Can't delete virus

Question

Larry H 0 Newbie Poster

19 Years Ago

This is my first visit to this site and I need some help.
When you open Internet Explorer the following virus notice comes onto the screen
VIRUS DETECTED
C:\WINDOWS\TEMP\SE.DLL
Trojan Horse Startpage.19J
When you press the heal button it heals it and then comes up with a box in the bottom of the screen which says RUNDLL. However, every time you open internet explorer this same virus comes up again.
We have AVG Version 7 and AD-AWARE SE on our computer but we can't get rid of the virus.
Can anyone help me please? I'm new to this.
Thanks

I, too, am new to this site & have the exact same problem coming up sincelast week.

Larry H

windows-virus

4 Contributors
29 Replies
771 Views
4 Months Discussion Span
Latest Post 19 Years Ago Latest Post by dlh6213

dlh6213 27 Posting Maven

19 Years Ago

Hi Larry, welcome to DaniWeb :D

I've split your post into it's own thread per forum rules (http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules)

Download, install, update, and run these tools:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html

Please get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it in this thread.

DMR 152 Wombat At Large

19 Years Ago

Hi Larry,

Please do as dlh6213 suggested and we'll go from there:

Please get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html
Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it in this thread.

dlh6213 27 Posting Maven

19 Years Ago

Need help with all the above. Have tried to download CW and Buster and hasving no luck and the Hijack This I need more detailed stp by step help. Nothing seems to be working to get this problem out of my system.
larry H

What kind of problem are you having getting CWShredder and about:Buster?

DMR 152 Wombat At Large

19 Years Ago

Hi, I think I properly installed and ran the Hijack this program, then copie& pasted the log and sent it to you. That was on Friday. It's Tues. morn and I've had no reply-- [I understand your time is limited but just want to make sure it was rec'd.
larry H

Sorry to leave you hanging Larry,

My birthday was on the 10th, I had relatives visiting from then until the 17th, I took a much-needed trip to Yosemite National Park somewhere in there, and also lost my Internet service for a few days too boot... a long week & 1/2.

You definitely have a version of the About:Blank infection at the very least.

1. Download, install, and run the MS AntiSpyware program that buddylee614 linked to; let it fix everything it finds.

2. Try these alternate download links for About:Buster and CWShredder:

about:buster
CWShredder

3. Also download this "about:blank" removal tool.

4. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Run the three removal utilities I linked to above consecutively.

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.

5. Run HijackTHis again and post a new log.

dlh6213 27 Posting Maven

19 Years Ago

Happy (belated) birthday, Dave!

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Larry H 0 Newbie Poster · Answer 1 · 2005-06-10T00:52:44+00:00

Hi Larry, welcome to DaniWeb :D
I've split your post into it's own thread per forum rules (http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules)
Download, install, update, and run these tools:
CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
Please get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html
Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it in this thread.

Need help with all the above. Have tried to download CW and Buster and hasving no luck and the Hijack This I need more detailed stp by step help. Nothing seems to be working to get this problem out of my system.
larry H

Larry H 0 Newbie Poster · Answer 2 · 2005-06-11T03:28:03+00:00

Hi Larry,
Please do as dlh6213 suggested and we'll go from there:

Hope I've correctly downloaded the malware prog. & copied & pasted the scanlog [even I see a bunch of aboutblank things in it].

