0

Okay, a lot of crap got downloaded on my computer that is giving me so much trouble...

1) Spyware Avenger - I did not download it.
2) Virus Hunter Security -- I did not download this either.
3) There is a desk top icon called Sex and when I right click on it, it tells me to uninstall it, I need to go to Program Add/remove, but none of them show up there though! When I went to the directory and deleted the exe file of this Sex program, it came back
3)There is a very small searchbar on the right bottom corner.

Also, my IE craps out, and when I am online, every 20 minutes or so, it tells me that it is trying to open some webcam, but it cannot since I have blocked all the Active X download, and then my IE craps out on me and I get disconnected. When I try to re-dial, it doesnot find my modem, and I have to reboot the computer. It has become a real pain in the ass..

I have already run Spybot,Spyblaster,Addware,CWshredder.


Here is the hijackthis log..Please help!! Any help would be greatly appreciated.

Logfile of HijackThis v1.99.0
Scan saved at 9:33:44 PM, on 4/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\msoffice.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\isrvs\desktop.exe
C:\winnt\system32\zyibtc.exe
C:\winnt\system32\calc.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
F3 - REG:win.ini: run=C:\WINNT\system32\msoffice.exe
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: (no name) - {860CE847-8298-4114-B142-14043C2942B1} - C:\WINNT\drexinit.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Service Scheduler] scheduler.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [zyibtc] c:\winnt\system32\zyibtc.exe
O4 - HKLM\..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKLM\..\RunServices: [Service Scheduler] scheduler.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {166AB7E0-5E62-4F7A-B199-07124C06AA51} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {166AB7E0-5E62-4F7A-B199-07124C06AA51} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: AVSync Manager - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Service Scheduler - Unknown - C:\WINNT\system32\scheduler.exe (file missing)
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


This is your silentrunner file..

"Silent Runners.vbs", revision 32, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"AIM" = "C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"IgfxTray" = "C:\WINNT\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINNT\system32\hkcmd.exe" ["Intel Corporation"]
"LoadQM" = "loadqm.exe" [MS]
"CARPService" = "carpserv.exe" ["Conexant Systems"]
"HPDJ Taskbar Utility" = "C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb05.exe" ["HP"]
"Smapp" = "C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" ["Analog Devices, Inc."]
"Service Scheduler" = "scheduler.exe" [file not found]
"Desktop Search" = "C:\WINNT\isrvs\desktop.exe" [empty string]
"ffis" = "C:\WINNT\isrvs\ffisearch.exe" [null data]
"zyibtc" = "c:\winnt\system32\zyibtc.exe" ["TODO: <Company name>"]
"farmmext" = "C:\WINNT\farmmext.exe" ["FarmMext"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00000049-8F91-4D9C-9573-F016E7626484}\(Default) = "CeresObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\ceres.dll" ["Ceres"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{2E246FAE-8420-11D9-870D-000C2917DE7F}\(Default) = "Loader Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Loader.dll" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}\(Default) = "IE Update Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\isrvs\sysupd.dll" [null data]
{860CE847-8298-4114-B142-14043C2942B1}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\drexinit.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\YAHOO!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "run" = "C:\WINNT\system32\msoffice.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/html\CLSID = "{950238FB-C706-4791-8674-4D429F85897E}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\isrvs\mfiltis.dll" [null data]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\ssstars.scr" [MS]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVSync Manager, AvSynMgr, ""C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe"" ["Network Associates, Inc."]
McShield, McShield, ""C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe"" ["Network Associates, Inc."]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINNT\system32\CSLSP.DLL ["Networks Associates Technologies, Inc."], 01 - 13, 27
%SystemRoot%\system32\msafd.dll [MS], 14 - 16, 19 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 17 - 18


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

3
Contributors
11
Replies
12
Views
12 Years
Discussion Span
Last Post by DMR
0

1. You are running a slightly older version of HijackThis. The current version is 1.99.1; please download that version from the link in my sig below and use it from now on.


2. You've got signs of infections by a couple of the more persistent nasties that are making the rounds. Before posting a log from the new version of HJT, please run the following free detection and removal programs.

You should temporarilly disable your McAfee program(s) before performing these scans to avoid any possible conflicts:

- KAV and Microsoft AntiSpyware; step-by-step instructions for using both can be found here. Follow the instructions exactly.

- http://housecall.trendmicro.com/

- http://www.ravantivirus.com/scan/

- http://www.bitdefender.com/scan/licence.php


3. When you've completed the above scans:

- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.


4. Reboot normally, run the new version of HJT, and post teh log it generates.

0

Thanks for replying. I'll go and do what you asked, and post a new log. I couldn't get back on here sooner...

0

I couldn't get back on here sooner...

No problem. I'm sure one of us will be around when you get a chance to repost. :)

0

Okay, I ran the KAV and found so many trojans that I felt like I was married to Helen of Troy. :evil:

Deleted everything under the Temp folder and the folrders you suggested. It seems like some of the things are running smoother, and some of the things are gone, but I am still not so sure.

