Hijack This Log Attached

Question

labber 0 Light Poster

17 Years Ago

I was advised from the Tech Talk Forum to post my "Hijack This" in this Forum. I've had quite a few viruses and trojans in my system. I've run Ad-Aware, NoAdware, Spybot, PCBug Doctor, Scan & Repair Utilities and I ran my AVG Virus scan several times. My system is still infected with "System32ssec.exe, and "Trojan horse Generic UGR".

I'm running Windows 2000 Pro. Have constant pop-ups and had to install Pop-Up Stopper Pro. I have Zone Alarm running and Webroot Spy Sweeper, but without the Pop-up Stopper Pro running, I have uncontrollable pop-ups.

The problems originally started with the Task Manager being disabled when hitting Alt+Ctrl+Delete. I then discovered that most of my Administrative Tools are missing. The only tools I have are Internet Services Manager, Personal Web Manager, and Server Extensions Administrator, and Sis Utility Tray. I need help cleaning up the viruses/trojans/spam and recovering the Administrative Tools files that are missing.

Here's the Hijack This:
Logfile of HijackThis v1.97.7
Scan saved at 1:30:21 AM, on 7/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\mqsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\thiselt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Linda Beres\Local Settings\Temp\wz502e\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20073&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20073&k=
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06D99B28-F33D-4E7F-AFE2-180BDE182540} - (no file)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {214B804F-7C16-4762-BE13-83ED51DFCFA5} - (no file)
O2 - BHO: (no name) - {2ADF7B9A-3C74-4C64-BBB5-1D1B062E2948} - (no file)
O2 - BHO: (no name) - {2D8ED8F1-7E54-44F1-A72F-DB798610CF7F} - (no file)
O2 - BHO: (no name) - {3052E7F9-685F-491B-9285-892D7657C8D5} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {32110540-5D44-4784-A6D5-E25C916F3CC1} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {385D17D9-B51D-D33B-695E-5C41DB1BCDBB} - (no file)
O2 - BHO: (no name) - {3D13C454-720F-4CEA-8BED-485B8FEFC401} - (no file)
O2 - BHO: (no name) - {3E0BD2B4-CD77-4173-980E-70CF86E92D35} - (no file)
O2 - BHO: (no name) - {420A7A1A-2B14-47A2-A84B-CD6630433B58} - (no file)
O2 - BHO: (no name) - {42C73763-6E85-480B-81AF-BC379CA5DB92} - \
O2 - BHO: (no name) - {52CD403A-4E70-455D-A93A-ACC877EB05AB} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {559727B9-61CA-42A1-8293-09F6A9FA91EF} - (no file)
O2 - BHO: (no name) - {59259AE4-C55E-4FA5-8687-E7D85CC76582} - (no file)
O2 - BHO: (no name) - {64E76C39-D2BA-47A5-B40B-EE4C883D583A} - (no file)
O2 - BHO: (no name) - {65585EF4-7D08-4A6A-A956-F7F2EDA2B6DE} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {732F0C99-F427-41D4-A741-B54F69404078} - (no file)
O2 - BHO: (no name) - {734A7701-E859-46B9-930A-FD8079B4B06C} - \
