1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Virus - Used Hijackthis and need review

Discussion in 'Virus & Other Malware Removal' started by coastergeekr, Feb 16, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. coastergeekr

    coastergeekr Thread Starter

    Joined:
    Feb 16, 2005
    Messages:
    25
    I used hijackthis and made a log because a guy on McAfee Virus Forums told me to. He sent me here to get the log file reviewed. HEre is the post I made in that forum so you know my problem.

     

    Attached Files:

  2. Meangean

    Meangean

    Joined:
    Apr 18, 2004
    Messages:
    216
    http://www.downloads.subratam.org/KillBox.exe and download the the new version of Killbox and save it to your desktop.

    Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    by using the browse feature and searching for dload.exe or putting this in as path.. C:\Windows\system32\dload.exe

    but i would try and make sure that is that path

    then restart and see wat happens

    now i will look at ur hijack this log
     
  3. Meangean

    Meangean

    Joined:
    Apr 18, 2004
    Messages:
    216
    Here is your log:

    Logfile of HijackThis v1.99.0
    Scan saved at 7:03:21 PM, on 2/16/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\LPhal.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Logitech\io2Software\Pen.TrayIcon.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\prvdi.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\rundll32.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Bargain Buddy\bin2\bargains.exe
    C:\Program Files\VVSN\VVSN.exe
    C:\Program Files\iPod\bin\iPodService.exe
    c:\program files\logitech\io2software\Pen.LplsHost.exe
    C:\Program Files\Common Files\Anoto\3.0\DockingEngine.exe
    C:\Program Files\Logitech\io2Software\Pen.Ink.Download.exe
    C:\Program Files\Logitech\io2Software\Loli.FileSystem.AccessManager.Server.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\unzipped\hijackthis-3\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0001_ho
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0001_ho
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage.dll
    O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\Program Files\Bargain Buddy\bin2\apuc.dll
    O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
    O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    O4 - HKLM\..\Run: [PSDrvCheck] "c:\program files\pinnacle\liquid edition demo\program\PSDrvCheck.exe" -CheckReg
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [XupiterToolbarLoader] C:\Program Files\Xupiter\\XupiterToolbarLoader.exe
    O4 - HKLM\..\Run: [Pen.TrayIcon] C:\Program Files\Logitech\io2Software\Pen.TrayIcon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
    O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender8\\bdmcon.exe
    O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender8\\bdnagent.exe
    O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [osmW3se] dmbga13s.exe
    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
    O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm370XXUS
    O8 - Extra context menu item: Send Image to Photo Library - file://C:\Program Files\Broderbund\The Print Shop Photo Pro\Temp\MGI00000.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
    O15 - Trusted Zone: http://us.mcafee.com
    O15 - Trusted IP range: http://192.168.0.1
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O21 - SSODL: IntegrityChecker - {DA9D80FD-08D4-4B36-83B5-FF8DA7F08B54} - C:\WINDOWS\System32\spnixt40.dll
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Digital Pen rendezvous server - Logitech - C:\WINDOWS\System32\LPhal.exe
    O23 - Service: Digital Pen Socket to USB protocol - Logitech - C:\WINDOWS\System32\LPhal.exe
    O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
     
  4. Meangean

    Meangean

    Joined:
    Apr 18, 2004
    Messages:
    216
    fix these:

    I see you got bargain buddy, get rid of it... i will tell u to get ad-aware and refer to a link

    C:\Program Files\Bargain Buddy\bin2\bargains.exe
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
    O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [osmW3se] dmbga13s.exe
    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
    O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe

    Go here and download Ad-Aware SE.

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window :Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.


    Go here and download Microsoft Antispyware Beta. First press file and check for updates and then run it.

    Let it fix anything that it finds (have it quarantine them rather than delete just in case. It is a beta program and there may be false positives)

    Then post a new hijack this log
     
  5. coastergeekr

    coastergeekr Thread Starter

    Joined:
    Feb 16, 2005
    Messages:
    25
    I can't locate the dload.exe file because McAfee deletes it when it detects it. This does nohing though, because it deletes it again within the next 30 minutes. It keeps doing this. I already have Ad-Aware but I have not run it in a few days. After I do this I will post a new log file.

    EDIT: I posted the new log file. The notification that I have a virus on my computer is still coming up when I log on.
     

    Attached Files:

  6. coastergeekr

    coastergeekr Thread Starter

    Joined:
    Feb 16, 2005
    Messages:
    25
    Now my AOL Instant Messenger is messing up. Along with the virus notification, it (my buddy list) pops up every 15 minutes (so more often than the dload.exe file). It also says that the user I am sending the message to cannot recieve the message I just sent, but in truth, they do get it but then I can't see what they are saying. I think that this virus, or another virus I don't know about, it the cause of this. What do I do now?
     
