Hi, I saw how you helped someone else in the forums and it seems like you'd be able to help me too!!
I downloaded Spybot and Ad-Aware and I have Norton and ran them all, but they can't get rid of my computer problems! First it started off with just annoying pop-ups, then it got worse. The first thing that went wrong was my Windows Media Player stopped working. I'd click to open it up, and it just wouldn't open. Now my Adobe Photoshop doesn't work. It goes through its startup process, then as it's about to open, it just crashes. I've even tried uninstalling/reinstalling twice. However, when I reinstall WMP, it works for a while before it stops.
So, I did the Trend Micro scan like you suggested to the other person you helped in the forums, and it came up with this:
(Oh, also, I have Norton Anti-Virus and it didn't detect or remove these. And I've also run Norton and Ad-Aware and Spybot in Safe Mode, and that didn't get rid of the problem either)
JS INOR.M
CHM Psyme.Y
JS IESTART.PS
TROJ REVOP.A
TROJ ISTBAR.DW
TROJ BRISS.H (This appears twice after the scan)
TROJ SMALL.GO
BKDR SANDBOX.A
TROJ STILEN.A (This appears twice after the scan)
Do I have to buy the Trend software to get rid of these, or can you help me? Or can anyone on this forum help? I'd *greatly* appreciate any help!!!
Thanks for reading,
SH
Oh, sorry, forgot something else it does too. When I try to reboot, it says that the cmd prompt is running and it won't restart unless I close the program. Most of the time it won't let me close the cmd prompt (even though it's not visible) and I just have to manually hit the restart button.
And before Adobe crashed it was randomly changing the icons for the photoshop files I had on my desktop, and as of right now, I can't even click on my desktop until I restart my computer. It's like there is a wall preventing me from clicking on my desktop :(.
Sorry for the extra post, just remembered those few things!
SH
Really I suggest that you reformat your PC and then install Windows again.
It is better :(
Go here for an on-line scan & set it to autoclean for you. Make SURE that you set it to clean.
Download HijackThis from here & unzip it into its own, permanent folder, (not a temporary folder & not on the desktop). Start HJT & press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is harmless & even necessary to the running of your system.
I did the scan you linked to again, and it only came up with 9 viruses this time, but they were all non-cleanable or could not be accessed.
Here are the results of the Hijack this scan, I didn't delete anything like you said:
Logfile of HijackThis v1.97.7
Scan saved at 10:11:48 PM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN\MSNIA\dslmon.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\temp\9R.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\BRD\Application Data\ahso.exe
C:\WINDOWS\System32\wapisvsu.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Hijack This\HijackThis.exe
I just downloaded and installed Zone Alert Firewall and did the free scan. Here is what it came up with:
Found the following tracking cookies on your computer:
That is only half the log. Under what you have here there should also be entries that include R1, R0, O1, O2, O3, O4 etc.
Do this first though:
Reboot into safe mode following the instructions here & navigate to & delete
C:\windows\temp< entire contents of folder
C:\WINDOWS\system32\pcs< folder
C:\Program Files\Common Files\Dpi< folder
C:\Documents and Settings\BRD\Application Data\ahso.exe< file
C:\WINDOWS\System32\wapisvsu.exe< file
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.
Reboot normally after doing the above then post a fresh log plz. Please make sure it has the entire log. Check other threads here if you are unsure what it should look like.
Sorry about that! I removed what you said and did the scan again, here is all of it this time :rolleyes: Stupid me!!!
Logfile of HijackThis v1.97.7
Scan saved at 11:50:04 PM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN\MSNIA\dslmon.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
F:\Program Files\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [9R] C:\windows\temp\9R.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\BRD\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKCU\..\Run: [Eitt] C:\Documents and Settings\BRD\Application Data\ahso.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07a3224205185c5ce406/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7328819444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Thanks again SO MUCH for your help!!!!!
Aha. You have a CWS infection too. More downloading to do. You may want to print this out. Sorry it's quite a bit, but you have a few problems there.
--------------------------------------------------------------------------
Download CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch in its database. Close ALL windows, including IE, before running CWShredder. Reboot.
To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.
--------------------------------------------------------------------------
R3 fix.
Launch Notepad, and copy/paste the bold below into a new text file. Save it as URLRepair.reg (Change the 'Save As Type' to 'All Files'). Save it in C:\ (or on the desktop)
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
Locate it (in C:\) and double-click on it (launch it). You'll receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer yes and wait for a message to appear similar to "Merged Successfully".
--------------------------------------------------------------------------
Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe
Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.
Copy and paste the following text into the address bar, then hit 'Go':
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
In the pane on the right are the values associated with that key.
We want to remove these:
{4FC95EDD-4796-4966-9049-29649C80111D}_
{5D60FF48-95BE-4956-B4C6-6BB168A70310}_
Notice the underscore at the end.
Right click on each, (not sure if you can do them as one, or if you need to do it one at a time) and select delete.
If you get a confirmation question, respond OK then close out of the program.
--------------------------------------------------------------------------
Once done Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' : (Very important that no other windows are open or they will NOT get fixed)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll (file missing)
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O4 - HKLM\..\Run: [9R] C:\windows\temp\9R.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\BRD\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Eitt] C:\Documents and Settings\BRD\Application Data\ahso.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07a3224...ip/RdxIE601.cab
Reboot into safe mode following the instructions here & navigate to & delete
C:\Program Files\TV Media< folder
C:\PROGRA~1\Lycos< folder
C:\PROGRA~1\INCRED~1< folder
C:\DOCUME~1\BRD\LOCALS~1\Temp< entire contents of this folder
C:\WINDOWS\system32\pcs< folder
C:\Program Files\Common Files\Dpi< folder
C:\Program Files\LiveUpdate< folder
C:\WINDOWS\alchem.exe< file
C:\Documents and Settings\BRD\Application Data\ahso.exe< file
C:\WINDOWS\System32\wapisvsu.exe< file
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.
Be certain to follow these instructions exactly. If you're not sure, get back here.
Reboot normally after doing the above then post a fresh log plz.
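Crunchie's read of the log above picks out the same few patterns each time: R0/R1 start and search pages pointing at an unknown host, R3 URLSearchHooks whose CLSID carries a stray underscore or that point to no file, O2 BHOs whose DLL is missing, and O4 Run entries or running processes launched from temp or Application Data. The script below is an added example, not code from this thread or from HijackThis, that applies those checks to log lines in this format; the EXPECTED_HOSTS allowlist is an assumption for the demo, and the sample log is constructed from entries posted in this thread.

```python
import re
from urllib.parse import urlparse

# Triage heuristics for HijackThis v1.97 log lines (example code, not HijackThis's own).
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
# Directories that a startup entry or a running process should not normally come from.
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\locals~1\\temp\\")
# Assumption for this demo: the only start/search pages this machine is expected to use.
EXPECTED_HOSTS = {"www.msn.com", "www.microsoft.com"}

# Constructed sample, assembled from entries that appear in this thread's logs.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\windows\temp\9R.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [9R] C:\windows\temp\9R.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\BRD\LOCALS~1\Temp\bundle.exe
O4 - HKCU\..\Run: [Eitt] C:\Documents and Settings\BRD\Application Data\ahso.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.antivirus.com/housecall/xscan53.cab
"""


def suspicious_path(path: str) -> bool:
    """True if the path lives under a temp or per-user profile data directory."""
    low = path.lower()
    return any(d in low for d in SUSPECT_DIRS)


def check_entry(kind: str, body: str):
    """Return a reason string if a log entry looks like a hijack, else None."""
    parts = body.split(" - ")
    if kind in ("R0", "R1"):
        # "...\Main,Start Page = http://host/..." : compare the host to the allowlist.
        m = re.search(r"=\s*(https?://\S+)", body)
        if m:
            host = (urlparse(m.group(1)).hostname or "").lower()
            if host not in EXPECTED_HOSTS:
                return f"IE start/search page redirected to {host}"
    elif kind == "R3" and len(parts) >= 3:
        # "URLSearchHook: (name) - {CLSID} - file": a mangled CLSID is the
        # underscore trick discussed in this thread; "(no file)" is an orphan hook.
        clsid, target = parts[1].strip(), parts[-1].strip()
        if not GUID_RE.match(clsid):
            return f"URLSearchHook CLSID is malformed: {clsid}"
        if target == "(no file)":
            return "URLSearchHook points to no file"
    elif kind == "O2" and parts:
        if parts[-1].strip().endswith("(file missing)"):
            return "BHO registered but its DLL is missing"
        if suspicious_path(parts[-1]):
            return "BHO loaded from a temp/profile directory"
    elif kind == "O4":
        # "HKLM\..\Run: [name] target": look at what the Run value launches.
        m = re.search(r"\]\s*(.*)$", body)
        if m and suspicious_path(m.group(1)):
            return "Run entry launches from a temp/profile directory"
    return None


def scan_log(text: str):
    """Return [(line, reason)] for every suspicious process path or log entry."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            reason = check_entry(m.group(1), m.group(2))
        elif PROCESS_RE.match(line) and suspicious_path(line):
            reason = "running process from a temp/profile directory"
        else:
            reason = None
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in scan_log(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

The script only flags entries for review; whether to remove one is still a judgement, as the thread shows for the legitimate Adobe BHO and Symantec Run entry, which it leaves alone.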
I ran virus scan again from that link you gave me, and I'm posting the name and path here for you. The information you gave me above may fix these, but I just wanted to make sure:
TROJ REVOP.A C:/Documents and settings/BRD/Local settings/Temporary Internet Files/content.IE5/PR7BLHWE/bdl14025(1).exe
TROJ ISTBAR.DW C:/Windows/Downloaded Program Files/ISTactivex.dll
TROJ REVOP.A C:/Windows/System32/0021-bdl94126.EXE
TROJ BRISS.H C:/Windws/System32/a.exe
TROJ BRISS.H C:/Windows/System32/bridge.dll
TROJ SMALL.GO C:/Windows/System32/CS4P028.exe
BKDR SANDBOX.A C:/Windows/System32/Lkyqfy.exe
TROJ STILEN.A C:/Windows/System32/silent.exe
These were all NonCleanable by the scan. I'll get right on fixing those other things!!!
--------------------------------------------------------------------------
--------------------------------------------------------------------------
R3 fix.
Launch Notepad, and copy/paste the bold below into a new text file. Save it as URLRepair.reg (Change the 'Save As Type' to 'All Files'). Save it in C:\ (or on the desktop)
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
Locate it (in C:\) and double-click on it (launch it). You'll receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer yes and wait for a message to appear similar to "Merged Successfully".
I must be doing something wrong on this part, because I can't get it to ask me the Merge question. I created the Text Document, copied everything above into it, then clicked save as All files. When I clicked save as All Files, it asked me if I wanted to replace the existing one, so I said yes. However, when I moved the URLRepair.reg file to C:\ and opened it, nothing happened. It just opened like any other text document file.
I didn't want to do anything below this, I wasn't sure if all these needed to be done in this specific order. :( So, that's where I am...I made the file, copied the info, opened it, and nothing happened, didn't ask me to merge. What did I do wrong?
SH
I dont know if I can help but I had a problem close to yours and I tried Spybot Search and Destroy and it fixed my computer perfectly.
Yes, that and Ad-Aware were the first things I tried, but they couldn't get rid of the problems. A lot of the things that Crunchie has told me have already helped a lot. Thanks anyways, STP72!
SH
I still don't understand about the Merging URLRepair, but I checked the boxes you told me to in the Hijackthis. I deleted the files in Safe Mode, and here is what I have now:
Logfile of HijackThis v1.97.7
Scan saved at 5:16:08 PM, on 5/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
F:\Program Files\Hijack This\HijackThis.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7328819444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
This any better? Thanks so much again!
SH
Oh, and I still have those 8 viruses when I scan my computer on Trend Micro. Evil buggers :evil:
That's a lot better. With that R3 entry try this:
Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe
Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.
Copy and paste the following text into the address bar, then hit 'Go':
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
In the pane on the right are the values associated with that key.
We want to remove this one & any others with that underscore at the end or beginning:
{CFBFAE00-17A6-11D0-99CB-00C04FD64497}_
Notice the underscore at the end.
Right click on each, and select delete.
If you get a confirmation question, respond OK then close out of the program.
Let me know if this fixes it, it should do.
Hey Crunchie, I did what you said and ran Hijack again, here is what it came up with:
Logfile of HijackThis v1.97.7
Scan saved at 9:19:05 AM, on 5/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Avant Browser\iexplore.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
F:\Program Files\Hijack This\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7328819444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
However, I ran the free virus scan again from your link, and it says I still have these viruses on my computer:
TROJ REVOP.A C:/Documents and settings/BRD/Local settings/Temporary Internet Files/content.IE5/PR7BLHWE/bdl14025(1).exe
TROJ ISTBAR.DW C:/Windows/Downloaded Program Files/ISTactivex.dll
TROJ REVOP.A C:/Windows/System32/0021-bdl94126.EXE
TROJ BRISS.H C:/Windws/System32/a.exe
TROJ BRISS.H C:/Windows/System32/bridge.dll
TROJ SMALL.GO C:/Windows/System32/CS4P028.exe
BKDR SANDBOX.A C:/Windows/System32/Lkyqfy.exe
TROJ STILEN.A C:/Windows/System32/silent.exe
Thanks so much again! Your help has already fixed my Windows Media Player, and I have a lot less pop ups. The only major problem that I can see is my Photoshop files I have on my desktop keep randomly changing icons, and my Adobe Photoshop still crashes when I try and open it. :o
For those viruses, do I just go in safe mode and find and delete them? I was looking in my System32 folder, and I found silent.exe and a.exe, so I wasn't sure if that's what I'm supposed to do. Thought I'd wait for the expert to tell me!
Thanks again!
SH
Hi. Those viruses that the scan shows usually show in the hjt log (or at least some of them do).
Clean out all those in your last post by going into safe mode. Reboot back in to normal mode & then disable system restore temporarily.
Post a new hjt log then we can enable system restore again. Just note that all previous restore points will be lost.
Check how Photoshop is after removing those viruses, although it may be necessary to uninstall it & then reinstall.
The log you posted looks clean now, but I want to be sure after you remove those items.
How to disable system restore: Here.