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {84FD810B-FA7D-4B09-8C38-06E9C685CF05} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {8C77204D-4C2B-4497-ABE0-8F7752CBF4D3} - \
O2 - BHO: (no name) - {958C2803-DAB8-4388-A43E-69442B1099B3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {9843AEA8-0C52-472E-89CA-96EA9384236B} - \
O2 - BHO: (no name) - {99C1D1C5-BFC9-43BD-998D-2E625F91645A} - (no file)
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB57.dll
O2 - BHO: (no name) - {A32E6C94-AD91-465C-900C-2B94E4EE9A53} - \
O2 - BHO: (no name) - {A51BF0F2-C65A-4C6F-BB66-7E4DFA532DDB} - (no file)
O2 - BHO: (no name) - {AF76883D-FB6C-4366-BF14-08C5E9D0ADC4} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {B4F14F3C-27A2-4920-BB9F-8752240D5032} - (no file)
O2 - BHO: (no name) - {B6053E7A-BE0A-4722-AB73-9599FCC77550} - \
O2 - BHO: (no name) - {C12925C5-B63A-45FE-BF65-D9E1D20C0C14} - (no file)
O2 - BHO: (no name) - {C6E467B4-FCF4-4407-8C3C-8C244FC49283} - (no file)
O2 - BHO: (no name) - {C82F2718-E958-4244-9735-57E8B18C1574} - \
O2 - BHO: (no name) - {DAA29E8C-370D-4F75-A152-E97AC2BC13A3} - (no file)
O2 - BHO: (no name) - {DFE7D27E-C021-4C72-80F3-254B776E0992} - C:\WINNT\system32\ubbv.dll
O2 - BHO: (no name) - {E57C8438-DFEA-46C8-A920-E25A4BA64B3C} - (no file)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O2 - BHO: (no name) - {EC1B360D-2B60-4011-BFAD-FAF5E31C25F9} - (no file)
O2 - BHO: (no name) - {FB112B9D-9CFC-41C0-A5F3-659DE8E138CD} - (no file)
O2 - BHO: (no name) - {FBC4ACF6-D539-485F-B64E-D4B2B4781FB9} - (no file)
O2 - BHO: (no name) - {FCD1E220-7EB4-4F88-93FD-472AE9573870} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {FE18E734-E17C-465B-A92A-629ED66F6BDB} - \
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB57.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141787050\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [w0fc46dd.dll] RUNDLL32.EXE w0fc46dd.dll,I2 000c8a6200fc46dd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [tSdURg2] "C:\WINNT\system32\fhsxc.exe"
O4 - HKLM\..\Run: [ftexc] C:\WINNT\system32\mptft.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [faxvie] C:\WINNT\system32\faxvie.exe
O4 - HKCU\..\Run: [wallp2.exe] C:\Documents and Settings\Linda Beres\Application Data\System Restore\wallp2.exe
O4 - HKCU\..\Run: [VSL13.exe] C:\WINNT\system32\VSL13.exe
O4 - HKCU\..\Run: [1201.exe] C:\Documents and Settings\Linda Beres\Application Data\System Restore\1201.exe
O4 - HKCU\..\Run: [VSL07.exe] C:\WINNT\system32\VSL07.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Reboot.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin8.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} (Malicious Software Removal Tool) - http://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/21bef264df00ae6ab906/netzip/RdxIE601.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Any help would be greatly appreciated. Thanks!

