virus/trogan

Status
This thread has been Locked and is not open to further replies. The original thread starter may use the Report button to request it be reopened but anyone else with a similar issue should start a New Thread. Watch our Welcome Guide to learn how to use this site.
N

nocure4evil

Thread Starter
Joined
Apr 16, 2004
Messages
7
I have a virus/trogan C:\progra~1\1winmx\winmx.exe.~m

It also creates a folder sysdll that contains about 300 programs. I have deleted the folder with no problem. My "cleaner" found the virus and deletes it but everytime I reboot both come back.

Any help?
-dan
 
N

nocure4evil

Thread Starter
Joined
Apr 16, 2004
Messages
7
buckaroo said:
Hi Dan, Welcome to TSG.

Go here and download Hijack This:

http://www.spywareinfo.com/~merijn/downloads.html

Read the instructions for scaning your system and generating a log then post your log here. Don't fix anything yourself, most entries are legit.

:)
Click to expand...
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\windows\taskmgr.com
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\Daniel Hilton\Local Settings\Temporary Internet Files\Content.IE5\OT6VKH6Z\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchwww.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchwww.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchwww.com/bar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchwww.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BD51AEC6-7991-4A60-94D6-D5FEBB655D10} - C:\WINDOWS\SYSTEM32\IEMsg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {794A0870-CD17-4545-AE9E-E53780DF2271} - (no file)
O3 - Toolbar: Toolbar - {BC97B254-B2B9-4D40-971D-78E0978F5F26}} - (no file)
O3 - Toolbar: (no name) - {BC97B254-B2B9-4D40-971D-78E0978F5F26} - (no file)
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [taskmanager] c:\windows\taskmgr.com
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Search.vbs
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Canasta - http://download.yahoo.com/games/clients/y/yr2_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.yahoo.com/games/clients/y/por9_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37368.1390162037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4024.cab
O16 - DPF: {F4C8D591-CC23-4FC6-A152-9CD02BD017B8} - http://www.searchwww.com/toolbar/toolbar.cab
O16 - DPF: {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - http://www.searchwww.com/toolbar/toolbar.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D299DF8-2D49-4956-B1C1-1BC63B804A9F}: NameServer = 205.188.146.146
 
buckaroo

buckaroo

Joined
Mar 25, 2001
Messages
3,334
Close your browser and check the following entries in HJT and click Fix. REBOOT afterwards.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchwww.com/bar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwww.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchwww.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchwww.com/bar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchwww.com/bar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s

O2 - BHO: (no name) - {BD51AEC6-7991-4A60-94D6-D5FEBB655D10} - C:\WINDOWS\SYSTEM32\IEMsg.dll

O3 - Toolbar: (no name) - {794A0870-CD17-4545-AE9E-E53780DF2271} - (no file)

O3 - Toolbar: Toolbar - {BC97B254-B2B9-4D40-971D-78E0978F5F26}} - (no file)

O3 - Toolbar: (no name) - {BC97B254-B2B9-4D40-971D-78E0978F5F26} - (


O4 - Global Startup: Search.vbs


O16 - DPF: {F4C8D591-CC23-4FC6-A152-9CD02BD017B8} - http://www.searchwww.com/toolbar/toolbar.cab

O16 - DPF: {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - http://www.searchwww.com/toolbar/toolbar.cab

See if that helps.

:)
 
N

nocure4evil

Thread Starter
Joined
Apr 16, 2004
Messages
7
I did as you said, rebooted and the the folder and the virus were back like before. I did another scan to see if u could take another look. Thanks, in advance
- daniel

Logfile of HijackThis v1.97.7
Scan saved at 4:53:02 PM, on 4/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\windows\taskmgr.com
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Daniel Hilton\Local Settings\Temporary Internet Files\Content.IE5\OT6VKH6Z\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [taskmanager] c:\windows\taskmgr.com
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [WinMX] C:\Progra~1\WinMX\WinMX.exe -m
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Canasta - http://download.yahoo.com/games/clients/y/yr2_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.yahoo.com/games/clients/y/por9_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37368.1390162037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4024.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D299DF8-2D49-4956-B1C1-1BC63B804A9F}: NameServer = 205.188.146.146
 
buckaroo

buckaroo

Joined
Mar 25, 2001
Messages
3,334
This appeared in your second log:

O4 - HKCU\..\Run: [WinMX] C:\Progra~1\WinMX\WinMX.exe -m

Fix it with HJT. After rebooting, find and delete this file:

C:\Progra~1\WinMX\WinMX.exe -m

:)
 
N

nocure4evil

Thread Starter
Joined
Apr 16, 2004
Messages
7
once again, did what u said, rebooted, virus and folder are back like before. When I deleted the O4 - HKCU\..\Run: [WinMX] C:\Progra~1\WinMX\WinMX.exe -m with HJT a very loud alarm went off and it said except changes or edit changes I hit except changes should I edit changes? It has a note not 2 unless u know what u r doing and thats defently not me.

- dumba$$
 
buckaroo

buckaroo

Joined
Mar 25, 2001
Messages
3,334
I would do as you did.......accept changes.

Post a current log, just to see what's on there.
 
N

nocure4evil

Thread Starter
Joined
Apr 16, 2004
Messages
7
Logfile of HijackThis v1.97.7
Scan saved at 9:43:03 AM, on 4/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\windows\taskmgr.com
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHT~1\eanthtutor.exe
C:\Program Files\AOL Companion\companion.exe
C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Daniel Hilton\Local Settings\Temporary Internet Files\Content.IE5\49KV8FGF\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [taskmanager] c:\windows\taskmgr.com
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
O4 - HKLM\..\Run: [LSPFix] C:\Program Files\Common Files\eAcceleration\LSPfix\LSPmonitor.exe normal
O4 - HKLM\..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\velozsys.exe runstart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Block This Page (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
O16 - DPF: Yahoo! Canasta - http://download.yahoo.com/games/clients/y/yr2_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.yahoo.com/games/clients/y/por9_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37368.1390162037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4024.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D299DF8-2D49-4956-B1C1-1BC63B804A9F}: NameServer = 205.188.146.146
 
buckaroo

buckaroo

Joined
Mar 25, 2001
Messages
3,334
:confused:

Got some new stuff there. Let's remove these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redi...=ie&ar=iesearch

O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll


O4 - HKLM\..\Run: [taskmanager] c:\windows\taskmgr.com


After rebooting, find and delete this file:

c:\windows\taskmgr.com


....Did you download the application Stop Sign? These two entries:

O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup

O4 - HKLM\..\Run: [LSPFix] C:\Program Files\Common Files\eAcceleration\LSPfix\LSPmonitor.exe normal

....just so you know, though it used to stop spy and malware, the application itself is considered spyware. Remove via add/remove or use HJT to fix and delete those files.

Here's two applications that are much better:

http://www.javacoolsoftware.com/spywareblaster.html

http://www.javacoolsoftware.com/spywareguard.html
 
buckaroo

buckaroo

Joined
Mar 25, 2001
Messages
3,334
oops, almost missed these:

O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\asiclayer.dll


To fix these entries (curtesy of Stop Sign), go here and download LSP Fix:

http://www.cexx.org/lspfix.htm

:)
 
N

nocure4evil

Thread Starter
Joined
Apr 16, 2004
Messages
7
Think its starting to come together, downloaded stop sign to see if it could help looks like it did. The virus seems to be gone and the sysdll folder isn't there. I have deleted Stopsign also. Please scan through this and see if anything is off. Thanks,
dan :)

Logfile of HijackThis v1.97.7
Scan saved at 6:17:50 AM, on 4/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\Daniel Hilton\Local Settings\Temporary Internet Files\Content.IE5\31HRAE9A\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37368.1390162037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4024.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D299DF8-2D49-4956-B1C1-1BC63B804A9F}: NameServer = 205.188.146.146
 
N

nocure4evil

Thread Starter
Joined
Apr 16, 2004
Messages
7
I have uninstalled it like u said, there wasn't anything left of it on the last log was there?

- daniel
 
Status
This thread has been Locked and is not open to further replies. The original thread starter may use the Report button to request it be reopened but anyone else with a similar issue should start a New Thread. Watch our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Total: 281 (members: 4, guests: 277)
Top