I can't get rid of these programs; they keep coming back.
I did what swatkat said
Open NotePad, and copy the contents of the below "Quote" box:-

Quote:
cd %windir%
attrib -s -r -h ALCMTR.EXE
del ALCMTR.EXE
cd system32
attrib -s -r -h install32m.exe
attrib -s -r -h intel32.exe
attrib -s -r -h msnethlp32.exe
attrib -s -r -h Oeoepi32.exe
attrib -s -r -h paytime.exe
attrib -s -r -h Lgjopdch.dll
del Lgjopdch.dll
del install32m.exe
del intel32.exe
del Oeoepi32.exe
del msnethlp32.exe
del paytime.exe


Go to File Menu > Save As, and save the file with the name Test.bat and exit from NotePad.
Download Ewido and install it. Then run, you will receive a warning message saying "Database not found", click "OK" for this. Next in the main screen, click "Update" and click "Start Update". After the update process, exit from Ewido.

Download CCleaner and CWShredder.

and then this


Double-Click on the file Test.bat, a small DOS type window should open and close immediately.

Delete this folder ( and all the files inside it ):-
C:\Program Files\PSGuard

Search for this file and delete it:-
msnethlp32.dll


Run CCleaner, click "Options" button and here go to "Settings" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and choose "Yes" to continue cleaning.

Run Ewido, click on the "Scanner" button in the left menu, then click on the "Start" button.
If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.

Next, run CWShredder and click "Fix".

But they keep coming back every time I open Internet Explorer.
I run adaware, spybot s&d, AVG, zone alarm, ewido and spyblaster.
Is there something I can do to get rid of these things? It seems like after they open my PC locks up.


Hi,
Can you perform an online virus scan at Panda ActiveScan, with "Disinfection" option enabled? Please save the log file it gives after the scan and post the contents of the log file.

Also, download HijackThis and extract it to a dedicated folder (like C:\HJT\hijackthis.exe) and run it, and post its log.

Here is my hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 11:45:45 PM, on 8/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\pbmp3\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FA93E44F-B026-4E28-89BF-33986035EFAD} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

You are running an older version of HijackThis; you can get the latest version of HijackThis from here:
http://www.malwareremoval.com/downloads.html

Then close any open browser windows, scan with HijackThis, and post a new log please.

Here is the new log, sorry for the old one.
I also scanned with the Panda one online and it deleted the wininet.dll. I couldn't use adaware and spybot and Internet Explorer, but I fixed that already.


Logfile of HijackThis v1.99.1
Scan saved at 2:11:42 PM, on 8/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\pbmp3\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = www.google.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FA93E44F-B026-4E28-89BF-33986035EFAD} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Hi,

Please download WinPFind and extract it to a folder.


Run HijackThis and click Do only a System scan.
Then put a check mark in front of the below listed entries:-

O2 - BHO: (no name) - {FA93E44F-B026-4E28-89BF-33986035EFAD} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted IP range: 206.161.125.149

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Restart the PC. Run WinPFind.exe and click "Start Scan". This scan will take some time, even if the title bar says "Program not responding", ignore it. After the completion of the scan, post the WinPfind log and a fresh HijackThis log.

OK, it's long, here it is:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.


If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.


»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000    Current Build: Service Pack 4    Current Build Number: 2195
Internet Explorer Version: 5.00.3700.1000


»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»


Checking %SystemDrive% folder...


Checking %ProgramFilesDir% folder...


Checking %WinDir% folder...


Checking %System% folder...
Umonitor             6/19/2003 1:05:04 PM   529168     C:\WINNT\SYSTEM32\RASDLG.DLL
winsync              5/8/2001 8:00:00 AM    1309184    C:\WINNT\SYSTEM32\wbdbase.deu
UPX!                 1/9/2005 1:37:44 AM    65536      C:\WINNT\SYSTEM32\wined.dll


Checking %System%\Drivers folder and sub-folders...
UPX!                 7/24/2005 12:52:54 AM  668704     C:\WINNT\SYSTEM32\drivers\avg7core.sys
FSG!                 7/24/2005 12:52:54 AM  668704     C:\WINNT\SYSTEM32\drivers\avg7core.sys
aspack               7/24/2005 12:52:54 AM  668704     C:\WINNT\SYSTEM32\drivers\avg7core.sys


Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts



Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
H                    8/13/2005 2:16:28 PM   920876     C:\WINNT\ShellIconCache
H                    8/7/2005 10:00:58 AM   2015744    C:\WINNT\w74ca5e40.tmp
S                    8/13/2005 5:16:38 PM   64         C:\WINNT\CSC\00000001
S                    8/13/2005 2:08:58 PM   64         C:\WINNT\CSC\00000002
S                    8/13/2005 1:06:36 AM   64         C:\WINNT\CSC\csc1.tmp
SH                   7/30/2005 2:53:36 PM   10022      C:\WINNT\system32\KGyGaAvL.sys
H                    8/13/2005 5:16:40 PM   890        C:\WINNT\system32\vsconfig.xml
H                    7/13/2005 10:35:32 PM  4212       C:\WINNT\system32\zllictbl.dat
H                    8/13/2005 5:18:14 PM   1024       C:\WINNT\system32\config\default.LOG
H                    8/13/2005 5:16:38 PM   1024       C:\WINNT\system32\config\SAM.LOG
H                    8/13/2005 5:17:22 PM   1024       C:\WINNT\system32\config\SECURITY.LOG
H                    8/13/2005 5:21:50 PM   1024       C:\WINNT\system32\config\software.LOG
H                    8/13/2005 5:16:26 PM   6          C:\WINNT\Tasks\SA.DAT


Checking for CPL files...
Microsoft Corporation          5/8/2001 8:00:00 AM    67344      C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation          6/19/2003 1:05:04 PM   301328     C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation          6/19/2003 1:05:04 PM   237328     C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation          5/8/2001 8:00:00 AM    128272     C:\WINNT\SYSTEM32\hdwwiz.cpl
Intel Corporation              9/18/2000 3:19:34 PM   69632      C:\WINNT\SYSTEM32\igfxcpl.cpl
Microsoft Corporation          6/19/2003 1:05:04 PM   257296     C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation          5/8/2001 8:00:00 AM    118032     C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation          5/8/2001 8:00:00 AM    36112      C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation          11/7/2000 3:16:46 PM   76288      C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation          5/8/2001 8:00:00 AM    122128     C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation          5/8/2001 8:00:00 AM    303888     C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation          5/8/2001 8:00:00 AM    17168      C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation          5/8/2001 8:00:00 AM    41232      C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation          6/19/2003 1:05:04 PM   41232      C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation          6/19/2003 1:05:04 PM   90896      C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation          6/19/2003 1:05:04 PM   83216      C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation          6/19/2003 1:05:04 PM   125712     C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation          5/8/2001 8:00:00 AM    5904       C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation          5/8/2001 8:00:00 AM    61200      C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation          6/19/2003 1:05:04 PM   54272      C:\WINNT\SYSTEM32\wuaucpl.cpl
IBM Corporation                9/23/1999 6:44:36 PM   94208      C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation          5/8/2001 8:00:00 AM    41232      C:\WINNT\SYSTEM32\dllcache\nwc.cpl


»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»


Checking files in %ALLUSERSPROFILE%\Startup folder...


Checking files in %ALLUSERSPROFILE%\Application Data folder...


Checking files in %USERPROFILE%\Startup folder...


Checking files in %USERPROFILE%\Application Data folder...


»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7}   =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}   = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7}   =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}   = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}   = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}   = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll


[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467}   = @msdxmLC.dll,-1@1033,&Radio  : C:\WINNT\System32\msdxm.ocx


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\browseui.dll


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google    : c:\program files\google\googletoolbar1.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
NeroCheck   C:\WINNT\system32\NeroCheck.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
Zone Labs Client    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SpybotSD TeaTimer   C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon    1



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun  145


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray          {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit    = C:\WINNT\system32\userinit.exe,
Shell       = Explorer.exe
System      =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs



»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/13/2005 5:26:12 PM

Hi,
Open NotePad, and copy the contents of the below "Quote" box:-

cd %windir%
attrib -s -r -h w74ca5e40.tmp
del w74ca5e40.tmp
cd SYSTEM32
attrib -s -r -h wined.dll
del wined.dll

Go to File Menu > Save As, and save the file with the name Remove.bat and exit from NotePad.


Boot in safe mode, and double-click on the file created earlier, a DOS type window should open and close immediately.

Next, run Ewido, click on the "Scanner" button in the left menu, then click on the "Start" button.
If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.

Reboot back to normal mode, and post a fresh HijackThis log along with Ewido log.

New HijackThis log after the above fixes you gave me:

Logfile of HijackThis v1.99.1
Scan saved at 12:17:29 AM, on 8/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\pbmp3\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = www.google.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FA93E44F-B026-4E28-89BF-33986035EFAD} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Scan with HJT and have it fix:

O2 - BHO: (no name) - {FA93E44F-B026-4E28-89BF-33986035EFAD} - (no file)

Other than that, your log looks clean to me, but please post the Ewido log to make sure.
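
The log review done by hand in this thread (picking out the BHO whose file is missing, the IE policy restriction and the trusted IP range, then checking a later log to see what is still there) can be sketched as follows. This is an added example, not part of the original posts and not HijackThis code; the function names and the three rules are assumptions taken only from the entries selected in this thread, and the sample lines are copied from the 8/13/2005 and 8/20/2005 logs above.

```python
import re

# Entry lines copied from the two HijackThis v1.99.1 logs posted in this thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = www.google.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FA93E44F-B026-4E28-89BF-33986035EFAD} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
"""

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = www.google.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FA93E44F-B026-4E28-89BF-33986035EFAD} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
"""

# An entry line is "<letter><number> - <rest>", e.g. "O15 - Trusted IP range: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(log_text):
    """Return (code, body) pairs; header and process-list lines do not match."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def triage(log_text):
    """Flag the three kinds of entry selected for fixing in this thread.

    The rules are assumptions of this example, not a full classification:
    a flagged line is a candidate for review by someone who knows the log format.
    """
    findings = []
    for code, body in parse_entries(log_text):
        if code == "O2" and body.rstrip().endswith("(no file)"):
            # BHO registered in the registry but its DLL is not on disk.
            clsid = CLSID_RE.search(body)
            findings.append((code, "bho-without-file", clsid.group(0) if clsid else body))
        elif code == "O6":
            # Policy key restricting the Internet Explorer options.
            findings.append((code, "ie-policy-restriction", body))
        elif code == "O15":
            # Site or IP range added to the IE Trusted zone.
            findings.append((code, "trusted-zone-entry", body.partition(":")[2].strip()))
    return findings


def still_present(before_text, after_text):
    """Return findings from the earlier log that also appear in the later one."""
    later = set(triage(after_text))
    return [finding for finding in triage(before_text) if finding in later]


if __name__ == "__main__":
    for finding in triage(LOG_BEFORE):
        print("flagged:", finding)
    for finding in still_present(LOG_BEFORE, LOG_AFTER):
        print("still present after fix:", finding)
```
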