windows-virus

2 Contributors
17 Replies
473 Views
1 Month Discussion Span
Latest Post 17 Years Ago Latest Post by crunchie

All 17 Replies

crunchie 990 Most Valuable Poster

17 Years Ago

Can you please do the following.

===============

Download, then unzip to "C:\HJT", the newest version of HiJackThis; version 1.99.1. Then repost your log, either now, or after following the steps in the solution (if provided in this post). This version has features that might be more helpful in 'cleaning' up your system.
Make sure that you unzip it to a permanent folder.

===============

Scan with HiJackThis, then check(tick) the following, if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20073&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20073&k=

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: (no name) - {06D99B28-F33D-4E7F-AFE2-180BDE182540} - (no file)
O2 - BHO: (no name) - {214B804F-7C16-4762-BE13-83ED51DFCFA5} - (no file)
O2 - BHO: (no name) - {2ADF7B9A-3C74-4C64-BBB5-1D1B062E2948} - (no file)
O2 - BHO: (no name) - {2D8ED8F1-7E54-44F1-A72F-DB798610CF7F} - (no file)
O2 - BHO: (no name) - {3052E7F9-685F-491B-9285-892D7657C8D5} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {32110540-5D44-4784-A6D5-E25C916F3CC1} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {385D17D9-B51D-D33B-695E-5C41DB1BCDBB} - (no file)
O2 - BHO: (no name) - {3D13C454-720F-4CEA-8BED-485B8FEFC401} - (no file)
O2 - BHO: (no name) - {3E0BD2B4-CD77-4173-980E-70CF86E92D35} - (no file)
O2 - BHO: (no name) - {420A7A1A-2B14-47A2-A84B-CD6630433B58} - (no file)
O2 - BHO: (no name) - {42C73763-6E85-480B-81AF-BC379CA5DB92} - \
O2 - BHO: (no name) - {52CD403A-4E70-455D-A93A-ACC877EB05AB} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {559727B9-61CA-42A1-8293-09F6A9FA91EF} - (no file)
O2 - BHO: (no name) - {59259AE4-C55E-4FA5-8687-E7D85CC76582} - (no file)
O2 - BHO: (no name) - {64E76C39-D2BA-47A5-B40B-EE4C883D583A} - (no file)
O2 - BHO: (no name) - {65585EF4-7D08-4A6A-A956-F7F2EDA2B6DE} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {732F0C99-F427-41D4-A741-B54F69404078} - (no file)
O2 - BHO: (no name) - {734A7701-E859-46B9-930A-FD8079B4B06C} - \
O2 - BHO: (no name) - {84FD810B-FA7D-4B09-8C38-06E9C685CF05} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {8C77204D-4C2B-4497-ABE0-8F7752CBF4D3} - \
O2 - BHO: (no name) - {958C2803-DAB8-4388-A43E-69442B1099B3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {9843AEA8-0C52-472E-89CA-96EA9384236B} - \
O2 - BHO: (no name) - {99C1D1C5-BFC9-43BD-998D-2E625F91645A} - (no file)
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB57.dll
O2 - BHO: (no name) - {A32E6C94-AD91-465C-900C-2B94E4EE9A53} - \
O2 - BHO: (no name) - {A51BF0F2-C65A-4C6F-BB66-7E4DFA532DDB} - (no file)
O2 - BHO: (no name) - {AF76883D-FB6C-4366-BF14-08C5E9D0ADC4} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {B4F14F3C-27A2-4920-BB9F-8752240D5032} - (no file)
O2 - BHO: (no name) - {B6053E7A-BE0A-4722-AB73-9599FCC77550} - \
O2 - BHO: (no name) - {C12925C5-B63A-45FE-BF65-D9E1D20C0C14} - (no file)
O2 - BHO: (no name) - {C6E467B4-FCF4-4407-8C3C-8C244FC49283} - (no file)
O2 - BHO: (no name) - {C82F2718-E958-4244-9735-57E8B18C1574} - \
O2 - BHO: (no name) - {DAA29E8C-370D-4F75-A152-E97AC2BC13A3} - (no file)
O2 - BHO: (no name) - {DFE7D27E-C021-4C72-80F3-254B776E0992} - C:\WINNT\system32\ubbv.dll
O2 - BHO: (no name) - {E57C8438-DFEA-46C8-A920-E25A4BA64B3C} - (no file)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O2 - BHO: (no name) - {EC1B360D-2B60-4011-BFAD-FAF5E31C25F9} - (no file)
O2 - BHO: (no name) - {FB112B9D-9CFC-41C0-A5F3-659DE8E138CD} - (no file)
O2 - BHO: (no name) - {FBC4ACF6-D539-485F-B64E-D4B2B4781FB9} - (no file)
O2 - BHO: (no name) - {FCD1E220-7EB4-4F88-93FD-472AE9573870} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {FE18E734-E17C-465B-A92A-629ED66F6BDB} - \

O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\system32\WinNB57.dll

O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com

O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/21bef264...p/RdxIE601.cab

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINNT\system32\WinNB57.dll
C:\WINNT\system32\ubbv.dll

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files:

Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:

1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.

-

Note: Remember to regularly check for updates.

===============

Please download and install ewido anti-spyware tool

Close all other Applications Select language click Ok
Click I Agree
Click next
Click Install
Click Finish
Wait and Ewido will open to the main screen automatically.
Wait again a few minutes and Ewido Should Auto update itself. If it doesn't click update at top of screen.
This in very important to get updates
When updating has finished. Close Ewido.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear use arrow up to highlight
Select the first option, to run Windows in Safe Mode hit enter.
For additional help in booting into Safe Mode, see the following site: HERE
You MUST manage to get into Safe Mode for the fix to work.

Make sure to close all open windows/programs/folders. Have nothing else open while ewido performs its scan!

