| ||
| Crunchie, can you help me?

Hi, I saw how you helped someone else in the forums and it seems like you'd be able to help me too!! I downloaded Spybot and Ad-Aware and I have Norton and ran them all, but they can't get rid of my computer problems! First it started off with just annoying pop-ups, then it got worse. The first thing that went wrong was my Windows Media Player stopped working. I'd click to open it up, and it just wouldn't open. Now my Adobe Photoshop doesn't work. It goes through its startup process, then as it's about to open, it just crashes. I've even tried uninstalling/reinstalling twice. However, when I reinstall WMP, it works for a while before it stops.

So, I did the Trend Micro scan like you suggested to the other person you helped in the forums, and it came up with this: (Oh, also, I have Norton Anti-Virus and it didn't detect or remove these. And I've also run Norton and Ad-Aware and Spybot in Safe Mode, and that didn't get rid of the problem either)

JS INOR.M
CHM Psyme.Y
JS IESTART.PS
TROJ REVOP.A
TROJ ISTBAR.DW
TROJ BRISS.H (This appears twice after the scan)
TROJ SMALL.GO
BKDR SANDBOX.A
TROJ STILEN.A (This appears twice after the scan)

Do I have to buy the Trend software to get rid of these, or can you help me? Or can anyone on this forum help? I'd *greatly* appreciate any help!!! Thanks for reading, SH |
| ||
| Re: Crunchie, can you help me? Oh, sorry, forgot something else it does too. When I try to reboot, it says that the cmd prompt is running and it won't restart unless I close the program. Most of the time it won't let me close the cmd prompt (even though it's not visible) and I just have to manually hit the restart button. And before Adobe crashed it was randomly changing the icons for the Photoshop files I had on my desktop, and as of right now, I can't even click on my desktop until I restart my computer. It's like there is a wall preventing me from clicking on my desktop :(. Sorry for the extra post, just remembered those few things! SH |
| ||
| Re: Crunchie, can you help me? Really, I suggest that you reformat your PC and then install Windows again; it is better :( |
| ||
| Re: Crunchie, can you help me? Go here for an on-line scan & set it to autoclean for you. Make SURE that you set it to clean. Download HijackThis from here & unzip it into its own, permanent folder (not a temporary folder & not on the desktop). Start HJT & press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is harmless & even necessary to the running of your system. |
| ||
| Re: Crunchie, can you help me? I did the scan you linked to again, and it only came up with 9 viruses this time, but they were all non-cleanable or could not be accessed. Here are the results of the Hijack this scan, I didn't delete anything like you said:

Logfile of HijackThis v1.97.7
Scan saved at 10:11:48 PM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN\MSNIA\dslmon.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\temp\9R.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\BRD\Application Data\ahso.exe
C:\WINDOWS\System32\wapisvsu.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Hijack This\HijackThis.exe |
| ||
| Re: Crunchie, can you help me? I just downloaded and installed Zone Alert Firewall and did the free scan. Here is what it came up with: found the following tracking cookies on your computer. |
| ||
| Re: Crunchie, can you help me? Do this first though: Reboot into safe mode following the instructions here & navigate to & delete

C:\windows\temp< entire contents of folder
C:\WINDOWS\system32\pcs< folder
C:\Program Files\Common Files\Dpi< folder
C:\Documents and Settings\BRD\Application Data\ahso.exe< file
C:\WINDOWS\System32\wapisvsu.exe< file

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here. Reboot normally after doing the above then post a fresh log plz. Please make sure it has the entire log. Check other threads here if you are unsure what it should look like. |
| ||
| Re: Crunchie, can you help me? Sorry about that! I removed what you said and did the scan again, here is all of it this time :rolleyes: Stupid me!!!

Logfile of HijackThis v1.97.7
Scan saved at 11:50:04 PM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN\MSNIA\dslmon.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
F:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [9R] C:\windows\temp\9R.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\BRD\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKCU\..\Run: [Eitt] C:\Documents and Settings\BRD\Application Data\ahso.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07a32242...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...947.7328819444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

Thanks again SO MUCH for your help!!!!! |
| ||
| Re: Crunchie, can you help me? Aha. You have a CWS infection too. More downloading to do. You may want to print this out. Sorry it's quite a bit, but you have a few problems there.

--------------------------------------------------------------------------

Download CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch in its database. Close ALL windows, including IE, before running CWShredder. Reboot. To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

--------------------------------------------------------------------------

R3 fix. Launch Notepad, and copy/paste the bold below into a new text file. Save it as URLRepair.reg (Change the 'Save As Type' to 'All Files'). Save it in C:\ (or on the desktop)

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Locate it (in C:\) and double-click on it (launch it). You'll receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer yes and wait for a message to appear similar to "Merged Successfully".

--------------------------------------------------------------------------

Download Registrar Lite from here: http://www.resplendence.com/download/reglite.exe Put it in its own folder. You may want to keep this program. It is an excellent free registry editor. Copy and paste the following text into the address bar, then hit 'Go':

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

In the pane on the right are the values associated with that key. We want to remove these:

{4FC95EDD-4796-4966-9049-29649C80111D}_
{5D60FF48-95BE-4956-B4C6-6BB168A70310}_

Notice the underscore at the end. Right click on each (not sure if you can do them as one, or if you need to do it one at a time) and select delete. If you get a confirmation question, respond OK then close out of the program.

--------------------------------------------------------------------------

Once done, close all (browser) windows & rescan with HijackThis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked': (Very important that no other windows are open or they will NOT get fixed)

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll (file missing)
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O4 - HKLM\..\Run: [9R] C:\windows\temp\9R.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\BRD\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Eitt] C:\Documents and Settings\BRD\Application Data\ahso.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07a3224...ip/RdxIE601.cab

Reboot into safe mode following the instructions here & navigate to & delete

C:\Program Files\TV Media< folder
C:\PROGRA~1\Lycos< folder
C:\PROGRA~1\INCRED~1< folder
C:\DOCUME~1\BRD\LOCALS~1\Temp< entire contents of this folder
C:\WINDOWS\system32\pcs< folder
C:\Program Files\Common Files\Dpi< folder
C:\Program Files\LiveUpdate< folder
C:\WINDOWS\alchem.exe< file
C:\Documents and Settings\BRD\Application Data\ahso.exe< file
C:\WINDOWS\System32\wapisvsu.exe< file

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here. Be certain to follow these instructions exactly. If you're not sure, get back here. Reboot normally after doing the above then post a fresh log plz. |
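Added example, not part of the original thread or of HijackThis: a small Python triage pass over the R3 and O4 lines of a HijackThis log, flagging URLSearchHook values that differ from the default restored by the .reg file above and autoruns started from temp or profile folders. The `triage` function, its reason strings and the folder heuristic are assumptions of this example; an autorun in System32 such as `wapisvsu.exe` is not caught by it and still needs manual review.

```python
import re

# Default IE URLSearchHook CLSID: the only value the post's URLRepair.reg restores.
DEFAULT_HOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"

R3_RE = re.compile(r"^R3 - URLSearchHook: .*? - (\S+) - ")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# Heuristic (an assumption of this example, not a HijackThis rule): autoruns
# started from a temp folder or directly from Application Data need review.
SUSPECT_DIR = re.compile(r"\\temp\\|\\application data\\[^\\]+\.exe", re.I)

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [9R] C:\windows\temp\9R.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\BRD\LOCALS~1\Temp\bundle.exe
O4 - HKCU\..\Run: [Eitt] C:\Documents and Settings\BRD\Application Data\ahso.exe
"""


def triage(log_text):
    """Return (section, item, reason) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        hook = R3_RE.match(line)
        if hook:
            value = hook.group(1)
            if value.upper() == DEFAULT_HOOK:
                continue  # stock hook, leave it alone
            # A leading or trailing underscore means the value name is not a
            # valid CLSID, the pattern the helper points out in this thread.
            malformed = value != value.strip("_")
            reason = "malformed value name" if malformed else "non-default hook"
            findings.append(("R3", value, reason))
            continue
        run = O4_RE.match(line)
        if run and SUSPECT_DIR.search(run.group(3)):
            findings.append(("O4", run.group(2), "autorun from temp/profile folder"))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE):
        print(f"{section}  {item:45} {reason}")
```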
| ||
| Re: Crunchie, can you help me? I ran virus scan again from that link you gave me, and I'm posting the name and path here for you. The information you gave me above may fix these, but I just wanted to make sure:

TROJ REVOP.A C:/Documents and settings/BRD/Local settings/Temporary Internet Files/content.IE5/PR7BLHWE/bdl14025(1).exe
TROJ ISTBAR.DW C:/Windows/Downloaded Program Files/ISTactivex.dll
TROJ REVOP.A C:/Windows/System32/0021-bdl94126.EXE
TROJ BRISS.H C:/Windws/System32/a.exe
TROJ BRISS.H C:/Windows/System32/bridge.dll
TROJ SMALL.GO C:/Windows/System32/CS4P028.exe
BKDR SANDBOX.A C:/Windows/System32/Lkyqfy.exe
TROJ STILEN.A C:/Windows/System32/silent.exe

These were all NonCleanable by the scan. I'll get right on fixing those other things!!! |
©2003 - 2009 DaniWeb® LLC