
Hijack This Log Attached

I was advised from the Tech Talk Forum to post my "Hijack This" log in this Forum. I've had quite a few viruses and trojans in my system. I've run Ad-Aware, NoAdware, Spybot, PCBug Doctor, Scan & Repair Utilities and I ran my AVG Virus scan several times. My system is still infected with "System32ssec.exe" and "Trojan horse Generic UGR".

I'm running Windows 2000 Pro. Have constant pop-ups and had to install Pop-Up Stopper Pro. I have Zone Alarm running and Webroot Spy Sweeper, but without the Pop-up Stopper Pro running, I have uncontrollable pop-ups.

The problems originally started with the Task Manager being disabled when hitting Alt+Ctrl+Delete. I then discovered that most of my Administrative Tools are missing. The only tools I have are Internet Services Manager, Personal Web Manager, and Server Extensions Administrator, and Sis Utility Tray. I need help cleaning up the viruses/trojans/spam and recovering the Administrative Tools files that are missing.

Here's the Hijack This:
Logfile of HijackThis v1.97.7
Scan saved at 1:30:21 AM, on 7/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\mqsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\thiselt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Linda Beres\Local Settings\Temp\wz502e\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20073&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20073&k=
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06D99B28-F33D-4E7F-AFE2-180BDE182540} - (no file)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {214B804F-7C16-4762-BE13-83ED51DFCFA5} - (no file)
O2 - BHO: (no name) - {2ADF7B9A-3C74-4C64-BBB5-1D1B062E2948} - (no file)
O2 - BHO: (no name) - {2D8ED8F1-7E54-44F1-A72F-DB798610CF7F} - (no file)
O2 - BHO: (no name) - {3052E7F9-685F-491B-9285-892D7657C8D5} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {32110540-5D44-4784-A6D5-E25C916F3CC1} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {385D17D9-B51D-D33B-695E-5C41DB1BCDBB} - (no file)
O2 - BHO: (no name) - {3D13C454-720F-4CEA-8BED-485B8FEFC401} - (no file)
O2 - BHO: (no name) - {3E0BD2B4-CD77-4173-980E-70CF86E92D35} - (no file)
O2 - BHO: (no name) - {420A7A1A-2B14-47A2-A84B-CD6630433B58} - (no file)
O2 - BHO: (no name) - {42C73763-6E85-480B-81AF-BC379CA5DB92} - \
O2 - BHO: (no name) - {52CD403A-4E70-455D-A93A-ACC877EB05AB} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {559727B9-61CA-42A1-8293-09F6A9FA91EF} - (no file)
O2 - BHO: (no name) - {59259AE4-C55E-4FA5-8687-E7D85CC76582} - (no file)
O2 - BHO: (no name) - {64E76C39-D2BA-47A5-B40B-EE4C883D583A} - (no file)
O2 - BHO: (no name) - {65585EF4-7D08-4A6A-A956-F7F2EDA2B6DE} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {732F0C99-F427-41D4-A741-B54F69404078} - (no file)
O2 - BHO: (no name) - {734A7701-E859-46B9-930A-FD8079B4B06C} - \
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {84FD810B-FA7D-4B09-8C38-06E9C685CF05} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {8C77204D-4C2B-4497-ABE0-8F7752CBF4D3} - \
O2 - BHO: (no name) - {958C2803-DAB8-4388-A43E-69442B1099B3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {9843AEA8-0C52-472E-89CA-96EA9384236B} - \
O2 - BHO: (no name) - {99C1D1C5-BFC9-43BD-998D-2E625F91645A} - (no file)
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB57.dll
O2 - BHO: (no name) - {A32E6C94-AD91-465C-900C-2B94E4EE9A53} - \
O2 - BHO: (no name) - {A51BF0F2-C65A-4C6F-BB66-7E4DFA532DDB} - (no file)
O2 - BHO: (no name) - {AF76883D-FB6C-4366-BF14-08C5E9D0ADC4} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {B4F14F3C-27A2-4920-BB9F-8752240D5032} - (no file)
O2 - BHO: (no name) - {B6053E7A-BE0A-4722-AB73-9599FCC77550} - \
O2 - BHO: (no name) - {C12925C5-B63A-45FE-BF65-D9E1D20C0C14} - (no file)
O2 - BHO: (no name) - {C6E467B4-FCF4-4407-8C3C-8C244FC49283} - (no file)
O2 - BHO: (no name) - {C82F2718-E958-4244-9735-57E8B18C1574} - \
O2 - BHO: (no name) - {DAA29E8C-370D-4F75-A152-E97AC2BC13A3} - (no file)
O2 - BHO: (no name) - {DFE7D27E-C021-4C72-80F3-254B776E0992} - C:\WINNT\system32\ubbv.dll
O2 - BHO: (no name) - {E57C8438-DFEA-46C8-A920-E25A4BA64B3C} - (no file)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O2 - BHO: (no name) - {EC1B360D-2B60-4011-BFAD-FAF5E31C25F9} - (no file)
O2 - BHO: (no name) - {FB112B9D-9CFC-41C0-A5F3-659DE8E138CD} - (no file)
O2 - BHO: (no name) - {FBC4ACF6-D539-485F-B64E-D4B2B4781FB9} - (no file)
O2 - BHO: (no name) - {FCD1E220-7EB4-4F88-93FD-472AE9573870} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {FE18E734-E17C-465B-A92A-629ED66F6BDB} - \
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB57.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141787050\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [w0fc46dd.dll] RUNDLL32.EXE w0fc46dd.dll,I2 000c8a6200fc46dd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [tSdURg2] "C:\WINNT\system32\fhsxc.exe"
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [faxvie] C:\WINNT\system32\faxvie.exe
O4 - HKCU\..\Run: [wallp2.exe] C:\Documents and Settings\Linda Beres\Application Data\System Restore\wallp2.exe
O4 - HKCU\..\Run: [VSL13.exe] C:\WINNT\system32\VSL13.exe
O4 - HKCU\..\Run: [1201.exe] C:\Documents and Settings\Linda Beres\Application Data\System Restore\1201.exe
O4 - HKCU\..\Run: [VSL07.exe] C:\WINNT\system32\VSL07.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Reboot.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin8.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} (Malicious Software Removal Tool) - http://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/21bef264df00ae6ab906/netzip/RdxIE601.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Any help would be greatly appreciated. Thanks!

labber
Light Poster
29 posts since Apr 2005
Reputation Points: 10
Solved Threads: 1
 

Can you please do the following.

===============

Download the newest version of HijackThis (version 1.99.1), then unzip it to "C:\HJT". Then repost your log, either now, or after following the steps in the solution (if provided in this post). This version has features that might be more helpful in 'cleaning' up your system.
Make sure that you unzip it to a permanent folder.

===============

Scan with HiJackThis, then check(tick) the following, if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20073&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20073&k=

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: (no name) - {06D99B28-F33D-4E7F-AFE2-180BDE182540} - (no file)
O2 - BHO: (no name) - {214B804F-7C16-4762-BE13-83ED51DFCFA5} - (no file)
O2 - BHO: (no name) - {2ADF7B9A-3C74-4C64-BBB5-1D1B062E2948} - (no file)
O2 - BHO: (no name) - {2D8ED8F1-7E54-44F1-A72F-DB798610CF7F} - (no file)
O2 - BHO: (no name) - {3052E7F9-685F-491B-9285-892D7657C8D5} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {32110540-5D44-4784-A6D5-E25C916F3CC1} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {385D17D9-B51D-D33B-695E-5C41DB1BCDBB} - (no file)
O2 - BHO: (no name) - {3D13C454-720F-4CEA-8BED-485B8FEFC401} - (no file)
O2 - BHO: (no name) - {3E0BD2B4-CD77-4173-980E-70CF86E92D35} - (no file)
O2 - BHO: (no name) - {420A7A1A-2B14-47A2-A84B-CD6630433B58} - (no file)
O2 - BHO: (no name) - {42C73763-6E85-480B-81AF-BC379CA5DB92} - \
O2 - BHO: (no name) - {52CD403A-4E70-455D-A93A-ACC877EB05AB} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {559727B9-61CA-42A1-8293-09F6A9FA91EF} - (no file)
O2 - BHO: (no name) - {59259AE4-C55E-4FA5-8687-E7D85CC76582} - (no file)
O2 - BHO: (no name) - {64E76C39-D2BA-47A5-B40B-EE4C883D583A} - (no file)
O2 - BHO: (no name) - {65585EF4-7D08-4A6A-A956-F7F2EDA2B6DE} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {732F0C99-F427-41D4-A741-B54F69404078} - (no file)
O2 - BHO: (no name) - {734A7701-E859-46B9-930A-FD8079B4B06C} - \
O2 - BHO: (no name) - {84FD810B-FA7D-4B09-8C38-06E9C685CF05} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {8C77204D-4C2B-4497-ABE0-8F7752CBF4D3} - \
O2 - BHO: (no name) - {958C2803-DAB8-4388-A43E-69442B1099B3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {9843AEA8-0C52-472E-89CA-96EA9384236B} - \
O2 - BHO: (no name) - {99C1D1C5-BFC9-43BD-998D-2E625F91645A} - (no file)
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB57.dll
O2 - BHO: (no name) - {A32E6C94-AD91-465C-900C-2B94E4EE9A53} - \
O2 - BHO: (no name) - {A51BF0F2-C65A-4C6F-BB66-7E4DFA532DDB} - (no file)
O2 - BHO: (no name) - {AF76883D-FB6C-4366-BF14-08C5E9D0ADC4} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {B4F14F3C-27A2-4920-BB9F-8752240D5032} - (no file)
O2 - BHO: (no name) - {B6053E7A-BE0A-4722-AB73-9599FCC77550} - \
O2 - BHO: (no name) - {C12925C5-B63A-45FE-BF65-D9E1D20C0C14} - (no file)
O2 - BHO: (no name) - {C6E467B4-FCF4-4407-8C3C-8C244FC49283} - (no file)
O2 - BHO: (no name) - {C82F2718-E958-4244-9735-57E8B18C1574} - \
O2 - BHO: (no name) - {DAA29E8C-370D-4F75-A152-E97AC2BC13A3} - (no file)
O2 - BHO: (no name) - {DFE7D27E-C021-4C72-80F3-254B776E0992} - C:\WINNT\system32\ubbv.dll
O2 - BHO: (no name) - {E57C8438-DFEA-46C8-A920-E25A4BA64B3C} - (no file)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O2 - BHO: (no name) - {EC1B360D-2B60-4011-BFAD-FAF5E31C25F9} - (no file)
O2 - BHO: (no name) - {FB112B9D-9CFC-41C0-A5F3-659DE8E138CD} - (no file)
O2 - BHO: (no name) - {FBC4ACF6-D539-485F-B64E-D4B2B4781FB9} - (no file)
O2 - BHO: (no name) - {FCD1E220-7EB4-4F88-93FD-472AE9573870} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {FE18E734-E17C-465B-A92A-629ED66F6BDB} - \

O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB57.dll

O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com

O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/21bef264...p/RdxIE601.cab


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:

files...

C:\WINNT\system32\WinNB57.dll
C:\WINNT\system32\ubbv.dll

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in " Safe Mode ".

-

Reboot.

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files:

Download, install and keep updated, SpywareBlaster . If you've installed it for the first time:

1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.

-

Note: Remember to regularly check for updates.

===============

Please download and install the ewido anti-spyware tool.
Close all other applications.
Select language, click Ok.
Click I Agree.
Click Next.
Click Install.
Click Finish.
Wait and Ewido will open to the main screen automatically.
Wait again a few minutes and Ewido should auto-update itself. If it doesn't, click Update at the top of the screen.
This is very important to get updates.
When updating has finished, close Ewido.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear; use arrow up to highlight.
Select the first option, to run Windows in Safe Mode, and hit Enter.
For additional help in booting into Safe Mode, see the following site: HERE

You MUST manage to get into Safe Mode for the fix to work.
Make sure to close all open windows/programs/folders. Have nothing else open while ewido performs its scan!

Open Ewido.
Click on Scanner at the top of the Ewido screen.
Click on Settings.
Under How to Act, click on Recommended Action and choose Quarantine.
Under How to scan, all boxes should be selected.
Under Possibly unwanted software, all boxes should be selected.
On the right side under Reports, click on Automatically generate report after every scan.
Under What to scan, select Scan every file.
Click on the Scan tab.
Click on Complete system scan.
Let the program scan the machine. It can take a while; give it time.
When the scan has finished, at the bottom of the screen click Apply all Actions.
Click Save report.
Click Save Report as (a Save As window should pop up).
Click Desktop.
Click Save.
Exit Ewido.
Reboot back to normal mode.

After rebooting, rescan with hijackthis and post back a new log. Please post the Ewido log also.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 

Thank you for all your help, but do you or anyone know how I can restore the "Administrative Tools" files that were deleted by the viruses/trojans I had? I'm running Win2000 Pro SP4, but my Win2000 CD is SP2... so when I tried to repair, it will not let me do it because I now have SP4 running on my system and the Win2000 CD is SP2? Thanks!

labber
Light Poster
29 posts since Apr 2005
Reputation Points: 10
Solved Threads: 1
 

I think we need to get rid of all the malware on your PC before we try to rectify that problem :). You are still badly infected as the steps I asked you to do were preliminary.
Please do all that I asked and post the logs please.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 

Will do as you asked and thank you for your help. I will work on my system in the next several days :)

labber
Light Poster
29 posts since Apr 2005
Reputation Points: 10
Solved Threads: 1
 

Here's the results of HijackThis and also Ewido Scan Report. Your help is so appreciated. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 10:49:44 PM, on 8/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\system32\khooker.exe
C:\Program Files\Common Files\AOL\1141787050\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Linda Beres\Local Settings\Temp\wz1a89\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09F0C717-6ACF-44CC-87A3-856898069F75} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {3E12C92F-5204-4EFD-A1CA-BB811E0D2E55} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {40F3C07B-A69D-42C9-943E-F44B51027D6C} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {47F55CFE-3E3B-426C-9CE9-4ADD348029D3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {6F8736C8-70CE-4620-81CA-21AAAA56D67E} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8385FDDC-3FBD-409A-AD71-6B3BA622F373} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {917634C0-5CDD-4CB6-A78A-A2647B3EE871} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {943C98C0-3587-4194-B368-4C32B01DB701} - \
O2 - BHO: (no name) - {C4B91D3F-0962-4B62-B536-AC2EB25F7F81} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {CD65EC13-9212-4200-B99F-80F3963EF3C2} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {DDF9195D-3372-4C40-A24E-AE17863E73B1} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {EAAF6E3A-15D6-4FA5-B610-A09944A940FF} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141787050\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [w0fc46dd.dll] RUNDLL32.EXE w0fc46dd.dll,I2 000c8a6200fc46dd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [faxvie] C:\WINNT\system32\faxvie.exe
O4 - HKCU\..\Run: [wallp2.exe] C:\Documents and Settings\Linda Beres\Application Data\System Restore\wallp2.exe
O4 - HKCU\..\Run: [VSL13.exe] C:\WINNT\system32\VSL13.exe
O4 - HKCU\..\Run: [1201.exe] C:\Documents and Settings\Linda Beres\Application Data\System Restore\1201.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT2Net.lnk = C:\Program Files\BT2Net\bt2net.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin8.dll
O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL
O18 - Filter: text/html - {F8D76886-FA88-4DF6-8FBD-C02CF8C91C94} - C:\WINNT\system32\ubbv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:37:10 PM 8/10/2006

+ Scan result:

C:\WINNT\Downloaded Program Files\APInstall_Tiny.dll -> Adware.AccessMedia : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\CONFLICT.1\APInstall_Tiny.dll -> Adware.AccessMedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Local Settings\Temp\mitA.tmp.cab/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Local Settings\Temp\mitA.tmp/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Program Files\Accessories\horejoruj.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\UERS_0001_N82M1105NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\CONFLICT.4\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\CONFLICT.5\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda beres@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda beres@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda beres@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda beres@2o7[3].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda beres@2o7[6].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda beres@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda beres@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda beres@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda beres@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda beres@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda beres@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda beres@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda beres@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda beres@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


::Report end

labber
Light Poster
29 posts since Apr 2005
Reputation Points: 10
Solved Threads: 1
 

Can you please do the following.

-

Please go to Jotti's and have this file scanned. Post the results back here.

C:\WINNT\system32\ubbv.dll

===============

Before we begin, let's move HiJackThis to its own folder, like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders, which, with HiJackThis in its current location, means we'd lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

Also move the "Backups" folder, for HiJackThis, if present.

===============

Scan with HiJackThis, then check(tick) the following, if present:

O2 - BHO: (no name) - {09F0C717-6ACF-44CC-87A3-856898069F75} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {3E12C92F-5204-4EFD-A1CA-BB811E0D2E55} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {40F3C07B-A69D-42C9-943E-F44B51027D6C} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {47F55CFE-3E3B-426C-9CE9-4ADD348029D3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {6F8736C8-70CE-4620-81CA-21AAAA56D67E} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {8385FDDC-3FBD-409A-AD71-6B3BA622F373} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {917634C0-5CDD-4CB6-A78A-A2647B3EE871} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {943C98C0-3587-4194-B368-4C32B01DB701} - \
O2 - BHO: (no name) - {C4B91D3F-0962-4B62-B536-AC2EB25F7F81} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {CD65EC13-9212-4200-B99F-80F3963EF3C2} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {DDF9195D-3372-4C40-A24E-AE17863E73B1} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {EAAF6E3A-15D6-4FA5-B610-A09944A940FF} - C:\Program Files\Accessories\horejoruj.dll (file missing)

O4 - HKLM\..\Run: [w0fc46dd.dll] RUNDLL32.EXE w0fc46dd.dll,I2 000c8a6200fc46dd
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKCU\..\Run: [faxvie] C:\WINNT\system32\faxvie.exe
O4 - HKCU\..\Run: [wallp2.exe] C:\Documents and Settings\Linda Beres\Application Data\System Restore\wallp2.exe
O4 - HKCU\..\Run: [VSL13.exe] C:\WINNT\system32\VSL13.exe
O4 - HKCU\..\Run: [1201.exe] C:\Documents and Settings\Linda Beres\Application Data\System Restore\1201.exe

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINNT\system32\faxvie.exe
C:\Documents and Settings\Linda Beres\Application Data\System Restore\wallp2.exe
C:\WINNT\system32\VSL13.exe
C:\Documents and Settings\Linda Beres\Application Data\System Restore\1201.exe

Search for...

w0fc46dd.dll

...using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear. Use the up arrow to highlight the first option, Safe Mode, and hit Enter.

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 

well I'm unable to do anything now.....the comp boots up and then shuts down completely by itself. It actually powers down (turns off) and then I can't turn it back on for several minutes. I did have the power supply replaced several months ago. I opened up the comp and it looks like the fan on the power supply may not be running???

labber
 

Doesn't sound good. You may have to get your hands on another PSU and try it.

crunchie
 

so you don't think any virus or spyware would physically turn off the computer? I think it does have something to do with the PSU. Thanks!

labber
 

They certainly can cause crashes etc., but if the fan is not turning on your psu, I would have to suspect that first :).

crunchie
 

Well I needed a new power supply. Here's the results of everything you advised. ( Now how do I restore the Administrative Tools missing?)
Results of Jottis and HijackThis:
Online Malware scan: Jotti's Malwarescan 2.99-TRANSITION_TO_3.00-R1


Disclaimer
By uploading files to this server you agree that your files will be stored locally.

Furthermore: this service is by no means 100% reliable. If a scanner reports 'OK', that does not necessarily mean the file is clean. It could be a brand new virus in the wild! Never rely on a single product alone, not even on this service, even though it uses several products. I am therefore not responsible, nor can I be held responsible, for damage caused by this non-commercial online service.

I am also aware of the consequences of a facility like this. I am sure that this whole thing is in no way scientifically correct, since it is a fully automatic service (although manual correction is possible). For example, I am aware that "false positives" (a false alarm in which a clean file is mistakenly detected as a virus) may occur despite the efforts to counter them proactively. I don't consider that a big deal, so please don't e-mail me about such incidents. This is a simple online scanner, not the University of Magdeburg.

The virus signatures are updated every hour. The file size limit is 15 MB per file.
ABUSE OF THIS SERVICE (INCLUDING UPLOADING DELIBERATELY MODIFIED -PACKED/ENCRYPTED/BYTESWAPPED- VERSIONS OF THE SAME FILE) WILL RESULT IN YOUR IP BEING BLOCKED.

Please do not request any of these viruses unless you work for an anti-virus vendor. Viruses are not for trading.

Scanning can take a while, since several scanners are used. In addition, some scanners use a very high heuristic level (which is time-consuming). The scanners used are Linux versions, and there may (or may not) be differences from the Windows scanners. One more note: some scanners detect only one virus when archives containing several malware files are scanned.

Funded by donations (in no particular order) from: Stormbyte Technologies LLC, The ClamAV project, James Love, Gideon Pertzov, Malcolm Murray, Nigel Thomas, Wendy Dickerson, Anthony Midmore, "ethereal", Mark Rubins, Steve S., Eric Johansen, Eric Schechter, Paul Bokel, Wilders Security, Wilfried Lilie, Prevx, SonicWALL, Lance Mueller, Ewido networks, and some people who prefer to remain anonymous... Many thanks to all!

Statistics
Last malware found was SearchBar.dll, detected by:

Scanner                 Malware name
AntiVir                 Adware-Spyware/Eztrack.C adware
ArcaVir                 X
Avast                   Win32:Spyware-gen.
AVG Antivirus           Generic.KDL
BitDefender             X
ClamAV                  X
Dr.Web                  Adware.Softomate
F-Prot Antivirus        X
Fortinet                X
Kaspersky Anti-Virus    not-a-virus:AdWare.Win32.Eztracks.b
NOD32                   X
Norman Virus Control    X
UNA                     Adware.Eztracks
VirusBuster             X
VBA32                   X


You are free to (mis)interpret these automatically generated, invalid statistics. For comparative tests of anti-virus software, visit AV comparatives.

Frequently asked questions (FAQ) - Feedback/comments/questions/false positives (in English only, please)

Logfile of HijackThis v1.99.1
Scan saved at 11:53:31 PM, on 8/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\khooker.exe
C:\Program Files\Common Files\AOL\1141787050\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\mqsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Linda Beres\Local Settings\Temp\wzcbb1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {3895E11E-CE70-4177-8748-744999544856} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {3B24C46B-5E6A-49D6-97C7-82CF8AF7A244} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {40A30527-56E4-4187-A60A-6E64FBC3A660} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {4FC26B6B-9FE8-4FFB-85E6-A3C44D65AA2D} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {54B3101D-8128-4FA3-8C78-5FBE8C68C0E3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {621C0B59-885F-44CB-B663-96815DBF6722} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {75BBAF6C-83D3-4DCC-BE70-8C57A0100C14} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7B6E631B-CE92-4353-BA92-74F8C65D49D2} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {A3778469-65F2-4512-8C27-5EB8882174B5} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {AF22A86B-58C7-48EC-8B10-28C5B59862FE} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {C5912007-7F7D-4C63-89E9-8AE32A2B9DF3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {C9E1BFED-F228-460A-9398-6532325FD4A7} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {D170BD9E-5D5B-4DDA-A869-F9B25AFB3710} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {D24E9E89-EB57-45E4-B971-93303F1A16FD} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {D531A7CE-A0D5-43AD-88C3-80264EA73B8C} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141787050\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin8.dll
O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL (file missing)
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL
O18 - Filter: text/html - {F8D76886-FA88-4DF6-8FBD-C02CF8C91C94} - C:\WINNT\system32\ubbv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

labber
 

Please disable Ewido before going on with the following. Open Task Manager to make certain it has stopped.

Can you please do the following.

===============

You are still running HijackThis from a temp folder, so let's move HiJackThis to its own folder, like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders, which, with HiJackThis in its current location, means we'd lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

Also move the "Backups" folder, for HiJackThis, if present.

===============

Scan with HijackThis and then place a check next to all the following, if present:

O2 - BHO: (no name) - {3895E11E-CE70-4177-8748-744999544856} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {3B24C46B-5E6A-49D6-97C7-82CF8AF7A244} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {40A30527-56E4-4187-A60A-6E64FBC3A660} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {4FC26B6B-9FE8-4FFB-85E6-A3C44D65AA2D} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {54B3101D-8128-4FA3-8C78-5FBE8C68C0E3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {621C0B59-885F-44CB-B663-96815DBF6722} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {75BBAF6C-83D3-4DCC-BE70-8C57A0100C14} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {7B6E631B-CE92-4353-BA92-74F8C65D49D2} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {A3778469-65F2-4512-8C27-5EB8882174B5} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {AF22A86B-58C7-48EC-8B10-28C5B59862FE} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {C5912007-7F7D-4C63-89E9-8AE32A2B9DF3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {C9E1BFED-F228-460A-9398-6532325FD4A7} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {D170BD9E-5D5B-4DDA-A869-F9B25AFB3710} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {D24E9E89-EB57-45E4-B971-93303F1A16FD} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {D531A7CE-A0D5-43AD-88C3-80264EA73B8C} - C:\Program Files\Accessories\horejoruj.dll (file missing)

O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL (file missing)
O18 - Filter: text/html - {F8D76886-FA88-4DF6-8FBD-C02CF8C91C94} - C:\WINNT\system32\ubbv.dll


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINNT\system32\ubbv.dll

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear. Select the first option to run Windows in Safe Mode and hit Enter.

-

Reboot.

===============

Download VirtumundoBeGone by secured2k and save the file to your desktop.
Close all running programs (including your Internet browser).
Double-click VirtumundoBeGone.exe on the desktop.
Read the introductory information, and then click Continue.
Click Start.
When asked if you want to continue, click Yes to run the fix.
Click "Save Log".

==

Please post that log and a log from Hijackthis.

crunchie
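The two fix lists above (the O2/O4/O15 set in the first reply and the O2/O18 set in the second) apply the same few rules of thumb to a HijackThis log: an unnamed BHO whose DLL is missing, an autorun that starts from a profile data folder, loads a path-less DLL through RUNDLL32 or hands IE a URL, a site added to the Trusted Zone, an ActiveX control fetched from a raw IP address, and an O18 handler that is either orphaned or a text/html MIME filter (which sees, and can rewrite, every page IE renders). The script below is an added example written for this page, not code from HijackThis or from anyone in the thread; it encodes those rules as heuristics and runs them over lines copied from the logs posted above. The regexes, the section handling and the "reason" strings are this example's own choices, and the rules are deliberately narrow: anything they do not cover still needs a human reading the log.

```python
"""Heuristic triage of HijackThis (v1.9x) log lines.

Added example for this thread; not part of HijackThis or of any post above.
SAMPLE_LINES are constructed from lines that appear in the thread's logs
(not a complete log). The rules mirror the helper's reasoning when choosing
which entries to tick in "Fix checked".
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: entries copied from the logs posted in the thread.
SAMPLE_LINES = [
    "R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.meloco.com/index.php?i=sm",
    "O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: (no name) - {09F0C717-6ACF-44CC-87A3-856898069F75} - C:\\Program Files\\Accessories\\horejoruj.dll (file missing)",
    "O2 - BHO: (no name) - {943C98C0-3587-4194-B368-4C32B01DB701} - \\",
    "O4 - HKLM\\..\\Run: [w0fc46dd.dll] RUNDLL32.EXE w0fc46dd.dll,I2 000c8a6200fc46dd",
    'O4 - HKLM\\..\\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"',
    "O4 - HKCU\\..\\Run: [wallp2.exe] C:\\Documents and Settings\\Linda Beres\\Application Data\\System Restore\\wallp2.exe",
    'O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"',
    "O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)",
    "O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx",
    "O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\\PROGRA~1\\BT2Net\\BT2PLU~1.DLL (file missing)",
    "O18 - Filter: text/html - {F8D76886-FA88-4DF6-8FBD-C02CF8C91C94} - C:\\WINNT\\system32\\ubbv.dll",
    "O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINNT\\system32\\ZoneLabs\\vsmon.exe",
]

# "O4 - rest of line": section code, then the entry body.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# URL whose host is a dotted-quad rather than a name.
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")
# Executable living under a user's Application Data / Local Settings tree.
PROFILE_DATA_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(?:Application Data|Local Settings)\\", re.I)
# RUNDLL32 given a DLL name with no directory (resolved via the search path).
PATHLESS_RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+[^\s\\:]+\.dll\b", re.I)


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def triage_line(line: str):
    """Return a Finding for a suspicious HJT line, or None for a benign one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if sec == "O2":
        # Orphaned CLSIDs left behind after the DLL was quarantined.
        if "(no name)" in body and ("(file missing)" in body or body.endswith("- \\")):
            reasons.append("unnamed BHO whose DLL is missing (orphaned CLSID)")
    elif sec == "O4":
        if PROFILE_DATA_RE.search(body):
            reasons.append("autorun launched from a user profile data folder")
        if PATHLESS_RUNDLL_RE.search(body):
            reasons.append("RUNDLL32 loads a DLL given without a path")
        if "http://" in body.lower():
            reasons.append("autorun passes a URL to the browser")
    elif sec == "O15":
        reasons.append("site added to the IE Trusted Zone")
    elif sec == "O16":
        if IP_URL_RE.search(body):
            reasons.append("ActiveX control downloaded from a raw IP address")
    elif sec == "O18":
        if body.lower().startswith("filter: text/html"):
            reasons.append("text/html MIME filter can rewrite every page")
        if "(file missing)" in body:
            reasons.append("protocol/filter handler points at a missing DLL")
    return Finding(sec, line.strip(), reasons) if reasons else None


def triage_log(lines):
    """Run triage_line over every line and keep only the hits."""
    return [f for f in (triage_line(l) for l in lines) if f]


def summarize(findings):
    """Count findings per HJT section, e.g. {'O2': 2, 'O4': 3, ...}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    hits = triage_log(SAMPLE_LINES)
    for f in hits:
        print(f"[{f.section}] {f.line}\n      -> {'; '.join(f.reasons)}")
    print(summarize(hits))
```

Run as a script it prints each flagged line with its reasons. On the sample it flags exactly the entries the two replies asked to have ticked, plus the PopupSh ActiveX control fetched from 206.222.26.90, which the thread never addressed; the meloco.com start page and the named, present BHOs and services pass untouched, which is the point of keeping the rules narrow rather than matching on anything unfamiliar.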
 

Here's the logs for VirtumundoBeGone and HijackThis.


[08/22/2006, 20:14:02] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Linda Beres\Desktop\VirtumundoBeGone.exe" )
[08/22/2006, 20:14:04] - Detected System Information:
[08/22/2006, 20:14:04] - Windows Version: 5.0.2195, Service Pack 4
[08/22/2006, 20:14:04] - Current Username: Linda Beres (Admin)
[08/22/2006, 20:14:04] - Windows is in NORMAL mode.
[08/22/2006, 20:14:04] - Searching for Browser Helper Objects:
[08/22/2006, 20:14:04] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/22/2006, 20:14:04] - BHO 2: {0CF0B8EE-6596-11D5-A98E-0003470BB48E} (CCHelper Class)
[08/22/2006, 20:14:04] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/22/2006, 20:14:04] - Finished Searching Browser Helper Objects
[08/22/2006, 20:14:04] - Finishing up...
[08/22/2006, 20:14:04] - Nothing found! Exiting...

Logfile of HijackThis v1.99.1
Scan saved at 8:17:18 PM, on 8/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\khooker.exe
C:\Program Files\Common Files\AOL\1141787050\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\mqsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Linda Beres\Local Settings\Temp\wz46f9\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141787050\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin8.dll
O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

labber
 

Try this please.

Right-click the Start button, and then click Properties. On the Start Menu tab, click Customize. On the Advanced tab, under Start menu items, click System Administrative Tools. Click to select either the Display on the All Programs menu or the Display on the All Programs menu and the Start menu option. Click OK, and OK again to save the change.

If that does not work, and if you have your installation disc available, put the CD in the drive, then go to Start|Run, type in sfc /scannow and hit OK. This will replace any corrupt files.

crunchie
 

When I right-click the Start button there is no Properties selection???
I tried your 2nd option by inserting my installation CD, clicking Start/Run and typing in sfc/scannow, and I get the following error: Cannot find the file sfc/scannow (or one of its components). Make sure the path and filename are correct and that all required libraries are available.

Now what do you think? Thanks!!!

labber
 

I'm not sure if you saw my latest post from about a week ago, but here it is again. Any help you can give is always appreciated. I did get a suggestion to do a Slip Stream to restore any corrupt files, but I was hoping there was an easier solution. Any suggestions?

When I right-click the Start button there is no Properties selection???
I tried your 2nd option by inserting my installation CD, clicking Start/Run and typing in sfc/scannow, and I get the following error: Cannot find the file sfc/scannow (or one of its components). Make sure the path and filename are correct and that all required libraries are available.

Now what do you think? Thanks!!!

labber
 

Did you include the space before the switch? Like this: sfc /scannow, not like this: sfc/scannow, as you showed it above.

crunchie
 