Open Ewido
Click on scanner top of Ewido sceen
Click on Settings
Under How to Act click on Recommended Action choose Quarantine
Under How to scan all boxes should be selected
Under Possibly unwanted software all boxes should be selected
On right side under Reports: click on Automatically generate report after every scan.
Under What to scan select scan every file
Click On scan Tab
Click on Complete system scan
Let the program scan the machine It can take awhile give it time.
When scan has finished At bottom of screen click Apply all Actions
Click Save report
Click Save Report as (Save as window's screen should pop up.)
Click desktop
Click Save
Exit ewido

Reboot back to normal mode

After rebooting, rescan with hijackthis and post back a new log. Please post the Ewido log also.

crunchie 990 Most Valuable Poster

17 Years Ago

I think we need to get rid of all the malware on your PC before we try to rectify that problem :). You are still badly infected as the steps I asked you to do were preliminary.
Please do all that I asked and post the logs please.

crunchie 990 Most Valuable Poster

17 Years Ago

Can you please do the following.

-

Please go to Jotti's and have this file scanned. Post the results back here.

C:\WINNT\system32\ubbv.dll

===============

Before we begin, let's move HiJackThis to it's own folder; like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders which, with HiJackThis in it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

Also move the "Backups" folder, for HiJackThis, if present.

===============

Scan with HiJackThis, then check(tick) the following, if present:

O2 - BHO: (no name) - {09F0C717-6ACF-44CC-87A3-856898069F75} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {3E12C92F-5204-4EFD-A1CA-BB811E0D2E55} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {40F3C07B-A69D-42C9-943E-F44B51027D6C} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {47F55CFE-3E3B-426C-9CE9-4ADD348029D3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {6F8736C8-70CE-4620-81CA-21AAAA56D67E} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {8385FDDC-3FBD-409A-AD71-6B3BA622F373} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {917634C0-5CDD-4CB6-A78A-A2647B3EE871} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {943C98C0-3587-4194-B368-4C32B01DB701} - \
O2 - BHO: (no name) - {C4B91D3F-0962-4B62-B536-AC2EB25F7F81} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {CD65EC13-9212-4200-B99F-80F3963EF3C2} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {DDF9195D-3372-4C40-A24E-AE17863E73B1} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {EAAF6E3A-15D6-4FA5-B610-A09944A940FF} - C:\Program Files\Accessories\horejoruj.dll (file missing)

O4 - HKLM\..\Run: [w0fc46dd.dll] RUNDLL32.EXE w0fc46dd.dll,I2 000c8a6200fc46dd
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKCU\..\Run: [faxvie] C:\WINNT\system32\faxvie.exe
O4 - HKCU\..\Run: [wallp2.exe] C:\Documents and Settings\Linda Beres\Application Data\System Restore\wallp2.exe
O4 - HKCU\..\Run: [VSL13.exe] C:\WINNT\system32\VSL13.exe
O4 - HKCU\..\Run: [1201.exe] C:\Documents and Settings\Linda Beres\Application Data\System Restore\1201.exe

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINNT\system32\faxvie.exe
C:\Documents and Settings\Linda Beres\Application Data\System Restore\wallp2.exe
C:\WINNT\system32\VSL13.exe
C:\Documents and Settings\Linda Beres\Application Data\System Restore\1201.exe

Search for...

w0fc46dd.dll

...using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear use arrow up to highlight

Select the first option, to run Windows in Safe Mode hit enter.

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

crunchie 990 Most Valuable Poster

17 Years Ago

Doesn't sound good. You may have to get your hands on another PSU and try it.

crunchie 990 Most Valuable Poster

17 Years Ago

They certainly can cause crashes etc., but if the fan is not turning on your psu, I would have to suspect that first :).

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

labber 0 Light Poster · Answer 1 · 2006-08-03T11:08:19+00:00

Thank you for all your help, but do you or anyone know how I can restore the "Administrative Tools" files that were deleted by the viruses/trojans I had? I'm running Win2000 Pro SP4, but my Win2000 CD is SP2...so when I tried to repair, it will not let me do it because I now have SP4 running on my system and the the Win2000 CD is SP2???? Thanks!

