
Hi, I saw how you helped someone else in the forums and it seems like you'd be able to help me too!!

I downloaded Spybot and Ad-Aware and I have Norton and ran them all, but they can't get rid of my computer problems! First it started off with just annoying pop-ups, then it got worse. The first thing that went wrong was my Windows Media Player stopped working. I'd click to open it up, and it just wouldn't open. Now my Adobe Photoshop doesn't work. It goes through its startup process, then as it's about to open, it just crashes. I've even tried uninstalling/reinstalling twice. However, when I reinstall WMP, it works for a while before it stops.

So, I did the Trend Micro scan like you suggested to the other person you helped in the forums, and it came up with this:

(Oh, also, I have Norton Anti-Virus and it didn't detect or remove these. And I've also run Norton and Ad-Aware and Spybot in Safe Mode, and that didn't get rid of the problem either)

JS INOR.M
CHM Psyme.Y
JS IESTART.PS
TROJ REVOP.A
TROJ ISTBAR.DW
TROJ BRISS.H (This appears twice after the scan)
TROJ SMALL.GO
BKDR SANDBOX.A
TROJ STILEN.A (This appears twice after the scan)

Do I have to buy the Trend software to get rid of these, or can you help me? Or can anyone on this forum help? I'd *greatly* appreciate any help!!!

Thanks for reading,
SH


Oh, sorry, forgot something else it does too. When I try to reboot, it says that the cmd prompt is running and it won't restart unless I close the program. Most of the time it won't let me close the cmd prompt (even though it's not visible) and I just have to manually hit the restart button.

And before Adobe crashed it was randomly changing the icons for the photoshop files I had on my desktop, and as of right now, I can't even click on my desktop until I restart my computer. It's like there is a wall preventing me from clicking on my desktop :(.

Sorry for the extra post, just remembered those few things!

SH


Go here for an on-line scan & set it to autoclean for you. Make SURE that you set it to clean.

Download HijackThis from here & unzip it into its own, permanent folder (not a temporary folder & not on the desktop). Start HJT & press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is harmless & even necessary to the running of your system.


I did the scan you linked to again, and it only came up with 9 viruses this time, but they were all non-cleanable or could not be accessed.

Here are the results of the HijackThis scan, I didn't delete anything like you said:

Logfile of HijackThis v1.97.7
Scan saved at 10:11:48 PM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN\MSNIA\dslmon.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\temp\9R.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\BRD\Application Data\ahso.exe
C:\WINDOWS\System32\wapisvsu.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Hijack This\HijackThis.exe


I just downloaded and installed Zone Alert Firewall and did the free scan. Here is what it came up with:

found the following tracking cookies on your computer.

2o7 - 3rd Party Cookie

URL - Cookie:brd@2o7.net/

Ad-logics - 3rd Party Cookie

URL - Cookie:brd@ad-logics.com/

Addfreestats - 3rd Party Cookie

URL - Cookie:brd@www2.addfreestats.com/cgi-bin

Adserver - 3rd Party Cookie

URL - Cookie:brd@z1.adserver.com/

Advertising - 3rd Party Cookie

URL - Cookie:brd@servedby.advertising.com/

URL - Cookie:brd@advertising.com/

Atdmt - 3rd Party Cookie

URL - Cookie:brd@atdmt.com/

Bluestreak - 3rd Party Cookie

URL - Cookie:brd@bluestreak.com/

Bravenet - 3rd Party Cookie

URL - Cookie:brd@mercury.bravenet.com/rover/

Com - 3rd Party Cookie

URL - Cookie:brd@com.com/

URL - Cookie:brd@msn-cnet.com.com/

URL - Cookie:brd@download.com.com/

Doubleclick - 3rd Party Cookie

URL - Cookie:brd@doubleclick.net/

Edge - 3rd Party Cookie

URL - Cookie:brd@edge.ru4.com/

Euniverseads - 3rd Party Cookie

URL - Cookie:brd@euniverseads.com/

Exitfuel - 3rd Party Cookie

URL - Cookie:brd@exitfuel.com/

Geocities - 3rd Party Cookie

URL - Cookie:brd@geocities.com/

Gorillanation - 3rd Party Cookie

URL - Cookie:brd@ads.gorillanation.com/

Hitbox - 3rd Party Cookie

URL - Cookie:brd@ehg-gigex.hitbox.com/

URL - Cookie:brd@hitbox.com/

Maxserving - 3rd Party Cookie

URL - Cookie:brd@maxserving.com/

Overture - 3rd Party Cookie

URL - Cookie:brd@perf.overture.com/

Questionmarket - 3rd Party Cookie

URL - Cookie:brd@questionmarket.com/

Qksrv - 3rd Party Cookie

URL - Cookie:brd@qksrv.net/

Realmedia - 3rd Party Cookie

URL - Cookie:brd@realmedia.com/

Revenue - 3rd Party Cookie

URL - Cookie:brd@revenue.net/

Serving-sys - 3rd Party Cookie

URL - Cookie:brd@serving-sys.com/

URL - Cookie:brd@bs.serving-sys.com/

Statcounter - 3rd Party Cookie

URL - Cookie:brd@statcounter.com/

Trafficmp - 3rd Party Cookie

URL - Cookie:brd@trafficmp.com/

URL - Cookie:brd@ad.trafficmp.com/tmpad

Zedo - 3rd Party Cookie

That is only half the log. Under what you have here there should also be entries that include R1, R0, O1, O2, O3, O4, etc.

Do this first though:
Reboot into safe mode following the instructions here & navigate to & delete

C:\windows\temp< entire contents of folder
C:\WINDOWS\system32\pcs< folder
C:\Program Files\Common Files\Dpi< folder
C:\Documents and Settings\BRD\Application Data\ahso.exe< file
C:\WINDOWS\System32\wapisvsu.exe< file

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Reboot normally after doing the above then post a fresh log please. Please make sure it has the entire log. Check other threads here if you are unsure what it should look like.


Sorry about that! I removed what you said and did the scan again, here is all of it this time :rolleyes: Stupid me!!!

Logfile of HijackThis v1.97.7
Scan saved at 11:50:04 PM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN\MSNIA\dslmon.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
F:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [9R] C:\windows\temp\9R.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\BRD\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKCU\..\Run: [Eitt] C:\Documents and Settings\BRD\Application Data\ahso.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07a3224205185c5ce406/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7328819444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks again SO MUCH for your help!!!!!


Aha. You have a CWS infection too. More downloading to do. You may want to print this out. Sorry it's quite a bit, but you have a few problems there.
--------------------------------------------------------------------------
Download CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch in its database. Close ALL windows, including IE, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.
--------------------------------------------------------------------------
R3 fix.
Launch Notepad, and copy/paste the bold below into a new text file. Save it as URLRepair.reg (Change the 'Save As Type' to 'All Files'). Save it in C:\ (or on the desktop)

REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Locate it (in C:\) and double-click on it (launch it). You'll receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer yes and wait for a message to appear similar to "Merged Successfully".
--------------------------------------------------------------------------
Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe

Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.

Copy and paste the following text into the address bar, then hit 'Go':
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

In the pane on the right are the values associated with that key.
We want to remove these>
{4FC95EDD-4796-4966-9049-29649C80111D}_ {5D60FF48-95BE-4956-B4C6-6BB168A70310}_
Notice the underscore at the end.

Right click on each, (not sure if you can do them as one, or if you need to do it one at a time) and select delete.
If you get a confirmation question, respond OK then close out of the program.
--------------------------------------------------------------------------
Once done Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' : (Very important that no other windows are open or they will NOT get fixed)

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll (file missing)
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

O4 - HKLM\..\Run: [9R] C:\windows\temp\9R.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\BRD\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Eitt] C:\Documents and Settings\BRD\Application Data\ahso.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07a3224...ip/RdxIE601.cab

Reboot into safe mode following the instructions here & navigate to & delete

C:\Program Files\TV Media< folder
C:\PROGRA~1\Lycos< folder
C:\PROGRA~1\INCRED~1< folder
C:\DOCUME~1\BRD\LOCALS~1\Temp< entire contents of this folder
C:\WINDOWS\system32\pcs< folder
C:\Program Files\Common Files\Dpi< folder
C:\Program Files\LiveUpdate< folder

C:\WINDOWS\alchem.exe< file
C:\Documents and Settings\BRD\Application Data\ahso.exe< file
C:\WINDOWS\System32\wapisvsu.exe< file

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Be certain to follow these instructions exactly. If you're not sure, get back here.

Reboot normally after doing the above then post a fresh log plz.

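The fix list above is the kind of judgement a helper makes by eye. As an added example (not code from this thread or from the HijackThis author), here is a small Python triage pass over a HJT 1.97-style log that flags the same sorts of entries: start/search pages on hosts outside a trusted allowlist, CLSIDs with a stray underscore or a missing file, and executables autostarting from temp or user-writable directories. The allowlist and the directory patterns are this example's own assumptions; the sample lines are copied from the poster's log, and the name list is taken from the entries fixed in this thread.

```python
"""Added example: triage a HijackThis 1.97-style log and list the entries a
helper would look at first. The heuristics are this example's own, not
HijackThis logic; the sample lines are copied from the log in this thread."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the R/O lines from the poster's full log.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\\Program Files\\TV Media\\TvmBho.dll
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\\Program Files\\Kontiki\\bin\\bh309190.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [9R] C:\\windows\\temp\\9R.exe
O4 - HKLM\\..\\Run: [SAHBundle] C:\\DOCUME~1\\BRD\\LOCALS~1\\Temp\\bundle.exe
O4 - HKCU\\..\\Run: [Eitt] C:\\Documents and Settings\\BRD\\Application Data\\ahso.exe
"""

# Hosts a home IE start/search page is allowed to point at (assumed allowlist).
TRUSTED_HOSTS = ("msn.com", "microsoft.com", "google.com")

# Locations from which nothing legitimate should autostart (assumption).
USER_WRITABLE_RE = re.compile(
    r"\\temp\\|\\application data\\|\\temporary internet files\\|\\downloaded program files\\",
    re.IGNORECASE)

# Names lifted from the entries the helper in this thread told the poster to fix.
KNOWN_ADWARE_MARKERS = ("tv media", "twaintec", "alchem", "incred~1",
                        "lycos\\ieagent", "2_0_1browserhelper", "kontiki")

# A CLSID with an underscore glued to either end, as in the R3 lines above.
MANGLED_CLSID_RE = re.compile(r"_\{[0-9A-F-]{36}\}|\{[0-9A-F-]{36}\}_", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


def host_is_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def triage(log_text):
    """Return [(entry_type, reason, line)] for every entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        lowered = body.lower()
        reasons = []
        if kind in ("R0", "R1"):
            url = body.split(" = ", 1)[-1].strip()
            if not host_is_trusted(url):
                reasons.append("start/search page points at an untrusted host")
        if kind in ("R3", "O2", "O3"):
            if MANGLED_CLSID_RE.search(body):
                reasons.append("CLSID has a stray underscore (HJT cannot fix it cleanly)")
            if "(no file)" in body or "(file missing)" in body:
                reasons.append("handler registered but its file is gone")
        if kind in ("R3", "O2", "O3", "O4"):
            if USER_WRITABLE_RE.search(body):
                reasons.append("loaded from a temp or user-writable directory")
            if any(marker in lowered for marker in KNOWN_ADWARE_MARKERS):
                reasons.append("matches a name from this thread's cleanup list")
        for reason in reasons:
            findings.append((kind, reason, line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {line}")
```

Run it and every flagged line prints with its reason. The entries it leaves alone (the NVIDIA and Acrobat ones) are the "harmless & even necessary" kind. Adware installed under Program Files, like TV Media, is only caught through the name list, so a log still needs a human reading it.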

I ran virus scan again from that link you gave me, and I'm posting the name and path here for you. The information you gave me above may fix these, but I just wanted to make sure:

TROJ REVOP.A C:/Documents and settings/BRD/Local settings/Temporary Internet Files/content.IE5/PR7BLHWE/bdl14025(1).exe

TROJ ISTBAR.DW C:/Windows/Downloaded Program Files/ISTactivex.dll

TROJ REVOP.A C:/Windows/System32/0021-bdl94126.EXE

TROJ BRISS.H C:/Windows/System32/a.exe

TROJ BRISS.H C:/Windows/System32/bridge.dll

TROJ SMALL.GO C:/Windows/System32/CS4P028.exe

BKDR SANDBOX.A C:/Windows/System32/Lkyqfy.exe

TROJ STILEN.A C:/Windows/System32/silent.exe

These were all NonCleanable by the scan. I'll get right on fixing those other things!!!


R3 fix.
Launch Notepad, and copy/paste the bold below into a new text file. Save it as URLRepair.reg (Change the 'Save As Type' to 'All Files'). Save it in C:\ (or on the desktop)

REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Locate it (in C:\) and double-click on it (launch it). You'll receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer yes and wait for a message to appear similar to "Merged Successfully".

I must be doing something wrong on this part, because I can't get it to ask me the Merge question. I created the Text Document, copied everything above into it, then clicked save as All files. When I clicked save as All Files, it asked me if I wanted to replace the existing one, so I said yes. However, when I moved the URLRepair.reg file to C:\ and opened it, nothing happened. It just opened like any other text document file.
I didn't want to do anything below this, I wasn't sure if all these needed to be done in this specific order. :( So, that's where I am...I made the file, copied the info, opened it, and nothing happened, didn't ask me to merge. What did I do wrong?

SH

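On the .reg step: a common reason a double-clicked .reg file "just opens like a text document" is that Notepad saved it as URLRepair.reg.txt (the 'Save as type' box was still Text Documents, and with 'Hide extensions for known file types' on, Explorer shows it as URLRepair.reg). Whether that is what happened here is an assumption. The added Python example below, which is not part of the thread, parses the REGEDIT4 file dictated above into the operations regedit will carry out and checks the file name, so the effect of the merge is clear before anything is touched.

```python
"""Added example: check a REGEDIT4 .reg file before merging it. Shows what the
URLRepair.reg from this thread will do, and catches the usual reason a .reg
file "just opens in Notepad": it was saved as URLRepair.reg.txt. Not part of
the original post."""
import re

# The file exactly as dictated in the thread.
URLREPAIR_REG = """REGEDIT4
[-HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks]
[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
"""

KEY_RE = re.compile(r"^\[(-?)([A-Z_]+\\.*)\]$")   # [KEY] creates, [-KEY] deletes
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')         # "name"=data under the current key


def parse_reg(text):
    """Return the list of operations regedit will perform, in order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing REGEDIT4 / Version 5.00 header; regedit will refuse it")
    ops, current_key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            minus, key = km.groups()
            if minus:
                ops.append(("delete_key", key))     # removes the key and all its subkeys/values
                current_key = None
            else:
                ops.append(("create_key", key))     # creates it (or opens it if present)
                current_key = key
            continue
        vm = VALUE_RE.match(line)
        if vm and current_key:
            name, data = vm.groups()
            if data == "-":
                ops.append(("delete_value", current_key, name))
            elif data.startswith('"') and data.endswith('"'):
                ops.append(("set_string", current_key, name, data[1:-1]))
            else:
                ops.append(("set_other", current_key, name, data))  # dword:, hex:, ...
            continue
        raise ValueError("unparseable line: " + raw)
    return ops


def filename_problem(name):
    """Explain why double-clicking `name` would not merge it, or None if it would."""
    if name.lower().endswith(".reg.txt"):
        return ("Notepad added .txt because 'Save as type' was still Text Documents; "
                "with known extensions hidden it displays as .reg but is a text file")
    if not name.lower().endswith(".reg"):
        return "extension is not .reg, so it is not associated with regedit"
    return None


if __name__ == "__main__":
    for op in parse_reg(URLREPAIR_REG):
        print(op)
    for candidate in ("URLRepair.reg", "URLRepair.reg.txt"):
        print(candidate, "->", filename_problem(candidate) or "will merge on double-click")
```

The parse shows the whole URLSearchHooks key is deleted (taking the underscore-mangled entries with it) and then re-created holding only the one unmangled CLSID with an empty string value. The .reg content itself is unchanged from the thread; the parser covers a subset of the format (keys, string values, '-' deletions) and raises on anything else rather than guessing.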

I don't know if I can help but I had a problem close to yours and I tried Spybot Search and Destroy and it fixed my computer perfectly.

Yes, that and Ad-Aware were the first things I tried, but they couldn't get rid of the problems. A lot of the things that Crunchie has told me have already helped a lot. Thanks anyways, STP72!

SH


I still don't understand about the Merging URLRepair, but I checked the boxes you told me to in HijackThis. I deleted the files in Safe Mode, and here is what I have now:

Logfile of HijackThis v1.97.7
Scan saved at 5:16:08 PM, on 5/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
F:\Program Files\Hijack This\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7328819444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

This any better? Thanks so much again!

SH


Oh, and I still have those 8 viruses when I scan my computer on Trend Micro. Evil buggers :evil:


That's a lot better. With that R3 entry try this:

Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe

Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.

Copy and paste the following text into the address bar, then hit 'Go':
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

In the pane on the right are the values associated with that key.
We want to remove this one & any others with that underscore at the end or beginning>

{CFBFAE00-17A6-11D0-99CB-00C04FD64497}_
Notice the underscore at the end.

Right click on each, and select delete.
If you get a confirmation question, respond OK then close out of the program.

Let me know if this fixes it, it should do.


Hey Crunchie, I did what you said and ran Hijack again, here is what it came up with:

Logfile of HijackThis v1.97.7
Scan saved at 9:19:05 AM, on 5/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Avant Browser\iexplore.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
F:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7328819444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

However, I ran the free virus scan again from your link, and it says I still have these viruses on my computer:

TROJ REVOP.A C:/Documents and settings/BRD/Local settings/Temporary Internet Files/content.IE5/PR7BLHWE/bdl14025(1).exe

TROJ ISTBAR.DW C:/Windows/Downloaded Program Files/ISTactivex.dll

TROJ REVOP.A C:/Windows/System32/0021-bdl94126.EXE

TROJ BRISS.H C:/Windows/System32/a.exe

TROJ BRISS.H C:/Windows/System32/bridge.dll

TROJ SMALL.GO C:/Windows/System32/CS4P028.exe

BKDR SANDBOX.A C:/Windows/System32/Lkyqfy.exe

TROJ STILEN.A C:/Windows/System32/silent.exe

Thanks so much again! Your help has already fixed my Windows Media Player, and I have a lot less pop ups. The only major problem that I can see is my Photoshop files I have on my desktop keep randomly changing icons, and my Adobe Photoshop still crashes when I try and open it. :o


For those viruses, do I just go in safe mode and find and delete them? I was looking in my System32 folder, and I found silent.exe and a.exe, so I wasn't sure if that's what I'm supposed to do. Thought I'd wait for the expert to tell me!

Thanks again!

SH


Hi. Those viruses that the scan shows usually show in the HJT log (or at least some of them do).

Clean out all those in your last post by going into safe mode. Reboot back into normal mode & then disable system restore temporarily.
Post a new HJT log, then we can enable system restore again. Just note that all previous restore points will be lost.
Check how Photoshop is after removing those viruses, although it may be necessary to uninstall it & then reinstall.
The log you posted looks clean now, but I want to be sure after you remove those items.

How to disable system restore: Here.

0

Well, I got most of those viruses, but there was one I couldn't find. It was the C:/Windows/System32/Lqkfy.exe virus. I looked and it just wasn't there when I went searching. I also checked the box to show hidden and extensions. I saw no Lqkfy.exe.

I also deleted the bridge.dll file, but I kept it in the recycle bin just in case. I saw a few other posts about how people said that when they started their computer that it couldn't find the bridge.dll, so I didn't know if this was important to the running of the computer?

I'm going to re-scan my computer and see what it finds, then I'll post back the Hijack log.

SH

0

I tried to put the virus name in the address bar, and when I did, the firewall stopped it. I put in C:\WINDOWS\system32\Lkyqfy.exe, and the firewall stopped something called Kern32. I looked and there is a Kernel32.dll and a krnl386.exe, but still no sign of the Lkyqfy.exe virus. I re-scanned with Trend Micro, and now I have these viruses. I don't understand the silent one, because I deleted that in safe mode, and now it's back.

TROJ BRISS.H C:\RECYCLER\S-1-5-21-602162358-583907252-725345543-1003\Dc13.dll
(I think this one might be the bridge.dll that's in the recycle bin right now, since I wasn't sure if I should delete it)

BKDR SANDBOX.A C:\WINDOWS\system32\Lkyqfy.exe
(Just cannot find this thing)

TROJ STILEN.A C:\WINDOWS\system32\silent.exe
(This one I know I deleted, I don't know why it's back)

However, good news is I'm down from 8 to 3!!! I'm going to close this window and do the Hijack now, and post that back for you.

0

Logfile of HijackThis v1.97.7
Scan saved at 11:57:10 AM, on 5/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN\MSNIA\dslmon.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Avant Browser\iexplore.exe
F:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7328819444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Here you go!

0

That log is clean. Try going here for another scan & see how that works. If there is an option to clean, select that too. Are your own virus definitions up-to-date?
You can also try TROJANHUNTER to weed out those trojans.
Delete bridge.dll from the recycle bin, empty your temporary internet files & include offline files, empty any other temp folder (there is one where you will have to show hidden folders).
Your restore point is disabled? Yes.

0

Thanks, Crunchie! The TrojanHunter made the Lkqyfy.exe visible so I could delete it. However the TrojanHunter said one of these files *MIGHT* be a Trojan, so I wanted to post it on here first and see what you thought before I went and deleted it:

Found possible trojan file: C:\Documents and Settings\BRD\Local Settings\Temp\optimize.exe/MkkuZz.exe (SDBot)

On your NoAdware scan, it came up with this:

HKEY_LOCAL_MACHINE\software\clRegKey Danger: Severe

And here is my newest Hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 3:04:49 PM, on 5/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN\MSNIA\dslmon.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
F:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7328819444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I think it's finally looking good other than those two problems!!! Oh, and of course if there's anything new in the Hijack log :P
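
A small triage helper, added here as an example and not part of the thread or of HijackThis itself: it parses the finding lines of a HijackThis log, diffs two scans (excerpts of the 5/13 and 5/18 logs above are embedded) so the reviewer sees exactly what was added or removed between posts, and lists which hosts served the O16 downloaded controls so they can be checked against known vendors.

```python
import re
from urllib.parse import urlsplit

# Each HijackThis finding is one line "<section> - <detail>"; header and process lines do not match.
ENTRY_RE = re.compile(r"^[RFNO]\d+ - .*$")
# O16 lines end with " - <url>" naming the CAB the ActiveX control was downloaded from.
DPF_URL_RE = re.compile(r" - (https?://\S+)$")

def parse_hjt(text):
    """Return the set of finding lines (O2, O4, O16, ...) in a HijackThis log."""
    return {ln.strip() for ln in text.splitlines() if ENTRY_RE.match(ln.strip())}

def diff_logs(old_text, new_text):
    """Findings present in only one of two scans, so a reviewer sees exactly what changed."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    return {"added": sorted(new - old), "removed": sorted(old - new)}

def dpf_hosts(entries):
    """Hostnames that served the O16 (Downloaded Program Files) controls, for a vendor check."""
    hosts = set()
    for entry in entries:
        m = DPF_URL_RE.search(entry) if entry.startswith("O16 - DPF:") else None
        if m:
            hosts.add(urlsplit(m.group(1)).hostname)
    return sorted(hosts)

# Excerpts of the 5/13 and 5/18 logs posted above, trimmed to a few lines each.
OLD_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 11:57:10 AM, on 5/13/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Avant Browser\iexplore.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
"""
NEW_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 3:04:49 PM, on 5/18/2004

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 3.8\THGuard.exe"
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

if __name__ == "__main__":
    print(diff_logs(OLD_LOG, NEW_LOG), dpf_hosts(parse_hjt(NEW_LOG)))
```

On the excerpts this reports the Avant Browser O8 entry as removed and the TrojanHunter O4 and Panda O16 entries as added, which matches the two full logs in the thread.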

0

That log looks good. Boot into safe mode & clear out the contents of that Temp folder that the MkkuZz.exe is in. Show hidden files/folders to view it. Boot back to normal. Run TrojanHunter again & see if it sniffs out anything else.
You can clear this key too. HKEY_LOCAL_MACHINE\software\clRegKey Danger: Severe

0

How do I find the reg key? With reg lite?

Update:
I put HKEY_LOCAL_MACHINE\software\clRegKey into Reglite, and it gave me a big list of things. How do I know what to delete?

P.S. Thanks again for everything!!!

0

I presumed that you found that key with Adaware? If so, run Adaware again & have it fix it.

No, I found it with another link you posted called NoAdware v2.01. The only way I can fix it with that is if I pay $30.00. I was hoping you might know how to get rid of it without going that route :). I've run AdAware and Spybot several times, and the key still shows up :(.

0

I've just gone through my previous posts & there is no mention of Noadware that I can see. I wondered why I had not heard of it?? I think perhaps you may have got it somewhere else??
I can almost guarantee you though that the program is junk. There are a lot of programs that offer a free download then tell you that you have to pay to remove what it finds. I have never recommended a program that works that way. Just a rip off & what they find is probably already written into the program to come up automatically. As soon as you pay, voila, gone. Nothing wrong to start with. You know what I mean??
If Adaware & spybot never found it, I would feel pretty secure. There is nothing in your log either, so trash the program.
Reset your system restore point & you'll be sweet.

Go & have a read here. http://www.netrn.net/archives2/000499.html