Here is the HJT 1.99.1 logfile...

Logfile of HijackThis v1.99.1
Scan saved at 2:15:26 PM, on 4/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\carpserv.exe
C:\WINNT\isrvs\desktop.exe
C:\hijackthis199\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.cyber.net.pk:8080;http=proxy.cyber.net.pk:8080
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=C:\WINNT\system32\msoffice.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Service Scheduler] scheduler.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunServices: [Service Scheduler] scheduler.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [mioq] C:\PROGRA~1\COMMON~1\mioq\mioqm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {166AB7E0-5E62-4F7A-B199-07124C06AA51} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {166AB7E0-5E62-4F7A-B199-07124C06AA51} - (no file) (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Service Scheduler - Unknown owner - C:\WINNT\system32\scheduler.exe" -service (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

0

Please go here and have this file scanned.
C:\WINNT\system32\msoffice.exe

Delete if bad and fix the F3 entry in hijackthis.

===============

Go to Add/Remove programs and remove(uninstall) the following, if present:

Desktop Search

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINNT\isrvs\desktop.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Now, let's open a command prompt by going to the start menu and then select 'Run'.

In the box that pops up type in 'cmd'. The command prompt will open.

OR

You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u mfiltis.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O4 - HKLM\..\Run: [Service Scheduler] scheduler.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\RunServices: [Service Scheduler] scheduler.exe
O4 - HKCU\..\Run: [mioq] C:\PROGRA~1\COMMON~1\mioq\mioqm.exe

O9 - Extra button: Microsoft AntiSpyware helper - {166AB7E0-5E62-4F7A-B199-07124C06AA51} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {166AB7E0-5E62-4F7A-B199-07124C06AA51} - (no file) (HKCU)

O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll

O23 - Service: Service Scheduler - Unknown owner - C:\WINNT\system32\scheduler.exe" -service (file missing)


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to "view system and hidden files/ folders:"

folders...

C:\WINNT\isrvs
C:\PROGRA~1\COMMON~1\mioq

Search for...

scheduler.exe

...using "Start | Search...".

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting your PC post back a new log, and let me know how everything goes.

-

crunchie.

0

First of all THANK YOU to you, Crunchie, and DMR. You guys have been AWESOME!!

Okay, I did everything what you and DMR suggested.

When I did the scan yesterday, Kapersky told me that msoffice.exe was infected, and it deleted it, and when I went to the site you listed to do the scan, it was not in the system32 folder, so now I am wondering where and what you saw in my log to know that it was infected.

When I tried to unregister mfiltis.dll, it gave me an error, but when I looked into C:\WINNT\isrvs as you suggested, it was there, so I deleted it. There is also an application in that directory called FFSearch, desktop, an XPI file called isearch.xpi, and msdbhk.dll. Do I need to delete any of these?

Other than that everything you two suggested went smooth. Here is a new log, and please, let me know if I need to fix anything else. Again, no matter how many times I say this, it will not be enough, but THANK YOU, you two. You guys have been great on this forum!!!

Logfile of HijackThis v1.99.1
Scan saved at 3:17:37 AM, on 4/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\carpserv.exe
C:\hijackthis199\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.cyber.net.pk:8080;http=proxy.cyber.net.pk:8080
F3 - REG:win.ini: run=C:\WINNT\system32\msoffice.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

0

First of all THANK YOU to you, Crunchie, and DMR. You guys have been AWESOME!!

Thanks to you as welll. As volunteers here, appreciation of our efforts counts a lot; glad we could help. :)

I am wondering where and what you saw in my log to know that it was infected.

[Yoda]
Anti-spyware force very strong it is in this "crunchie" one. Question not do we what he knows and what he does; if speak It he does, true then It does be.
[/Yoda]


Seriously though:

- Your latest log looks infection-free.
- You should delete the entire C:\WINNT\isrvs folder. It, and any contents within it, were created by one of the infections you had. If you can't delete the folder while booted into Windows normally, try it while booted into Safe Mode as I described earlier.


Let us know if you hve any further problems...

-

0

Not wanting to contradict our young padawan :), you should delete the F3 entry in your log. As you stated the file itself is not on your PC anymore, this is just an orphaned entry leftover.
Just be certain it is not there by making sure you can see all hidden files and folders.

0

Not wanting to contradict our young padawan :), you should delete the F3 entry in your log.

D-oh! No contradiction at all- I totally missed that F3 entry. Thanks for the catch. :)

0

Oh okay, I see what you guys mean!

Thanks guys! I did everything you suggested, and it is running so smooth! Once again thanks, and the next time I have a problem, I know where to come to for help!!

0

Great, glad we could help! :)

Now that your system is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:

1. Use Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously-install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as ever two or three days.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.