labber 0 Light Poster · Answer 2 · 2006-08-04T01:22:12+00:00

Will do as you asked and thank you for your help. I will work on my system in the next several days :)

labber 0 Light Poster · Answer 3 · 2006-08-11T09:55:31+00:00

Here's the results of HijackThis and also Ewido Scan Report. Your help is so appreciated. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 10:49:44 PM, on 8/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\system32\khooker.exe
C:\Program Files\Common Files\AOL\1141787050\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Linda Beres\Local Settings\Temp\wz1a89\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09F0C717-6ACF-44CC-87A3-856898069F75} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {3E12C92F-5204-4EFD-A1CA-BB811E0D2E55} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {40F3C07B-A69D-42C9-943E-F44B51027D6C} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {47F55CFE-3E3B-426C-9CE9-4ADD348029D3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {6F8736C8-70CE-4620-81CA-21AAAA56D67E} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8385FDDC-3FBD-409A-AD71-6B3BA622F373} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {917634C0-5CDD-4CB6-A78A-A2647B3EE871} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {943C98C0-3587-4194-B368-4C32B01DB701} - \
O2 - BHO: (no name) - {C4B91D3F-0962-4B62-B536-AC2EB25F7F81} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {CD65EC13-9212-4200-B99F-80F3963EF3C2} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {DDF9195D-3372-4C40-A24E-AE17863E73B1} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {EAAF6E3A-15D6-4FA5-B610-A09944A940FF} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141787050\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [w0fc46dd.dll] RUNDLL32.EXE w0fc46dd.dll,I2 000c8a6200fc46dd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [faxvie] C:\WINNT\system32\faxvie.exe
O4 - HKCU\..\Run: [wallp2.exe] C:\Documents and Settings\Linda Beres\Application Data\System Restore\wallp2.exe
O4 - HKCU\..\Run: [VSL13.exe] C:\WINNT\system32\VSL13.exe
O4 - HKCU\..\Run: [1201.exe] C:\Documents and Settings\Linda Beres\Application Data\System Restore\1201.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT2Net.lnk = C:\Program Files\BT2Net\bt2net.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin8.dll
O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL
O18 - Filter: text/html - {F8D76886-FA88-4DF6-8FBD-C02CF8C91C94} - C:\WINNT\system32\ubbv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:37:10 PM 8/10/2006

+ Scan result:

C:\WINNT\Downloaded Program Files\APInstall_Tiny.dll -> Adware.AccessMedia : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\CONFLICT.1\APInstall_Tiny.dll -> Adware.AccessMedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Local Settings\Temp\mitA.tmp.cab/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Local Settings\Temp\mitA.tmp/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Program Files\Accessories\horejoruj.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\UERS_0001_N82M1105NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\CONFLICT.1\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\CONFLICT.2\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\CONFLICT.3\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\CONFLICT.4\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\CONFLICT.5\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINNT\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda [email]beres@247realmedia[1].txt[/email] -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda [email]beres@2o7[1].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda [email]beres@2o7[2].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda [email]beres@2o7[3].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda [email]beres@2o7[6].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda [email]beres@rotator.adjuggler[1].txt[/email] -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda [email]beres@advertising[2].txt[/email] -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda [email]beres@mediaplex[2].txt[/email] -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda [email]beres@www.myaffiliateprogram[2].txt[/email] -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda [email]beres@ads.pointroll[2].txt[/email] -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda [email]beres@questionmarket[2].txt[/email] -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda [email]beres@anad.tacoda[1].txt[/email] -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda [email]beres@trafficmp[1].txt[/email] -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
C:\Documents and Settings\Linda Beres\Cookies\linda [email]beres@ad.yieldmanager[1].txt[/email] -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).

::Report end

labber 0 Light Poster · Answer 4 · 2006-08-13T23:52:07+00:00

well I'm unable to do anything now.....the comp boots up and then shuts down completely by itself. It actually powers down (turns off) and then I can't turn it back on for several minutes. I did have the power supply replaced several months ago. I opened up the comp and it looks like the fan on the power supply may not be running???

labber 0 Light Poster · Answer 5 · 2006-08-14T21:50:56+00:00

so you don't think any virus or spyware would physically turn off the computer? I think it does have something to do with the PSU. Thanks!

labber 0 Light Poster · Answer 6 · 2006-08-22T11:31:18+00:00

Well I needed a new power supply. Here's the results of everything you advised. ( Now how do I restore the Administrative Tools missing?)
Results of Jottis and HijackThis:

Online Malware scanJottis Malwarescan 2.99-TRANSITION_TO_3.00-R1 

      Datei, die hochgeladen und gescannt werden soll:         
      Dienst 
      Auslastung: 0%     100% 

      Status: Bitte warten...
      Powered by 

      Disclaimer 
      Durch das Hochladen von Dateien auf diesen Server stimmen Sie zu, dass 
      ihre Dateien lokal gespeichert werden. 

      Ferner: Dieser Dienst ist keineswegs hundertprozentig sicher. Falls der 
      Scanner ein 'OK' gibt, bedeutet das nicht notwendigerweise, dass die Datei 
      sauber ist. Es könnte ein völlig neuer Virus auf freiem Fuß sein! 
      Verlassen Sie sich niemals auf ein einzelnes Produkt alleine, selbst auf 
      diesen Dienst nicht, obwohl er mehrere Produkte einsetzt. Für Schäden, die 
      durch diesen nichtkommerziellen Online-Dienst verursacht wurden, bin ich 
      daher nicht verantwortlich, noch kann ich dafür verantwortlich gemacht 
      werden. 

      Ich bin mir auch über die Folgen einer Einrichtung wie dieser im klaren. 
      Ich bin mir sicher, dass diese ganze Geschichte keinesfalls 
      wissenschaftlich korrekt ist, da dies ein vollautomatischer Dienst ist 
      (obwohl eine manuelle Korrektur möglich ist). Ich bin mir zum Beispiel 
      bewußt, dass "False Positives" (ein Fehlalarm, bei dem eine saubere Datei 
      irrtümlich als Virus detektiert wird) auftreten könnten, trotz der 
      Anstrengungen, diesen proaktiv zu begegnen. Ich halte das nicht für eine 
      große Sache, also schicken Sie mir bitte keine Emails über solche 
      Vorkommnisse. Dies ist ein einfacher Onlinescanner, und nicht die 
      Universität von Magdeburg. 

      Die Virensignaturen werden jede Stunde aktualisiert. Das Dateigrößenlimit 
      beträgt 15 MB pro Datei.
      DIE MISSBRÄUCHLICHE NUTZUNG DIESES DIENSTES (EINSCHLIESSLICH DES 
      HOCHLADENS ABSICHTLICH MODIFIZIERTER 
      -GEPACKTER/VERSCHLÜSSELTER/BYTESWAPPED- VERSIONEN DER GLEICHEN DATEI) HAT 
      ZUR FOLGE, DASS IHRE IP GESPERRT WIRD. 

      Bitte fordern Sie keine dieser Viren an, wenn Sie nicht für Hersteller von 
      Anti-Viren-Software arbeiten. Viren sind nicht zum Tauschen da. 

      Das Scannen kann eine Weile dauern, da mehrere Scanner benutzt werden. 
      Zudem nutzen einige Scanner eine sehr hohe Heuristikstufe (was 
      zeitaufwendig ist). Die benutzten Scanner sind Linuxversionen, und es 
      können sich (oder auch nicht) Unterschiede zu Windowsscannern ergeben. 
      Noch eine Anmerkung: manche Scanner detektieren nur einen Virus, wenn 
      Archive mit mehreren Malwaredateien gescannt werden. 

      Gefördert durch Spenden (in willkürlicher Reihenfolge) von: Stormbyte 
      Technologies LLC, The ClamAV project, James Love, Gideon Pertzov, Malcolm 
      Murray, Nigel Thomas, Wendy Dickerson, Anthony Midmore, "ethereal", Mark 
      Rubins, Steve S., Eric Johansen, Eric Schechter, Paul Bokel, Wilders 
      Security, Wilfried Lilie, Prevx, SonicWALL, Lance Mueller, Ewido networks, 
      und einigen Leuten, die es vorziehen, anonym zu bleiben... Vielen Dank an 
      alle! 

      Statistik 
      Zuletzt gefundene Malware war SearchBar.dll, gefunden von:

            Scanner Name der Malware 
            AntiVir Adware-Spyware/Eztrack.C adware 
            ArcaVir X 
            Avast Win32:Spyware-gen. 
            AVG Antivirus Generic.KDL 
            BitDefender X 
            ClamAV X 
            Dr.Web Adware.Softomate 
            F-Prot Antivirus X 
            Fortinet X 
            Kaspersky Anti-Virus not-a-virus:AdWare.Win32.Eztracks.b 
            NOD32 X 
            Norman Virus Control X 
            UNA Adware.Eztracks 
            VirusBuster X 
            VBA32 X 


      Es steht Ihnen frei, diese automatisch generierten, ungültigen Statistiken 
      (falsch) zu interpretieren. Für Vergleichstests von Anti-Viren Software, 
      besuchen Sie AV comparatives. 



Häufig gestellte Fragen (FAQ) - Feedback/Kommentare/Fragen/Fehlalarme (bitte 
ausschließlich auf Englisch)



Logfile of HijackThis v1.99.1
Scan saved at 11:53:31 PM, on 8/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\khooker.exe
C:\Program Files\Common Files\AOL\1141787050\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\mqsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Linda Beres\Local Settings\Temp\wzcbb1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.yahoo.com/[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.meloco.com/index.php?i=sm[/url]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {3895E11E-CE70-4177-8748-744999544856} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {3B24C46B-5E6A-49D6-97C7-82CF8AF7A244} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {40A30527-56E4-4187-A60A-6E64FBC3A660} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {4FC26B6B-9FE8-4FFB-85E6-A3C44D65AA2D} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {54B3101D-8128-4FA3-8C78-5FBE8C68C0E3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {621C0B59-885F-44CB-B663-96815DBF6722} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {75BBAF6C-83D3-4DCC-BE70-8C57A0100C14} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7B6E631B-CE92-4353-BA92-74F8C65D49D2} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {A3778469-65F2-4512-8C27-5EB8882174B5} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {AF22A86B-58C7-48EC-8B10-28C5B59862FE} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {C5912007-7F7D-4C63-89E9-8AE32A2B9DF3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {C9E1BFED-F228-460A-9398-6532325FD4A7} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {D170BD9E-5D5B-4DDA-A869-F9B25AFB3710} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {D24E9E89-EB57-45E4-B971-93303F1A16FD} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {D531A7CE-A0D5-43AD-88C3-80264EA73B8C} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141787050\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin8.dll
O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - [url]http://www.sis.com/download/SISTransfer.cab[/url]
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - [url]http://download.movienetworks.com/install/US/altpmtscab.cab[/url]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - [url]http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab[/url]
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - [url]http://www.nick.com/common/groove/gx/GrooveAX27.cab[/url]
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - [url]http://206.222.26.90/images/PopupSh.ocx[/url]
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL (file missing)
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL
O18 - Filter: text/html - {F8D76886-FA88-4DF6-8FBD-C02CF8C91C94} - C:\WINNT\system32\ubbv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 7 · 2006-08-22T15:28:34+00:00

Please disable Ewido before going on with the following. Open Task Manager to make certain it has stopped.

Can you please do the following.

===============

You are still running hijackthis from a temp folder. so let's move HiJackThis to it's own folder; like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders which, with HiJackThis in it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

Also move the "Backups" folder, for HiJackThis, if present.

===============

Scan with HijackThis and then place a check next to all the following, if present:

O2 - BHO: (no name) - {3895E11E-CE70-4177-8748-744999544856} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {3B24C46B-5E6A-49D6-97C7-82CF8AF7A244} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {40A30527-56E4-4187-A60A-6E64FBC3A660} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {4FC26B6B-9FE8-4FFB-85E6-A3C44D65AA2D} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {54B3101D-8128-4FA3-8C78-5FBE8C68C0E3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {621C0B59-885F-44CB-B663-96815DBF6722} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {75BBAF6C-83D3-4DCC-BE70-8C57A0100C14} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {7B6E631B-CE92-4353-BA92-74F8C65D49D2} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {A3778469-65F2-4512-8C27-5EB8882174B5} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {AF22A86B-58C7-48EC-8B10-28C5B59862FE} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {C5912007-7F7D-4C63-89E9-8AE32A2B9DF3} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {C9E1BFED-F228-460A-9398-6532325FD4A7} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {D170BD9E-5D5B-4DDA-A869-F9B25AFB3710} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {D24E9E89-EB57-45E4-B971-93303F1A16FD} - C:\Program Files\Accessories\horejoruj.dll (file missing)
O2 - BHO: (no name) - {D531A7CE-A0D5-43AD-88C3-80264EA73B8C} - C:\Program Files\Accessories\horejoruj.dll (file missing)

O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL (file missing)
O18 - Filter: text/html - {F8D76886-FA88-4DF6-8FBD-C02CF8C91C94} - C:\WINNT\system32\ubbv.dll

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINNT\system32\ubbv.dll

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode hit enter.