Logfile of HijackThis v1.99.1
Scan saved at 5:21:49 PM, on 6/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN PRO\AUTOLAUNCH.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\PICASA2\PICASAMEDIADETECTOR.EXE
C:\WINDOWS\SYSTEM\SRSYSTEMTRAY.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\JUNO\BIN\JUNO.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Juno Online Services, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: BHOPopupSmasher Class - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - C:\WINDOWS\SYSTEM\BLOCKACTIVEX.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: (no name) - {BCDCF4B9-D8CE-11D9-9DB5-F3B7069DB654} - C:\WINDOWS\SYSTEM\AGDH.DLL
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\PROGRAM FILES\JUNO\QSACC\X1IEBHO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SystemTraySR] C:\WINDOWS\SYSTEM\SRSystemTray.exe
O4 - HKLM\..\Run: [MonitorSR] C:\WINDOWS\SYSTEM\SRMonitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: Juno - {53ACB2E0-8D4F-11D9-9DB5-E232C24C1E74} - juno.exe (file missing) (HKCU)
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livesc02.custhelp.com/6030-b463h-iomega/rnl/java/RntX.cab
O18 - Filter: text/html - {BCDCF4B8-D8CE-11D9-9DB5-F3B769D113CF} - C:\WINDOWS\SYSTEM\AGDH.DLL
O18 - Filter: text/plain - {BCDCF4B8-D8CE-11D9-9DB5-F3B769D113CF} - C:\WINDOWS\SYSTEM\AGDH.DLL

Larry H 0 Newbie Poster · Answer 3 · 2005-06-14T20:06:47+00:00

Hi, I think I properly installed and ran the Hijack this program, then copie& pasted the log and sent it to you. That was on Friday. It's Tues. morn and I've had no reply-- [I understand your time is limited but just want to make sure it was rec'd.

larry H

buddylee614 0 Newbie Poster · Answer 4 · 2005-06-15T07:34:57+00:00

use the microsoft antispyware, i bet its gonna get it out
download it for http://www.download.com/Microsoft-Windows-AntiSpyware/3000-8022_4-10353596.html?tag=lst-0-4 or get it from microsoft's website and search for it....

hope that helps.....

buddylee614,viz ex!!

DMR 152 Wombat At Large Team Colleague · Answer 5 · 2005-06-20T04:33:54+00:00

DMR 152 Wombat At Large

19 Years Ago

Happy (belated) birthday, Dave!

Thanks Danny :)

Larry H 0 Newbie Poster · Answer 6 · 2005-06-27T22:57:57+00:00

Thanks to you & your sugestions I think that I--a definite non-techie--have managed to rid my computer of the trojan, the about blank virus, and find and restore my internet explorer.exe [which i found in the recycle bin when i followed your directions to empty the bin. I went ahead and clicked on restore for the explorer, which had been absent from my computer. Just in case, i've gone ahead and run the hijack this again, as you suggested & am sending it along. It APPEARS that everything is back to normal, but can you verify it for me after checking my log?

Thanks so much, Larry H

Logfile of HijackThis v1.99.1
Scan saved at 12:54:55 PM, on 6/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN PRO\AUTOLAUNCH.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\PICASA2\PICASAMEDIADETECTOR.EXE
C:\WINDOWS\SYSTEM\SRSYSTEMTRAY.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\JUNO\BIN\JUNO.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Juno Online Services, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: BHOPopupSmasher Class - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - C:\WINDOWS\SYSTEM\BLOCKACTIVEX.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\PROGRAM FILES\JUNO\QSACC\X1IEBHO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SystemTraySR] C:\WINDOWS\SYSTEM\SRSystemTray.exe
O4 - HKLM\..\Run: [MonitorSR] C:\WINDOWS\SYSTEM\SRMonitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: Juno - {53ACB2E0-8D4F-11D9-9DB5-E232C24C1E74} - juno.exe (file missing) (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livesc02.custhelp.com/6030-b463h-iomega/rnl/java/RntX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

DMR 152 Wombat At Large Team Colleague · Answer 7 · 2005-06-27T23:55:54+00:00

You've still got a bit of spyware stuck between your teeth. :mrgreen:

1. Uninstall WeatherBug through your Add/Remove Programs control panel; the program comes bundled with "unwanted guests".

2. Run HJT again and have it fix:

O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1

3. Delete the entire C:\PROGRAM FILES\AWS folder, emty your Recycle Bin, and reboot.

4. Post a (hopefully) final log for us to review.

Larry H 0 Newbie Poster · Answer 8 · 2005-06-28T02:42:19+00:00

O.K.--did everything [yeah, sometimes that weathwerbug interfered & I hardly used it anyway], here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 4:35:51 PM, on 6/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN PRO\AUTOLAUNCH.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\PICASA2\PICASAMEDIADETECTOR.EXE
C:\WINDOWS\SYSTEM\SRSYSTEMTRAY.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\JUNO\BIN\JUNO.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Juno Online Services, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: BHOPopupSmasher Class - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - C:\WINDOWS\SYSTEM\BLOCKACTIVEX.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\PROGRAM FILES\JUNO\QSACC\X1IEBHO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SystemTraySR] C:\WINDOWS\SYSTEM\SRSystemTray.exe
O4 - HKLM\..\Run: [MonitorSR] C:\WINDOWS\SYSTEM\SRMonitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: Juno - {53ACB2E0-8D4F-11D9-9DB5-E232C24C1E74} - juno.exe (file missing) (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livesc02.custhelp.com/6030-b463h-iomega/rnl/java/RntX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

If all O.K., advise me on how to avoid getting this kind of mess again--even suggest a few links. What I'd been running previous were the following free editions: Grisoft AVG; Spybot S&D; Ad aware; Zone Alarm. Since the problem, I've downloaded all the following--any you'd suggest getting rid of? : Spyware Dr; Xoft spy; About Buster; Spysubtract; Stop It Block It;NoAdaware; CWShedder; HijackThis; Sp.html-Se.dll--hijack fix . . . .which do recommend keeping??

again, thanks so much for your help!

DMR 152 Wombat At Large Team Colleague · Answer 9 · 2005-06-28T04:15:44+00:00

1. That latest log looks good, except I'm curious about these entries:

O4 - HKLM\..\Run: [SystemTraySR] C:\WINDOWS\SYSTEM\SRSystemTray.exe
O4 - HKLM\..\Run: [MonitorSR] C:\WINDOWS\SYSTEM\SRMonitor.exe

Any idea what program they belong to? I've never seen them before, and I can't find any info on them at all.

2. In terms of future protection and what programs you should have:

For one thing, you should have a look at this site; it is pretty much the definitive list of reputable vs "bogus" anti-spyware programs. For example, on that site you can read a bit about the shady past of XsoftSpy and NoAdAware. ;)

Detection and removal tools break down into two categories: general anti-spyware programs, and programs which are targeted at a certain type of infection.

- Of the general programs, the following are probably the most often recommended:

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
Ad Aware SE Personal - http://www.lavasoftusa.com/
SpyBot Search & Destroy - http://www.safer-networking.org/
Spyware Doctor - http://www.pctools.com/spyware-doctor
SpySubtract - http://www.intermute.com/products/spysubtract.html

Given the rate at which new threats are discovered (and old threats "morph" into nastier versions) it's a good idea to keep at least three of the above programs in your toolbox. One of those utilities will often catch something that another missed.

- On the other hand, About:Buster, CWShredder, Sp.html-Se.dll--hijack fix, and the numerous tools like those have been written to eradicate specific and particularly nasty infections that the general tools don't/can't fully deal with; you don't necessarilly need to keep local copies of such tools installed. For one thing, they don't usually have any preventative features, and chances are that you (hopefully) won't need them very often. Additionally, if it turns out that you do need them, chances are that by the time you do, newer versions will have been released, so you'd just have to download the updated versions anyway.

Overall, here's my standard "canned answer" on the whole thing:

Now that your system is clean, here are a few things you can/should do to minimize your chances of future virus/malware infections:

1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many (mostly ActiveX) security loopholes, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder.

These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can b e downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously-install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every two or three days.

Larry H 0 Newbie Poster · Answer 10 · 2005-07-01T01:23:02+00:00

I don't know what to tell you about those 2 entries below [starting with "HKLM\. .Run:"} as my system was loaded and set up by a tech consultant. I am running WIn 98, 2nd ed., if that helps {which is also why the suggestion in an earlier thread to run MS anti-virus/spyware didn't help as it won't work with my version . . . .

SInce I e-mailed you the last log I somehowhave a worse problem! The computer freezes within one minute or so of the desktop icons popping up. (I'm e-mailing from the library & will have to check back here for your reply over next several days). I've only been able to start some of the programs for about a minute. Before it froze, the first item when I ran my anti-virus said "partition table (MBR)" and under "results/infection" it said "changed"--any thoughts on this?

I was able to access HiJack This but the system freezes before I can copy and send it to you, so I've written out the 5 entries that appear after my first one, which looks like something to do with Windows. Tell me if any of these should be deleted--if I can do it before computer freezes:

02-BHO (No name) {53707962-6F74-2D53-2644-206 D7942484F}--C:\Progra~1\SDHELPER.DLL

02-BHO: BHOP PopUpSmasher class{702EA91C-1ACF-4772-8078-18F28 2EE1031} C:\Windows|System|Blockactivex.DLL

02-BHO: PCToolsBrowser Monitor{B5GA7D7D-6927-48C8-A975-17DF 180C71AC}-C:\Progra~1\Spywar~1\Tools\IESDPB.DLL

02--BHO PC Tools Site Guard {5C8B2A36-3DB1-42A4-A3CB-D426709 BBFEB}-C:|Progra~1\Spywar~1\Tools\IESDSG.DLL

02-BHO X1 IE Hook CLass--{52706EF7-D7A2-49AD-A615-E903858CF284--C:\Program Files\Juno\QSACC\X1IEBHO.DLL

I suspect the last one has to do with my ISP, which is Juno. After after these has a word in it that I recognize as some program, so I'm guessing it's one or more of the above (I know last time you told me to use HiJack to get rid of a "no name" program. . . .

As I said, I'll check at the library computer , starting tomorrow and look for your replyh. . . . Wish I knew why this is suddenly happening, though a clue might be that I learned yesterday that after downloading a Zone Alrm update, I need to then open the file I've saved and click on an installation wizard, and I don't think I'd been doing that.

Any way to get around the computer freezing up after 1" ??

Thanks again, Larry

DMR 152 Wombat At Large Team Colleague · Answer 11 · 2005-07-01T02:55:38+00:00

1. Since we don't have any info on the programs mentioned in the "040" log entries, let's leave them alone for the moment.

2. Does the system freeze while you're booted into Safe Mode? (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

3. The MBR/partition table change sounds abnormal; regular programs (except partitioning tools like Partitoin Magic) don't make changes to that area of your hadr drive. Does AVG give you any more specific inforamtion on that message?

4. The 02-BHO entries you listed are all legit. The fist (the "no name") entry is a compnent of the SpyBot utility, and yes- the last entry is related to your ISP's software.

Larry H 0 Newbie Poster · Answer 12 · 2005-07-07T02:26:57+00:00

1. Since we don't have any info on the programs mentioned in the "040" log entries, let's leave them alone for the moment.
2. Does the system freeze while you're booted into Safe Mode? (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)
3. The MBR/partition table change sounds abnormal; regular programs (except partitioning tools like Partitoin Magic) don't make changes to that area of your hadr drive. Does AVG give you any more specific inforamtion on that message?
4. The 02-BHO entries you listed are all legit. The fist (the "no name") entry is a compnent of the SpyBot utility, and yes- the last entry is related to your ISP's software.

--------------------------------------------------
Every time I think the problems are fixed, a new one comes back. Just before receiving your last reply [June 30th] I tried to boot with F 8. It took several tries to time it right but eventually i got into Safe Mode. I was able to run all the safegurards--Grisoft found no viruses. Jijack This looked like the same log I'd last sent you. I cleaned out the few things Spybot S&D found--mostly cookies and temp files. I ran adaware and whatever I had. It seemed like there were no problems found but when I booted up regular way suddenly computer no longer froze and everything work. Now today everything's working except when I try to get on the Internet--computer freezes half way through the log on. When I hit contol/alt/del I see "Glba 233" not repsonding, followed by same letters and different numbers, also [not responding]--any idea what that is?
In F 8 mode I ran everything and don't see anything suspicious except for these: I clicked on "config" in HiJackThis box and found: URL that will be used when fixing hijacked/unwanted MSIE pages: Default Start page: : about:blank . . . .I'm sure I have to get rid of that and put in something else, but not sure what it should be--does just erasing that and putting in MSN sound right??

Also some long strings of letters/numbers under "Temp" and "Temp Int Files" Unsure whether to delete these. For instance, if I click on this one [of half dozen similar ones uner Temp Int] /8zk7g7qp/ I get icon saying "desktop ini" then if i clcik delete , I get message that it's a system file and am I sure I want to delete. About a half dozen of these under temp Int Files and half dozen other thiongs like /df8d9a.temp/ under Temp.

Thanks again for your continued help!

Larry H.

DMR 152 Wombat At Large Team Colleague · Answer 13 · 2005-07-07T03:57:29+00:00

1. I honestly don't know what the "glba" files are. Locate one or more of the files in Windows Explorer, right-click on it, and choose Properties. See if there is any identifying informatio sucha company name, creation/modification date, or the like which might help us determine if the files are legit or not.

2. In terms of the Temp folders, you should delete everything that lives under those main folders. As to the "desktop.ini" files, choose "Yes to all" the first time that you're prompted to delete one. Here's the explanation from one of my earlier posts:

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

3. For the "URL that will be used when fixing hijacked/unwanted MSIE pages..." question: yes- you can change that to whatever URL you want.

Larry H 0 Newbie Poster · Answer 14 · 2005-07-14T03:36:21+00:00

Thanks for your prompt reply . Here's the latest weirdness: after my last post, when I told you I was still getting the computer locked up when i tried to log onto the 'net, I decided to reboot using F8 key again. Once i did that , i ran the Grisoft anti-virus, and all the anti-spyware, programs we've talked about. Nothing came up as a problem except some cookies and temp internet files that Spybot S&D cleaned out, but when I rebooted in regular mode everything's been fine. I haven't shuit off the computer since. I still get "change" in MBR partition when my Grisoft runs, and they don't provide any help with that. . .next experiment is to shut off the computer and then reboot normally and see if it locks up [at least I know i can get things working by rebooting in F8] . . . before that, let me run HijackTHis again and send you a copy of the log for you to check and tell me if there's anything weird.

Thanks a lot once again, Larry

Logfile of HijackThis v1.99.1
Scan saved at 5:31:52 PM, on 7/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN PRO\AUTOLAUNCH.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\PICASA2\PICASAMEDIADETECTOR.EXE
C:\WINDOWS\SYSTEM\SRSYSTEMTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
D:\CARDFILE\cardfile.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\JUNO\BIN\JUNO.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Juno Online Services, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*update.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\PROGRAM FILES\JUNO\QSACC\X1IEBHO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SystemTraySR] C:\WINDOWS\SYSTEM\SRSystemTray.exe
O4 - HKLM\..\Run: [MonitorSR] C:\WINDOWS\SYSTEM\SRMonitor.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [HijackThis startup scan] C:\WINDOWS\DESKTOP\HijackThis.exe /startupscan
O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\RunServices: [HijackThis startup scan] C:\WINDOWS\DESKTOP\HijackThis.exe /startupscan
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: Juno - {53ACB2E0-8D4F-11D9-9DB5-E232C24C1E74} - juno.exe (file missing) (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livesc02.custhelp.com/6030-b463h-iomega/rnl/java/RntX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

Larry H 0 Newbie Poster · Answer 15 · 2005-07-20T21:46:07+00:00

Looks like my last post--a week ago [7-13 dated entry]--didn't get out to you, so I'm re-sending it. We'll see if it works this time. Nothing has changed from last week's post.

Larry H

DMR 152 Wombat At Large Team Colleague · Answer 16 · 2005-07-21T07:24:19+00:00

No, unfortunately it didn't. This forum usually sends me an auto-notification email whenever someone responds to a thread I'm working on, but that feature stopped working for me about a week and a half ago. Since then I've had to track my threads manually, meaning that some have slipped through the cracks. :(

1. I honestly don't see anything obviously problematic in your log; it all looks normal as far as I can tell.

2. Concerning AVG's alerts about changes in the Partition Table:
* That isn't something that a HijackThis log would give any direct clues on, but judging from what the log does show in regard to the programs you're running, I don't see any possible suspects there.
* Certain types of legit programs such as third-party boot managers or "drive overlay" utilities will alter info in the MBR, but I don't get the feeling that you're using any such tools.
* A Boot Record virus is definitely a possibility. As we can't seem to get the exact name of the possible virus from AVG, look into the info on, and suggested fixes for, boot record viruses in general given in the links of the following Google search:
http://www.google.com/search?hl=en&lr=&q=%22boot+record%22+virus+remove+&btnG=Search

Larry H 0 Newbie Poster · Answer 17 · 2005-07-22T01:31:47+00:00

O.K., thanks again. Glad yesterday's post got to you. THings seem O.K. at this point. At least I now have a place to come if similar problems come up. Also intend to check this site, so I can learn a little more.

Larry

DMR 152 Wombat At Large Team Colleague · Answer 18 · 2005-07-25T06:06:28+00:00

Feel free to let us know if anything else crops up; we'll be around. :)

Larry H 0 Newbie Poster · Answer 19 · 2005-08-01T08:53:03+00:00

I assume you deal with the kinds of problems I had: viruses, the trojan horse, etc. BUT, in the likelihood that you can help me out on this weird one. . . .I have a DVD player that was already installed when i received the system. It's a Dell "Software CineMaster 98". The weird thing is that some days it plays and some days I put in a DVD and the little green light keeps blinking and nothing happens. The same movie will play fine one day and then not the next. The only thing that I can do is keep shutting down, then rebooting and hoping this'll be the reboot that works.

Any clues??

larry H :rolleyes:

DMR 152 Wombat At Large Team Colleague · Answer 20 · 2005-08-04T04:25:25+00:00

Hi Larry,

There could be a few different reasons for that problem, but the cause is almost certainly not related to spyware. Given that, you should start a new thread for this particular problem in one of our forums under the Hardware category; one of those sub-forums would be more suited to that type of problem.

Larry H 0 Newbie Poster · Answer 21 · 2005-10-12T08:57:31+00:00

Hi, folks,

It's been a couple of months since i've contacted you but i gues this thread is still active.
Over the summer you'd help me get rid of a Trojan Horse that brought in with it the aboutblank virus. Recently when i happened to click on my pull down box at the top center of the page when I'm on the Internet and looked at at all the addresses of the recent Internet sites i'd been on i saw on one line that dreaded [aboutblank] with no http or www infront of it like all the sites i know i visited, just those two words with no space between them. What does this mean/ How do i know for sure whether or not I have this cleared out of my system?? :eek:

Larry H

DMR 152 Wombat At Large Team Colleague · Answer 22 · 2005-10-12T12:18:03+00:00

"about:blank" can be a valid Internet Explorer home page; it doesn't necessarilly indicate that you have the dreaded "About:Blank" infection. If, in your Internet Options control panel, you set your IE home page to a blank page by clicking the "use blank" button, your home page's address will display as simply "about:blank".

The definitive test would be to run HijackThis and look at the log. If you see log entries similar to the following, you have the infection; if not, you most likely don't:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Larry H 0 Newbie Poster · Answer 23 · 2005-10-26T19:32:49+00:00

Sorry, meant to get back to you right away. Don't see anything resembling the things in your last response, but just in case I'm going to send you the last hijack this log & see what you say--maybe I'm not catching something.
Thanks again for your help, larry

Actually-- i can't figure out what I did in the past when i was able to send you the log--help! It looks like I have to hit "Save log", but ave it where & then how to attach/send it to you :?: :?:

dlh6213 27 Posting Maven Team Colleague · Answer 24 · 2005-10-27T15:46:25+00:00

The log should be saved in the same folder HijackThis is in, but since you didn't have it in its own folder (C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE), it should be on your desktop somewhere. It would be best to move HJT into a folder of its own (you can do this by right-clicking in an open area of your desktop, and select New, Folder; give the folder a name, like HJT or HijackThis, and then drag the hijackthis.exe icon that is on your desktop into the new folder). Then rescan and the log will be in the same folder.

Once you locate the log, simply copy it and then paste it into the reply box here.