on what worked/didn’t work and the current status of your system
 

timchilli

Thread Starter
Joined
Jan 10, 2006
Messages
9
Done!

Hopefully this will be it!

Many thanks for your continued help. I'll make a donation for all your kindness.

Thanks, Tim.

Logfile of HijackThis v1.99.1
Scan saved at 00:26:59, on 14/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\Service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\ELAN.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\Documents and Settings\Tim\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4662
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RemoveElanIcon] C:\WINDOWS\System32\ELAN.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB004" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &All by FD - C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with &FD - C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://rmt.mms.co.uk/Citrix/ICAWEB/en/ica32/wficac.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1092957168328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137108599328
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31531FEE-C301-4E6F-981A-13EE81E574BE}: NameServer = 62.24.228.9 62.24.228.10
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Joined
Sep 7, 2004
Messages
49,014
Clean
- If you feel it is fixed, mark it solved via thread tools above - if not what is the current situation?
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top