Crunchie, can you help me?

SarahH (Junior Poster in Training), post #1, May 11th, 2004
Hi, I saw how you helped someone else in the forums and it seems like you'd be able to help me too!!

I downloaded Spybot and Ad-Aware and I have Norton and ran them all, but they can't get rid of my computer problems! First it started off with just annoying pop-ups, then it got worse. The first thing that went wrong was my windows media player stopped working. I'd click to open it up, and it just wouldn't open. Now my Adobe Photoshop doesn't work. It goes through its startup process, then as it's about to open, it just crashes. I've even tried uninstalling/reinstalling twice. However, when I reinstall WMP, it works for a while before it stops.

So, I did the Trend Micro scan like you suggested to the other person you helped in the forums, and it came up with this:

(Oh, also, I have Norton Anti-Virus and it didn't detect or remove these. And I've also run Norton and Ad-Aware and Spybot in Safe Mode, and that didn't get rid of the problem either)

JS INOR.M
CHM Psyme.Y
JS IESTART.PS
TROJ REVOP.A
TROJ ISTBAR.DW
TROJ BRISS.H (This appears twice after the scan)
TROJ SMALL.GO
BKDR SANDBOX.A
TROJ STILEN.A (This appears twice after the scan)

Do I have to buy the Trend software to get rid of these, or can you help me? Or can anyone on this forum help? I'd *greatly* appreciate any help!!!

Thanks for reading,
SH

SarahH (Junior Poster in Training), post #2, May 11th, 2004
Oh, sorry, forgot something else it does too. When I try to reboot, it says that the cmd prompt is running and it won't restart unless I close the program. Most of the time it won't let me close the cmd prompt (even though it's not visible) and I just have to manually hit the restart button.

And before Adobe crashed it was randomly changing the icons for the photoshop files I had on my desktop, and as of right now, I can't even click on my desktop until I restart my computer. It's like there is a wall preventing me from clicking on my desktop.

Sorry for the extra post, just remembered those few things!

SH

meabed (Team Colleague, Junior Poster), post #3, May 11th, 2004
Really, I suggest that you reformat your PC and then install Windows again.
It is better.

crunchie (Moderator, Featured Poster), post #4, May 12th, 2004
Go here for an on-line scan & set it to autoclean for you. Make SURE that you set it to clean.

Download HijackThis from here & unzip it into its own, permanent folder, (not a temporary folder & not on the desktop). Start HJT & press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is harmless & even necessary to the running of your system.

SarahH (Junior Poster in Training), post #5, May 12th, 2004
I did the scan you linked to again, and it only came up with 9 viruses this time, but they were all non-cleanable or could not be accessed.

Here are the results of the Hijack this scan, I didn't delete anything like you said:

Logfile of HijackThis v1.97.7
Scan saved at 10:11:48 PM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN\MSNIA\dslmon.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\temp\9R.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\BRD\Application Data\ahso.exe
C:\WINDOWS\System32\wapisvsu.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Hijack This\HijackThis.exe

SarahH (Junior Poster in Training), post #6, May 12th, 2004
I just downloaded and installed Zone Alert Firewall and did the free scan. Here is what it came up with:

found the following tracking cookies on your computer.




crunchie (Moderator, Featured Poster), post #7, May 12th, 2004
Originally Posted by SarahH
I did the scan you linked to again, and it only came up with 9 viruses this time, but they were all non-cleanable or could not be accessed.

Here are the results of the Hijack this scan, I didn't delete anything like you said:

That is only half the log. Under what you have here there should also be entries that include R1, R0, O1, O2, O3, O4 etc.

Do this first though:
Reboot into safe mode following the instructions here & navigate to & delete

C:\windows\temp< entire contents of folder
C:\WINDOWS\system32\pcs< folder
C:\Program Files\Common Files\Dpi< folder
C:\Documents and Settings\BRD\Application Data\ahso.exe< file
C:\WINDOWS\System32\wapisvsu.exe< file

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Reboot normally after doing the above then post a fresh log plz. Please make sure it has the entire log. Check other threads here if you are unsure what it should look like.

SarahH (Junior Poster in Training), post #8, May 12th, 2004
Sorry about that! I removed what you said and did the scan again, here is all of it this time :rolleyes: Stupid me!!!

Logfile of HijackThis v1.97.7
Scan saved at 11:50:04 PM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN\MSNIA\dslmon.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
F:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [9R] C:\windows\temp\9R.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\BRD\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKCU\..\Run: [Eitt] C:\Documents and Settings\BRD\Application Data\ahso.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07a32242...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...947.7328819444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

Thanks again SO MUCH for your help!!!!!

crunchie (Moderator, Featured Poster), post #9, May 12th, 2004
Aha. You have a CWS infection too. More downloading to do. You may want to print this out. Sorry it's quite a bit, but you have a few problems there.
--------------------------------------------------------------------------
Download CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch in its database. Close ALL windows, including IE, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.
--------------------------------------------------------------------------
R3 fix.
Launch Notepad, and copy/paste the bold below into a new text file. Save it as URLRepair.reg (Change the 'Save As Type' to 'All Files'). Save it in C:\ (or on the desktop)

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Locate it (in C:\) and double-click on it (launch it). You'll receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer yes and wait for a message to appear similar to "Merged Successfully".
--------------------------------------------------------------------------
Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe

Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.

Copy and paste the following text into the address bar, then hit 'Go':
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

In the pane on the right are the values associated with that key.
We want to remove these:
{4FC95EDD-4796-4966-9049-29649C80111D}_
{5D60FF48-95BE-4956-B4C6-6BB168A70310}_
Notice the underscore at the end.

Right click on each, (not sure if you can do them as one, or if you need to do it one at a time) and select delete.
If you get a confirmation question, respond OK then close out of the program.
--------------------------------------------------------------------------
Once done Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' : (Very important that no other windows are open or they will NOT get fixed)

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll (file missing)
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

O4 - HKLM\..\Run: [9R] C:\windows\temp\9R.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\BRD\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Eitt] C:\Documents and Settings\BRD\Application Data\ahso.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07a3224...ip/RdxIE601.cab

Reboot into safe mode following the instructions here & navigate to & delete

C:\Program Files\TV Media< folder
C:\PROGRA~1\Lycos< folder
C:\PROGRA~1\INCRED~1< folder
C:\DOCUME~1\BRD\LOCALS~1\Temp< entire contents of this folder
C:\WINDOWS\system32\pcs< folder
C:\Program Files\Common Files\Dpi< folder
C:\Program Files\LiveUpdate< folder

C:\WINDOWS\alchem.exe< file
C:\Documents and Settings\BRD\Application Data\ahso.exe< file
C:\WINDOWS\System32\wapisvsu.exe< file

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Be certain to follow these instructions exactly. If you're not sure, get back here.

Reboot normally after doing the above then post a fresh log plz.
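
Added example, not part of the original thread and not HijackThis's or any poster's own method: a small Python triage pass over HijackThis log lines that flags autostarts run from temp or Application Data paths, URLSearchHook CLSIDs with a stray underscore or no file, and BHOs whose DLL is missing. The three heuristics and the names `parse_log`, `check_entry` and `triage` are assumptions made for illustration; the sample lines are copied from the log in post #8.

```python
import re
from typing import NamedTuple

# Lines copied from the HijackThis log in post #8 of this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [9R] C:\windows\temp\9R.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\BRD\LOCALS~1\Temp\bundle.exe
O4 - HKCU\..\Run: [Eitt] C:\Documents and Settings\BRD\Application Data\ahso.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
CLSID_RE = re.compile(r"(_?)\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}(_?)")


class Finding(NamedTuple):
    code: str       # HijackThis section code, e.g. "O4"
    reasons: tuple  # heuristics that fired
    body: str       # rest of the log line


def parse_log(text):
    """Return (section code, body) pairs; headers and process lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("code"), m.group("body")) for m in matches if m]


def check_entry(code, body):
    """Apply the illustrative heuristics to one entry and return the reasons."""
    reasons = []
    if code == "O4":
        m = RUN_RE.match(body)
        if m:
            cmd = m.group("cmd").strip('"').lower()
            if "\\temp\\" in cmd:
                reasons.append("autostart runs from a temp directory")
            if re.search(r"\\application data\\[^\\]+\.exe", cmd):
                reasons.append("executable sits directly in Application Data")
    elif code == "R3":
        m = CLSID_RE.search(body)
        if m and (m.group(1) or m.group(2)):
            reasons.append("CLSID has a stray underscore")
        if body.endswith("(no file)"):
            reasons.append("search hook has no backing file")
    elif code == "O2" and body.endswith("(file missing)"):
        reasons.append("BHO DLL is missing on disk")
    return reasons


def triage(text):
    """Return a Finding for every entry that trips at least one heuristic."""
    findings = []
    for code, body in parse_log(text):
        reasons = check_entry(code, body)
        if reasons:
            findings.append(Finding(code, tuple(reasons), body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {'; '.join(f.reasons)}\n    {f.body}")
```

Entries that post #9 lists for fixing because the software itself is recognised, such as the TV Media lines, pass these path checks, so the output is a starting list for manual review and not a verdict.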

SarahH (Junior Poster in Training), post #10, May 12th, 2004
I ran virus scan again from that link you gave me, and I'm posting the name and path here for you. The information you gave me above may fix these, but I just wanted to make sure:

TROJ REVOP.A C:/Documents and settings/BRD/Local settings/Temporary Internet Files/content.IE5/PR7BLHWE/bdl14025(1).exe

TROJ ISTBAR.DW C:/Windows/Downloaded Program Files/ISTactivex.dll

TROJ REVOP.A C:/Windows/System32/0021-bdl94126.EXE

TROJ BRISS.H C:/Windws/System32/a.exe

TROJ BRISS.H C:/Windows/System32/bridge.dll

TROJ SMALL.GO C:/Windows/System32/CS4P028.exe

BKDR SANDBOX.A C:/Windows/System32/Lkyqfy.exe

TROJ STILEN.A C:/Windows/System32/silent.exe

These were all NonCleanable by the scan. I'll get right on fixing those other things!!!
©2003 - 2009 DaniWeb® LLC