  7. coastergeekr

    coastergeekr Thread Starter

    Joined:
    Feb 16, 2005
    Messages:
    25
    Is anyone going to help me?
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
  9. coastergeekr

    coastergeekr Thread Starter

    Joined:
    Feb 16, 2005
    Messages:
    25
    Sorry for not posting ASAP. Here is the log:

     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0001_ho
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0001_ho
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bgtguide.com/~sscoasters/forums
    R3 - Default URLSearchHook is missing
    O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage.dll
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [XupiterToolbarLoader] C:\Program Files\Xupiter\\XupiterToolbarLoader.exe
    O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
    O4 - HKLM\..\Run: [osmW3se] dmbga13s.exe
    O4 - HKLM\..\Run: [Shell] open32.exe
    O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
    O4 - HKCU\..\Run: [ZB56RiKEQ] dbgif11n.exe
    O4 - Startup: winupdate78328980[1].exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O15 - Trusted Zone: http://home.comcast.net
    O15 - Trusted Zone: http://www.mxtabs.net
    O15 - Trusted Zone: *.streamload.com
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
    O21 - SSODL: IntegrityChecker - {DA9D80FD-08D4-4B36-83B5-FF8DA7F08B54} - C:\WINDOWS\System32\spnixt40.dll

    Close all applications and browser windows before you click "fix checked".


    Restart in Safe Mode

    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Go to control panel, add/remove programs and remove Viewpoint

    Delete these folders:
    C:\Program Files\Bargain Buddy
    C:\Program Files\Windows AdStatus
    C:\PROGRA~1\NEWDOT~1
    C:\Program Files\WindUpdates
    C:\Program Files\Viewpoint
    C:\Program Files\STHomePage
    C:\Program Files\Xupiter
    C:\Program Files\System Soap

    Delete these files:
    C:\WINDOWS\System32\prvdi.exe
    dmbga13s.exe
    C:\WINDOWS\System32\open32.exe
    winupdate78328980[1].exe --> This one is going to be in one or more of the c:\documents and settings\Administrator\Start Menu\Programs\Startup You should check every profile on the machine.


    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Next navigate to the C:\Documents and Settings\Administrator (Repeat for all user names)\Local Settings\Temp folder.
    Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Reboot and post another log.
     
  11. coastergeekr

    coastergeekr Thread Starter

    Joined:
    Feb 16, 2005
    Messages:
    25
    I did all that. The only thing is when I fixed the checked things in HJT, an error window poped up saying:
    Many of the folders were not there (I did delete NewDot Net already) and some files weren't there (dmbga13s.exe). Other than that it was good.

    Here is the HJT Log:

     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download the Pocket KillBox

    Save it to your desktop.

    Run KillBox.exe.

    Select the Delete on Reboot option.
    In the Full Path of File to Delete field paste this path and click the red circle with the white X in it, when it asks you to reboot, click No.

    C:\WINDOWS\System32\snim.dll
    C:\WINDOWS\System32\open32.exe

    You have to find this file: winupdate78328980[1].exe It may exist in one or more profiles. It will be in the C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder. You have to look in each profile.
    When you locate it put the full path and file name into kill box.


    Close killbox.

    Run HJT again and put a check in the following:

    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
    O4 - HKLM\..\Run: [Shell] open32.exe
    O4 - Startup: winupdate78328980[1].exe
    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll

    Close all applications and browser windows before you click "fix checked".

    Reboot.
     
  13. coastergeekr

    coastergeekr Thread Starter

    Joined:
    Feb 16, 2005
    Messages:
    25
    Now I have a new problem. I got a desktop spyware that uses all spyware capabilities to advertise anti-spyware software. Also, it came with many viruses in the temp folder and WINDOWS\System32\ folder. Here is the HJT log.

     
  14. Supercompute

    Supercompute

    Joined:
    Apr 3, 2005
    Messages:
    22
    I just quickly looked at all the posts here and if this has not been done yet TERMINATE Macafee Virus scan (uninstall it if possable) becouse a virus must have infected the programes database and has screwed it up. Eather re-install it or download AVG Anti virus system go to www.grisoft.com and download the latest AVG and install it. If you are on the computer or the net and it picks up on a virus the screen will go red and say the locataion of the virus use keybord arrows to go HEAL and close all running applacations and run AVG scan the whole hard disk all folders sub-folders everything as soon as it finds a virus it will probaly go to the Virus volt open the volt an TERMINATE the virus.check to see if it goes in the recyle bin empty it if if it dose if this dosent work you may have to use SYSTEM RESTORE and take your pc back to 2 days before this happend if this doent work back up your hard disk and use the recovery CD-ROM that came with your computer.

    email address removed by cybertech.
     
  15. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Supercompute It's not a good idea for you to be requesting posters on the board to e-mail you for help.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/331520

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice