
My antivirus is detecting a "Download.Trojan" virus, but it cannot be deleted, cleared, or quarantined. It's pretty much making it so that I can't get on Internet Explorer; I'm amazed I was able to get on now...

Anyways, I ran HJT; here's the log... Hopefully somebody can help me? Bear in mind, when trying to help, that I'm really not that good with computers, so I probably won't understand it unless you make it somewhat easy-sounding ;)

Logfile of HijackThis v1.99.1
Scan saved at 5:17:28 AM, on 4/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Jessica Hortsch\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400011&utm_content=leftnav&utm_source=wdz1&utm_medium=bund&utm_campaign=wdz0605a
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsel.dll
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus Pro 2006\winpgi.dll
O2 - BHO: DosSpecFolder Object - {4BBFA87E-C6CE-483F-89CD-FBE2A457083D} - C:\WINDOWS\system32\pmnlj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINDOWS\system32\mljji.dll
O2 - BHO: (no name) - {DF00FFA0-AEA9-4EA8-A10F-8BB9A7F8508C} - C:\WINDOWS\system32\adsldpbm.dll
O2 - BHO: Bho Class - {EFDAC3FE-F44A-4030-8589-1E23BC6573D5} - C:\WINDOWS\system32\jfevxrxf.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\Jessica Hortsch\Local Settings\Temporary Internet Files\Content.IE5\9EZF2TII\WAS5Scan[1].exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [StarSkin] C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe" /min
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr321.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll (file missing)
O20 - Winlogon Notify: mljji - C:\WINDOWS\SYSTEM32\mljji.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe


Hi, start by going to

Start > Control Panel > Add/Remove Programs and uninstall anything that has to do with:

WinAntiVirus Pro 2006

Then run HJT again, and place a check next to the following items.


R3 - URLSearchHook: (no name) - <default> - (no file)

O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsel.dll

O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus Pro 2006\winpgi.dll

O2 - BHO: DosSpecFolder Object - {4BBFA87E-C6CE-483F-89CD-FBE2A457083D} - C:\WINDOWS\system32\pmnlj.d

O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)

O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINDOWS\system32\mljji.dll

O2 - BHO: (no name) - {DF00FFA0-AEA9-4EA8-A10F-8BB9A7F8508C} - C:\WINDOWS\system32\adsldpbm.dll

O2 - BHO: Bho Class - {EFDAC3FE-F44A-4030-8589-1E23BC6573D5} - C:\WINDOWS\system32\jfevxrxf.dll

O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\Jessica Hortsch\Local Settings\Temporary Internet Files\Content.IE5\9EZF2TII\WAS5Scan[1].exe"

O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe" /min

O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll (file missing)

O20 - Winlogon Notify: mljji - C:\WINDOWS\SYSTEM32\mljji.dll

O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll

Close all browsers and click Fix Checked

----------------------------------------------------

Please download VundoFix.exe to your desktop.
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shut down your computer; click OK.
* Turn your computer back on.

-----------------------------------------------------

Then please download ewido - www.ewido.net - Install. Update. Scan. Remove anything it finds.

-----------------------------------------------------

Post a new HJT log and the ewido log.
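The reply above works through the log by hand: products the thread identifies as rogue or adware (WinAntiVirus Pro 2006, Accoona), randomly named DLLs in system32 registered as Browser Helper Objects, the same DLLs hooked in again as Winlogon Notify handlers, and a Run entry launching out of the Internet Explorer cache. Those are mechanical checks, so here is an added example (mine, not code from the thread or from HijackThis) that applies them to a subset of the posted log. The severity labels, the heuristics and the marker list are my assumptions; a HijackThis log carries no such fields, and the sample is constructed from the lines above.

```python
"""Triage heuristics for HijackThis O2 / O4 / O20 lines.

Added example for this thread, not code from the thread or from HijackThis.
The heuristics, severities and the ROGUE_MARKERS list are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the log posted above (clean lines kept for contrast).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - C:\WINDOWS\system32\admparsel.dll
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus Pro 2006\winpgi.dll
O2 - BHO: DosSpecFolder Object - {4BBFA87E-C6CE-483F-89CD-FBE2A457083D} - C:\WINDOWS\system32\pmnlj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINDOWS\system32\mljji.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\Jessica Hortsch\Local Settings\Temporary Internet Files\Content.IE5\9EZF2TII\WAS5Scan[1].exe"
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe" /min
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll (file missing)
O20 - Winlogon Notify: mljji - C:\WINDOWS\SYSTEM32\mljji.dll
O20 - Winlogon Notify: pmnlj - C:\WINDOWS\system32\pmnlj.dll
"""

# Product names the thread itself identified as rogue / adware (assumption: extend per case).
ROGUE_MARKERS = ("winantivirus", "accoona")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
SYSTEM32_ROOT_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
CACHE_DIR_RE = re.compile(r"\\(temporary internet files|local settings\\temp)\\", re.IGNORECASE)


def basename(path):
    return path.strip().rsplit("\\", 1)[-1].lower()


def first_token_path(cmd):
    """Executable path from a Run command line: the quoted part if quoted, else up to the first switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" -", 1)[0].split(" /", 1)[0]


def triage(log_text):
    """Map lower-cased file name -> list of (severity, reason) for the suspicious lines in log_text."""
    findings = defaultdict(list)
    bho_dlls, notify_dlls = set(), set()

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            dll = basename(m["path"])
            bho_dlls.add(dll)
            if any(k in line.lower() for k in ROGUE_MARKERS):
                findings[dll].append(("high", "BHO belongs to a product the thread identified as rogue/adware"))
            if m["missing"]:
                findings[dll].append(("low", "BHO registered but its DLL is missing: dead entry, safe to fix"))
            if SYSTEM32_ROOT_RE.match(m["path"]):
                why = "BHO loaded from the system32 root instead of a vendor folder"
                if m["name"] == "(no name)":
                    why += ", and registered without a class name"
                findings[dll].append(("medium", why))
        elif m := O20_RE.match(line):
            dll = basename(m["path"])
            notify_dlls.add(dll)
            if m["missing"]:
                findings[dll].append(("low", "Winlogon Notify DLL is missing: dead entry, safe to fix"))
        elif m := O4_RE.match(line):
            exe_path = first_token_path(m["cmd"])
            exe = basename(exe_path)
            if CACHE_DIR_RE.search(exe_path):
                findings[exe].append(("high", f"{m['hive']} Run value [{m['value']}] launches from a browser cache or temp folder"))
            if any(k in exe_path.lower() for k in ROGUE_MARKERS):
                findings[exe].append(("high", "Run value belongs to a product the thread identified as rogue/adware"))

    # Strongest single signal: one DLL registered both as a BHO and as a Winlogon Notify
    # handler, which is how the Vundo-family entries in this log persist across reboots.
    for dll in bho_dlls & notify_dlls:
        findings[dll].append(("high", "same DLL is both a BHO (O2) and a Winlogon Notify handler (O20)"))
    return dict(findings)


if __name__ == "__main__":
    rank = {"high": 0, "medium": 1, "low": 2}
    for name, reasons in sorted(triage(SAMPLE_LOG).items(),
                                key=lambda kv: min(rank[s] for s, _ in kv[1])):
        for sev, why in reasons:
            print(f"{sev:6} {name:20} {why}")
```

The O2/O20 cross-reference is the check worth keeping: a DLL that is both a Browser Helper Object and a Winlogon Notify handler is loaded by winlogon.exe at boot, which is why the reply reaches for VundoFix rather than deleting files by hand, and why the "(file missing)" entries are the easy ones. Whatever the heuristics leave alone (cfgmngr321.dll in this log) still needs a human look; no finding is not a clean bill.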


Heh, sorry to add more to that long list, but after fixing this problem I would strongly recommend changing browsers and using Firefox instead (link can be found below).

Firefox has fewer security flaws, more timely updates, etc., meaning less spyware on your computer.

Ah well, I think others here will agree with me on this.

Thanks.


Thanks so much. I'm on a different comp right now since I can't get online on mine, but when I find the time tonight I'll do that and get back.


Everything went smoothly until I did the ewido thing. Every time I try to run the scan it stops and does the whole "program is not responding" thing. I looked at the error report and saw what file it was on but can't find it in my files... possibly because it had an ellipsis in the middle of the filename, making it a bit difficult to guess its location...

Oh, and also, there was some sort of error when I fixed all the checked items in HJT... it said something about a bad file name, I think because for some reason it ended in .exe" with the random quotation marks. It said to report it, but I haven't noticed anything wrong, and I'm guessing that it shouldn't be much of a problem... correct me if I'm wrong...

So, any suggestions for how to get through the whole ewido thing without it crapping out on me?


Hmm, have ya tried running it in Safe Mode?

How to get into Safe Mode: repeatedly hit F8 while starting the computer.

Try that.

Thanks.


I tried it in Safe Mode and it still didn't work... it gets to a certain point and says that it "encountered a problem and needs to close", usually around 50%, but I just tried it again and it did that after about 15%... I have no clue what's going on.


Hmm, if that doesn't work, try uninstalling it and downloading it again. There's a possibility there was an error during that.

Along with that, post a new HJT log.

Thanks.


I tried uninstalling and reinstalling ewido, but still to no avail...
It always stops after a certain tracking cookie thing that I have to delete, and the window turns white....

Anyways...
here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:04:09 PM, on 4/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jessica Hortsch\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400011&utm_content=leftnav&utm_source=wdz1&utm_medium=bund&utm_campaign=wdz0605a
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\Jessica Hortsch\Local Settings\Temporary Internet Files\Content.IE5\9EZF2TII\WAS5Scan[1].exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [StarSkin] C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr321.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe


Run HJT again and check the following.


O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\Jessica Hortsch\Local Settings\Temporary Internet Files\Content.IE5\9EZF2TII\WAS5Scan[1].exe"

Click Fix Checked.

Then download CCleaner from www.ccleaner.com. Install it and let it clean.

Then try ewido again.

Post a new HJT log and the ewido log.


That's the file that gave me the error! Haha... back to haunt me now....

Apparently because it ends in .exe" (notice the quotation) it gives me an "unexpected error" and won't do anything... how do I make it work????


Edit: at least I think that's why it won't work. It said something about a "bad file name or number".


Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe and put it on the desktop where you can find it easily.

Now start Killbox. Copy the list of files below to the clipboard by selecting all of them with your mouse (left-click the start of the list and drag the mouse to the bottom of the list), and when they are all selected (highlighted in blue) right-click on any part of the blue area and select Copy.

In Killbox, go to the toolbar, press File and select Paste from Clipboard. The first file name will appear in the window, and if the file exists it will appear in blue under that window. Then select Standard File Kill, press the red X button, say yes to the prompt, and once the "file deleted" message comes up press the red X again; continue to press it until the last file on the list appears in the window and it says deleted.

File list:

C:\Documents and Settings\Jessica Hortsch\Local Settings\Temporary Internet Files\Content.IE5\9EZF2TII\WAS5Scan[1].exe

---------------------------------------------------------------
Once you have deleted that in Killbox (using the above instructions), please try ewido again. Even if it doesn't work, post a new HJT log.


Whenever I try to put the file in it doesn't do anything, and then I just pasted it in without the "paste from clipboard" and tried to check the properties and it said "file not found"....


1. If you did not knowingly install it, uninstall the Accoona toolbar using your Add/Remove Programs control panel. It is classified as Adware/Spyware.

2. Since ewido seems to be giving you trouble, download and install:
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Once installed, open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

3. Run HijackThis again and fix the O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\Jessica Hortsch\Local Settings\Temporary Internet Files\Content.IE5\9EZF2TII\WAS5Scan[1].exe" entry.

4. Reboot into Safe Mode and:

* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

* Run CCleaner with the following custom (and admittedly paranoid) settings applied:

- Go to Options-> Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours"
- Go to Options>Custom>Add Folder, navigate to and select the following folders one at a time (they should then appear in the custom folders/files list):
* C:\Windows\Temp
* C:\Windows\Prefetch
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ (This will delete all your cached internet content including cookies.)
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp
* C:\Documents and Settings\<any other user's Profile>\Local Settings\Temporary Internet Files
* C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temp
* C:\Documents and Settings\<Your Profile>\Cookies
* C:\Documents and Settings\<Any other users Profile>\Cookies
Hit OK

- In left pane, scroll down to "Advanced, Custom Folders", put a check in Custom Folders

- Click on Run Cleaner; close the program when it finishes cleaning.
* Open Spy Sweeper.
- Under the Sweep Options tab, select ALL options under 'What to Sweep'.
- Click the "Sweep" icon and then "Start" to begin scanning.
- When the scan completes, click Next to automatically quarantine all detected items.
- Click the Results icon, select Session Log, and then click Save to File. Save the scan results to your desktop and close Spy Sweeper.

* Open Windows Explorer again, look for the following file, and delete it if found:

C:\Documents and Settings\Jessica Hortsch\Local Settings\Temporary Internet Files\Content.IE5\9EZF2TII\WAS5Scan[1].exe

* Empty your Recycle Bin.

5. Reboot normally, run HijackThis again, and post the new log. Also post the Spy Sweeper log.


The only problem I see here is that I still can't fix the file mentioned in HijackThis.... I keep getting an error... how do I make it work in order to go on to the next step?


OK, then. Let's try to manually remove the offending Registry entry that HJT is having trouble deleting:

1. Download Mad_Cow711.reg and save it to your desktop. (Yes, the file is a tiny little Registry hack that I cooked up just for you... :mrgreen: )
2. Double-click on the downloaded file to run it.
3. Click Yes in the resulting "Are you sure you want to add..." confirmation dialog box.
4. Click OK in the resulting "Information...has been successfully entered..." confirmation dialog.
5. Run another scan with HJT and note whether or not the O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] entry is still listed.
6. Reboot the computer and repeat step #5.
Let us know the results.


It's still there...
But I feel special that you made that just for me! Haha


it's still there...

Well, buggery on the High Seas. Persistent little #@$%!

Please continue with the CCleaner and Spy Sweeper scans as outlined in my earlier post; Spy Sweeper may be able to kill it.


Well, I think the virus may be gone now, since I don't keep getting the damn antivirus prompt... but I think I have a new problem...

After running CCleaner and Spy Sweeper, I restarted my comp. When it started up again I kept getting this blue error screen that said I had to restart again and see if the error came again... and it kept going until after about 8 tries it stopped. But now I can't do much on my computer....

I can't get online, MSN or AIM, and I also can't listen to music with any program... I don't know how these are related, but when I went to Start --> Help and Support it said that it "cannot run because a system service is not running"....

I have no clue how this happened or how to fix it, so if anybody can lead me in the right direction that would be great ;)


Grrr!

1. Please give us the full and exact contents of the blue-screen error if it comes up again. There will probably be what look like cryptic numbers/codes and filenames in the message, but they do mean something and can be helpful in pinpointing the problem.

2. You may be able to regain functionality by booting the computer into its "Last Known Good Configuration". Instructions for doing so can be found here.

3. If you can run Windows' System Restore feature, that may also be able to undo whatever went wrong during the CCleaner/Spy Sweeper scans. Microsoft's instructions for using System Restore can be found here.


I don't think the blue screen will come up again.... but I'm pretty sure it didn't have any file names or anything, and when I tried to look it up in Help and Support it asked about whether or not there was one... but then it told me to restart my computer for some diagnostic or whatever, and after I restarted I couldn't do anything...

I'll try those suggestions, though, when I am at my own comp later... and I'll get back here... thanks!


OK, I tried both suggestions, but both had absolutely no impact whatsoever on the well-being of my computer...

What I'm wondering is, why is the only System Restore point listed like 2 minutes before the time that I restored it? Wouldn't you want to restore it to a point previous to when the problems started???? Just a thought....

Oh, and I hope I don't sound like an idiot asking this, but if I'm the owner of the computer, then if I signed on under my name would I be signing in as the administrator? Because the only other way that I can think of that would allow me to sign in as admin is under Safe Mode.... another thought, possibly wrong....


why is the only system restore point listed like 2 minutes before the time that i restored it?

?!? I'm honestly not sure. Had System Restore been turned off (before that time) for some reason? Did you receive any messages/prompts to that effect when you first ran the utility?

wouldnt you want to restore it to a point previous to when the problems started????

Yes, exactly- that's what we wanted to accomplish in this case.

i'm the owner of the computer, then if i signed on under my name would i be signing in as the administrator?

Although it's a horrendous idea from a security standpoint, the owner's account (the first account created when Windows was installed) is automatically made a member of the Administrator group. Therefore, the answer to your question is essentially: yes, because the owner's account has the same powers as the built-in "Administrator" account.

* What happens when you boot the computer into Safe Mode? (You access the Safe Mode boot option in the same way you got to the "Last Known Good Configuration" boot option.)

* Open the Event Viewer utility in your Administrative Tools control panel and look through your System and Application logs for entries flagged with "Error" or "Warning". Double-clicking on such an entry will open a properties window with more detailed information on the error; post the details from a representative sample of some of the different error messages (please don't post duplicates or flood us with the entire logs).
To do so:
In the Properties window of a given entry, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard. You can then paste the details into your next post here.


Had System Restore been turned off (before that time) for some reason? Did you receive any messages/prompts to that effect when you first ran the utility?
- Honestly, I have no clue... I don't remember getting any prompts about it before I did it...


What happens when you boot the computer into Safe Mode?
- Pretty much the same as in normal, except for the whole every icon and whatnot being bigger than normal... still can't access internet or music (although I'm not sure I was able to in Safe Mode before either... are you even supposed to?)


That's all I'm able to answer now; I'll be back after I can do that other crap on my computer.


OK, I tried the whole task of finding errors and warnings, but didn't even get to the third step before my computer started hating me again... :(

Whenever I tried to open the Application or System folders I was prompted with "unable to complete the operation on ______. The interferance is unknown."

WTF does that mean? And why does my computer hate me right now????

Also, I undid the System Restore since it didn't seem to help any, and I was just wondering, could I do the "create restore point" option? And if so, how do I enter the correct time and date? Because really, if I could restore it to what it was at some time from Saturday, the 8th, it might help... if it can find whatever status it was in at that point....


Also, another question: if I were to re-install my Windows XP (assuming that I actually have the CD with me here ;) would that help? My guess is that, like with any other program, it would only install certain files or programs that were deleted or messed with... i.e. whatever got fucked up when I did all the sweeps and clean thingies.....

I don't know, I'm probably being ridiculous right now... tell me what you think, I need all the advice and suggestions I can get.


Well, replacing certain files and such (which ya just mentioned) is available, known more commonly as 'Repair'.

On the other hand, a fresh reinstall of XP would COMPLETELY wipe the hard drive, and everything on it.

NOTE: I intended this post to just be informative. If ya want more information on reformatting and such, just post back and we'll send ya more.

Thanks.


Well, do I have any other options? Dang, this is getting frustrating...

If I do the repair, I'm assuming my hard drive would remain the way it is... am I correct?

Otherwise, keep the suggestions coming.


1. You can't "force" a restore to a point in the past; if no restore snapshot already exists for a given date, there's no way to go back to that date. The "create restore point" option is only for creating a new snapshot at the time that you execute that option.

2. In terms of reinstalling Windows, XP does have a "repair installation" method, as jhay116 mentioned. Instructions and advice on the procedure can be found here. The Repair install will basically "refresh" your current Windows installation, replacing your existing operating system files with copies from the XP CD, but leaving your data and installed programs intact.

Before going that route though, you should run the System File Checker first, as it is a less "drastic" way to repair (at least some of) the possibly corrupt or missing core Windows components. A visual/graphical walkthrough of using the SFC tool can be found here.

3. In terms of the "unable to complete the operation..." error from Event Viewer, there are different causes (and fixes) for that category of errors, but given the state of your system right now I don't think it's a good idea to start randomly trying the different fixes. Try running SFC first and let us know the results.