-

Reboot.

===============

Download VirtumundoBeGone by secured2k

Save the file to your desktop
Close all running programs (including your Internet Browser)
Double-click VirtumundoBeGone.exe on the desktop
Read the introductory information, and then click Continue
Click Start
When asked if you want to continue, click Yes to run the fix
Click "Save Log"

==

Please post that log and a log from Hijackthis.

labber 0 Light Poster · Answer 8 · 2006-08-23T07:19:41+00:00

Here's the logs for VirtumundoBeGone and HijackThis.

[08/22/2006, 20:14:02] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Linda Beres\Desktop\VirtumundoBeGone.exe" )
[08/22/2006, 20:14:04] - Detected System Information:
[08/22/2006, 20:14:04] - Windows Version: 5.0.2195, Service Pack 4
[08/22/2006, 20:14:04] - Current Username: Linda Beres (Admin)
[08/22/2006, 20:14:04] - Windows is in NORMAL mode.
[08/22/2006, 20:14:04] - Searching for Browser Helper Objects:
[08/22/2006, 20:14:04] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[08/22/2006, 20:14:04] - BHO 2: {0CF0B8EE-6596-11D5-A98E-0003470BB48E} (CCHelper Class)
[08/22/2006, 20:14:04] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/22/2006, 20:14:04] - Finished Searching Browser Helper Objects
[08/22/2006, 20:14:04] - Finishing up...
[08/22/2006, 20:14:04] - Nothing found! Exiting...

Logfile of HijackThis v1.99.1
Scan saved at 8:17:18 PM, on 8/22/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\khooker.exe
C:\Program Files\Common Files\AOL\1141787050\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\mqsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Linda Beres\Local Settings\Temp\wz46f9\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141787050\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin8.dll
O12 - Plugin for .m4v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90/images/PopupSh.ocx
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 9 · 2006-08-23T15:56:23+00:00

Try this please.

Right-click the Start button, and then click Properties. On the Start Menu tab, click Customize. On the Advanced tab, under Start menu items, click System Administrative Tools. Click to select either the Display on the All Programs menu or the Display on the All Programs menu and the Start menu option. Click OK , and OK again to save the change.

If that does not work and if you have your installation disc available, put the CD in the drive then go to Start|Run and type in sfc /scannow and hit ok. This will replace any corrupt files.

labber 0 Light Poster · Answer 10 · 2006-08-24T06:14:05+00:00

When I right click the Start button there is no Properties selection???
I tried your 2nd option by inserting my installation CD and click start/run and typed in sfc/scannow and i get the following error: Cannot find the file sfc/scannow (or one of its components). Make sure the path and filename are correct and that all required libraries are available.

Now what do you think? Thanks!!!

labber 0 Light Poster · Answer 11 · 2006-08-29T23:18:30+00:00

I'm not sure if you saw my latest post from about a week ago, but here it is again. Any help you can give is always appreciated. I did get a suggestion to do a Slip Stream to restore any corrupt files, but I was hoping there was an easier solution. Any suggestions?

When I right click the Start button there is no Properties selection???
I tried your 2nd option by inserting my installation CD and click start/run and typed in sfc/scannow and i get the following error: Cannot find the file sfc/scannow (or one of its components). Make sure the path and filename are correct and that all required libraries are available.

Now what do you think? Thanks!!!

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 12 · 2006-08-30T15:48:23+00:00

Did you include the space before the switch? Like this; sfc /scannow not this; sfc/scannow how you showed it above.

Hijack This Log Attached

Recommended Answers Collapse Answers

All 17 Replies

Recommended Answers