
Can You Guys Check this out for me

Post by lhamp » October 16th, 2005, 10:36 pm

Logfile of HijackThis v1.99.1
Scan saved at 9:26:46 PM, on 10/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 204.38.36.89:80
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: Shell=
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\Documents and Settings\Lavell\Application Data\Mozilla\Profiles\default\36z17xne.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Lavell\Application Data\Mozilla\Profiles\default\36z17xne.slt\prefs.js)
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\Program Files\MBKWBar\IEToolBar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Lavell\LOCALS~1\Temp\20051010192212_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Lavell\LOCALS~1\Temp\20051010192212_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [DeleteYahooUninstaller] command /c del C:\PROGRA~1\Yahoo!\Common\UNINST~1.EXE
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /reboot{0B69DA57-BC7D-461D-B7D6-2AA9F08869CD} /z
O4 - HKLM\..\RunOnce: [InstallShieldSetup1] C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /reboot{13616DE2-9795-4910-8C93-80D45AF09658} /z
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/activex/L ... ontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 1590254545
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\system32\angelex.exe (file missing)
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
lhamp
Regular Member
 
Posts: 18
Joined: October 16th, 2005, 7:48 pm

Post by Piney » October 17th, 2005, 8:45 pm

Hello and welcome to Malware Removal forum, lhamp :)

If you are still in need of assistance, please post a new log to see if any changes have occurred.

I will be assisting you with your problems with the assistance of the experts here.

If, at any time you have questions, don't hesitate to ask.

Before posting the new HJT log, would you download, setup and update these two programs, please?

Download Adaware SE from this tutorial:
Using Ad-aware to remove Spyware, Malware & Hijackers from Your Computer

Download Spybot S&D 1.4 here:
http://safer-networking.org/en/news/2005-05-31.html
or
http://www.majorgeeks.com/download2471.html

Install by double-clicking on the downloaded file.
Run Spybot S&D from desktop icon or Start menu.
Press "Search for updates" button to get list of updates available.
Press "Download updates" button.

Once each has been downloaded, run each program, letting them "fix" what is found. Reboot between running the programs.

After installing and scanning with both Adaware and Spybot, then open HijackThis, and do a Scan only. Save the log and paste it here by clicking on Add Reply

Please, also include the problems you have been having with your computer.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

please check this out your reply

Post by lhamp » October 17th, 2005, 10:44 pm

Did both scans as you instructed, and here are the results. Please help.

Logfile of HijackThis v1.99.1
Scan saved at 9:41:36 PM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 204.38.36.89:80
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: Shell=
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\Documents and Settings\Lavell\Application Data\Mozilla\Profiles\default\36z17xne.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Lavell\Application Data\Mozilla\Profiles\default\36z17xne.slt\prefs.js)
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Lavell\LOCALS~1\Temp\20051010192212_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Lavell\LOCALS~1\Temp\20051010192212_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /reboot{0B69DA57-BC7D-461D-B7D6-2AA9F08869CD} /z
O4 - HKLM\..\RunOnce: [InstallShieldSetup1] C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /reboot{13616DE2-9795-4910-8C93-80D45AF09658} /z
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/activex/L ... ontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 1590254545
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
lhamp
Regular Member
 
Posts: 18
Joined: October 16th, 2005, 7:48 pm

Post by Piney » October 18th, 2005, 1:18 am

Thank you for the log.... I'll be back as soon as possible with information for you :)
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Post by Piney » October 18th, 2005, 4:22 pm

Welcome back and thank you for the updated HJT log :)

Question and answer time...

In your very first post (the one without the HJT log), you stated your desktop and taskbar were gone. Is it better now?
What scans did you do, before I gave you information to download and scan with Adaware and Spybot?

I see no mention of a firewall or antivirus scanner in your log. It is almost impossible to surf the net without getting infected unless you are protected with both of these programs. When you appear to be clean, I will give you a list of free and easy firewall and AV scanners.

Was the HijackThis log you posted done in regular mode or safe mode?

The scans did remove a few things. It's up to us to get the rest!

You will want to print this page or copy to your favorite text editor such as notepad. Save to your desktop so you can find it.

I would like for you to download Ewido Security Suite from: http://www.ewido.net/en/download/

This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times.

Install Ewido Security Suite
When installing the program, under "Additional Options"
uncheck:
*Install background guard
*Install scan via context menu


Launch ewido, there should now be an icon on your desktop, double-click it.
The program will now open to the main screen.

When you run ewido for the first time, you will get a warning "Database could not be found!".
Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files:
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")

***If you are having problems with the updater, you can use this link to manually update ewido:****
http://www.ewido.net/en/download/updates/

Once the updates are installed, close Ewido. We will use it in a bit.

Next, we need to stop a couple of Services that are running.

Click Start>>>>Run
type in the box: services.msc
Click OK

In the page that opens, scroll and find:

Network DDE Connections (NETDDEC)
Right click on the name, and choose Properties from the menu
In the box that comes up, under "Startup type" change to Disabled
Under "Service Status" click the "Stop" button.
Click Apply and click OK

The second one to look for is:

Netbios Helper Service
Right click on the name, and choose Properties from the menu
In the box that comes up, under "Startup type" change to Disabled
Under "Service Status" click the "Stop" button.
Click Apply and click OK

You can now close the Services page.

Open HijackThis and scan.
Place a checkmark by these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - (no file)
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Lavell\LOCALS~1\Temp\20051010192212_mcinfo.exe /insfin
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\System32\shdocvw.dll
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe


With nothing open except HJT click the Fix Checked button.

Close HJT.

Reboot your computer into Safe Mode
As your computer begins to restart, begin tapping on the F8 key.
You will next see a black screen with a bootup menu.
Use the arrow keys to choose Safe Mode (without Networking!) and hit enter.
Your usual desktop will appear although it will be greatly distorted, with the words 'Safe Mode' in each corner.

Click Start >>> Control Panel and open Add/Remove Programs
Look for and uninstall this:
MBKWBar - Toolbar

You will be prompted to reboot, choose NO
Close Add/Remove Programs.

While still in the Control Panel, we need to open up hidden files and folders.
Double click on Folder Options, then click on View tab.

Look for Hidden Files and Folders
*select (checkmark) Show hidden files and folders.
*uncheck the hide file extensions for known types option.
*uncheck the Hide protected operating system files (recommended) option.
Answer yes to the box that comes up.
Click Apply and then click Close

Click on the Windows key and the E key on your keyboard.
This will open your Windows Explorer
Looking under your main drive (C:\) find and delete the following in bold (if found; make note of those not found)

FILES
C:\WINDOWS\system32\service.exe <<< File Be careful here!! Note the spelling. Services is GOOD.... service.exe is bad
C:\WINDOWS\system32\altsvc.exe <<< File

FOLDERS
C:\PROGRAM FILES\MBKWBar <<< Folder

Close Windows Explorer.

Remaining in Safe Mode and we'll finish this part :)

Now is the time to use Ewido. Open Ewido Security Suite
Click on scanner.
Click on Complete System Scan, the scan will now begin.
While the scan is in progress you will be prompted to clean files, click OK.
When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections",
then choose clean and click OK.
Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
Click Save Report.
Now save the report .txt file to your desktop.

Take a deep breath...we are nearly finished with the hard parts :)

Click Start>>>Run
Type into the box: cleanmgr.exe
Let it scan your system for files to remove. Make sure these 3 are checked and then press "Ok" to remove:
Temporary Files
Temporary Internet Files
Recycle Bin


You can now reconnect to the Internet and reboot normally.

Please do an online scan at:

Trend Housecalls Virus Scan

Allow to clean/fix/delete all that is found.

Reboot normally.

Please rescan with HJT and save the log.

Paste the HJT log and the Ewido log (report.txt) to this thread by clicking on Add Reply

I will be watching for your logs and please give me information of any problems you had with the instructions above, as well as the answers to the questions I asked at the beginning of this post.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm
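An added triage script for HijackThis logs (example code, not from the thread or from HijackThis itself) that encodes the checks the helper applies by eye above: a ProxyServer set under Internet Settings, an empty Shell= value in the F2 line, orphaned (no file) entries, autoruns started from a Temp folder, O23 services whose file is missing or whose filename is one character off a real Windows binary (service.exe against services.exe), and explorer.exe absent from the running-process list, which matches the missing desktop and taskbar reported in this thread. The sample log is a constructed excerpt of the entries posted above; the set of known system binaries is an assumption chosen for Windows XP.

```python
"""Triage a HijackThis v1.99 log for the entry patterns seen in this thread.

Added example, not part of the thread or of HijackThis. The list of known
Windows system binaries below is an assumption tuned for Windows XP.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# Legitimate XP system binaries whose names malware likes to mimic by one letter.
KNOWN_SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "smss.exe",
                         "winlogon.exe", "spoolsv.exe", "csrss.exe", "explorer.exe"}

# HJT entry lines look like "O23 - Service: ..."; the prefix is the section code.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d+) - (.*)$")


def parse_log(text):
    """Split a HijackThis log into (running_processes, [(section, body, line)])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2), line))
        elif in_procs:
            processes.append(line)
    return processes, entries


def _edit_distance_le1(a, b):
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a
    if len(b) - len(a) != 1:
        return False
    return any(b[:i] + b[i + 1:] == a for i in range(len(b)))


def lookalike(filename):
    """True if filename is one character away from a system binary but is not one."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return False
    return any(_edit_distance_le1(name, good) for good in KNOWN_SYSTEM_BINARIES)


def triage(text):
    """Return the Findings a helper would want to look at first, in log order."""
    processes, entries = parse_log(text)
    findings = []
    names = [p.rsplit("\\", 1)[-1] for p in processes]
    if "explorer.exe" not in {n.lower() for n in names}:
        findings.append(Finding("PROC", "explorer.exe not running: no desktop or taskbar", ""))
    for proc, name in zip(processes, names):
        if lookalike(name):
            findings.append(Finding("PROC", f"{name} mimics a Windows binary", proc))
    for sec, body, line in entries:
        if sec == "R1" and "ProxyServer =" in body:
            findings.append(Finding(sec, "proxy server set; confirm the user expects it", line))
        elif sec == "F2" and body.endswith("Shell="):
            findings.append(Finding(sec, "empty Shell= value: Windows loads no shell", line))
        elif sec in ("O2", "O3", "O9") and body.endswith("(no file)"):
            findings.append(Finding(sec, "orphaned entry, safe to fix", line))
        elif sec == "O4" and "\\temp\\" in body.lower():
            findings.append(Finding(sec, "autorun launched from a Temp folder", line))
        elif sec == "O23":
            path = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
            name = path.rsplit("\\", 1)[-1]
            if lookalike(name):
                findings.append(Finding(sec, f"service binary {name} mimics a Windows binary", line))
            elif "(file missing)" in body:
                findings.append(Finding(sec, "service points at a missing file", line))
    return findings


# Constructed excerpt of the log posted in the thread above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 204.38.36.89:80
F2 - REG:system.ini: Shell=
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - (no file)
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Lavell\LOCALS~1\Temp\20051010192212_mcinfo.exe /insfin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\system32\angelex.exe (file missing)
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Entries such as the AOL toolbar or the ATI services pass through untouched, which is the point: the script narrows the log to the handful of lines worth a human look rather than judging the whole machine.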

I'm back

Post by lhamp » October 18th, 2005, 9:51 pm

OK, the answers to your questions are as follows:

1. No, still no icons or taskbar.
2. I removed both McAfee and Yahoo A.V.
3. It was done in regular mode.
4. Got an error (could not stop Network DDE Connections service on local computer: error 123, the file name, directory name or volume label syntax is incorrect), but it seems like it did it anyway.
5. In safe mode the black screen has Safe Mode in all corners and at the top it states Microsoft Windows XP Build 2600.xpsp_sp2_gdr.050301-1519: Service Pack 2.
6. I have to Ctrl-Alt-Del to get to the control panel (Windows Task Manager).
7. Did not see MBKWBar - Toolbar in the Add/Remove Programs section.
8. Also, clicking on the Windows key and E does not work for me.
9. Could not do a Trend HouseCall scan (error: your security settings do not allow web sites to use ActiveX controls).

Here are the log files:

Logfile of HijackThis v1.99.1
Scan saved at 8:22:19 PM, on 10/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 204.38.36.89:80
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: Shell=
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\Documents and Settings\Lavell\Application Data\Mozilla\Profiles\default\36z17xne.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Lavell\Application Data\Mozilla\Profiles\default\36z17xne.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Lavell\LOCALS~1\Temp\20051010192212_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /reboot{0B69DA57-BC7D-461D-B7D6-2AA9F08869CD} /z
O4 - HKLM\..\RunOnce: [InstallShieldSetup1] C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /reboot{13616DE2-9795-4910-8C93-80D45AF09658} /z
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/activex/L ... ontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 1590254545
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

I saved the ewido report to my desktop dir, but I don't see it. Sorry, will do again and send it.
lhamp
Regular Member
 
Posts: 18
Joined: October 16th, 2005, 7:48 pm

back again

Post by lhamp » October 18th, 2005, 10:01 pm

Here is the second scan, not sure what happened to the first one,
and still no icons or taskbar on the bottom of the screen.


--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:00:50 PM, 10/18/2005
+ Report-Checksum: B29FAFB4

+ Scan result:

HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-C1EC-0345-6EC2-4D0300000000} -> Spyware.Transponder : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0007522A-2297-43C1-8EB1-C90B0FF20DA5} -> Spyware.ShopNav : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00320615-B6C2-40A6-8F99-F1C52D674FAD} -> Spyware.Transponder : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} -> Spyware.FindWhateverNow : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D568F0F-8AC9-40AB-88B7-415134C78777} -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D60FF48-95BE-4956-B4C6-6BB168A70310} -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{89044184-F260-4FDD-8FAB-2662814846E5} -> Spyware.SpectorPro : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BCF96FB4-5F1B-497B-AECC-910304A55011} -> Spyware.HungryHands : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5941EE5-6DFA-11D8-86B0-0002441A9695} -> Spyware.BlazeFind : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
C:\Documents and Settings\Lavell\Cookies\lavell@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Lavell\Cookies\lavell@e-2dj6wjk4shcjsgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lavell\Cookies\lavell@e-2dj6wjl4ckd5ago.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Lavell\Cookies\lavell@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Lavell\Cookies\lavell@rotator.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup


::Report End
lhamp
Regular Member
 
Posts: 18
Joined: October 16th, 2005, 7:48 pm
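The Ewido report above is a flat list of `location -> detection : action` lines. When you are triaging one of these for someone else, the question is not how many lines there are but which hits are tracking cookies (noise) and which are registry or file entries that mean something was actually installed, and which CLSIDs the IE Ext\Stats keys name so they can be checked against the HJT O2 lines. The parser below is an added example, not part of the original post or of Ewido; the sample input is four lines copied from the report above plus its trailer, and the "installed vs. cookie" split is this example's own heuristic.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: four lines copied from the Ewido report posted above,
# plus the trailer the report ends with. The parser handles any number of
# lines in this "location -> detection : action" format.
SAMPLE_REPORT = r"""
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
HKU\S-1-5-21-1177238915-220523388-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{89044184-F260-4FDD-8FAB-2662814846E5} -> Spyware.SpectorPro : Cleaned with backup
C:\Documents and Settings\Lavell\Cookies\lavell@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Lavell\Cookies\lavell@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup

::Report End
"""

# One report line: everything up to " -> " is the location, then the
# detection name (no spaces), then " : " and the action Ewido took.
LINE_RE = re.compile(r"^(?P<location>.+?) -> (?P<detection>\S+) : (?P<action>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
REG_HIVES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")


@dataclass(frozen=True)
class Finding:
    location: str
    detection: str
    action: str

    @property
    def kind(self) -> str:
        """Registry key, browser cookie, or file on disk (example heuristic)."""
        if self.location.startswith(REG_HIVES):
            return "registry"
        if self.detection.startswith("Spyware.Cookie."):
            return "cookie"
        return "file"


def parse_report(text: str) -> list:
    """Turn the report text into Finding records; reject lines that do not fit the format."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("::"):  # blank lines and the ::Report End trailer
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        findings.append(Finding(**m.groupdict()))
    return findings


def clsids(findings) -> set:
    """CLSIDs named in registry hits. The Ext\\Stats keys above are IE's record of
    add-ons it has loaded, so these are the IDs to cross-check against HKCR\\CLSID
    and the O2 (BHO) lines of the HijackThis log."""
    return {m.group(0).upper()
            for f in findings if f.kind == "registry"
            for m in CLSID_RE.finditer(f.location)}


def triage(findings) -> dict:
    """Separate tracking cookies (low value) from registry/file hits that imply
    software was installed, and list anything Ewido did not report as cleaned."""
    by_kind = Counter(f.kind for f in findings)
    installed = sorted({f.detection for f in findings if f.kind != "cookie"})
    not_cleaned = [f.location for f in findings if not f.action.startswith("Cleaned")]
    return {"by_kind": dict(by_kind), "installed": installed, "not_cleaned": not_cleaned}


if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT)
    print(triage(fs))
    print(sorted(clsids(fs)))
```

Run against the full report, `installed` is the list worth asking the user about (as Piney does with SpectorPro below): a cookie only proves a site was visited, a registry or file hit proves code ran on the box.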

Unread postby Piney » October 18th, 2005, 10:14 pm

Another quick question, if I may.... what is this program?
C:\Program Files\Trojan Remover
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe

It wasn't showing in your first HJT log, but showed up later.

Thank you for the logs and info, I'll check through all the info and be back as soon as I can.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

I'm back

Unread postby lhamp » October 18th, 2005, 11:58 pm

Just like it said, me listening to idiots who tried to tell me this would work. It did not. I must uninstall it and wait for further instructions from you, the only good thing gone for me.
lhamp
Regular Member
 
Posts: 18
Joined: October 16th, 2005, 7:48 pm

Unread postby Piney » October 19th, 2005, 12:15 am

Please do nothing more until I can get an expert to look at your logs.

Don't be hard on yourself :) I won't tell you all the silly things I did to 'fix' my computer instead of asking for help.

Hang in there lhamp, we've a great bunch of experts here!
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby Piney » October 19th, 2005, 3:41 am

Hi again lhamp:)

From my Guru... you definitely need to get an AV and Firewall on your computer.
There are several free firewall programs and anti-virus programs available:

Free Antivirus Programs
http://www.grisoft.com offers the popular AVG
http://www.avast.com/eng/avast_4_home.html is the site of Avast! AV scanner

Free Firewall Programs
http://www.zonelabs.com ZoneAlarm firewall
http://www.kerio.com Kerio firewall
http://www.sygate.com Sygate firewall

Also, what programs did you scan your computer with before you came to Malware Removal Forums? Do you remember what all was found, fixed, deleted etc?

Did you use Task Manager to do all that I asked of you in my post with all the instructions? Or, do you have a Start button that is visible?

How did you remove McAfee and Yahoo? What prompted you to get rid of them?

I noticed one of the things cleaned by Ewido was SpectorPro. Had you installed that program?

Enough questions for now ( I think ;) ) I'll be back later, but now I need to sleep.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby Piney » October 19th, 2005, 11:50 am

Good morning lhamp :)

To continue with fixing after you get an AV and firewall installed.....

Open Task Manager >>> File >>> New Task (Run..)>> type in the box explorer.exe and click OK.
This should open up your Windows Explorer.
Click on "Tools" at the top, scroll down to and choose "Folder Options"

Look for Hidden Files and Folders
*select (checkmark) Show hidden files and folders.
*uncheck the hide file extensions for known types option.
*uncheck the Hide protected operating system files (recommended) option.
Answer yes to the box that comes up.
Click Apply and then click Close to close Folder Options.

Down in Windows Explorer:
click on your C:\ drive, and scroll down to Windows >>> ServicePackFiles >>> i386 and open the folder (i386 folder)
Scroll down near the bottom, and look for shdocvw.dll Just make sure the file is present.

Next move down to the System32 folder and click to open the folder. Scroll down near the bottom and find the file shdocvw.dll
Right-click on shdocvw.dll scroll the menu that appears and choose Rename
Rename the file to shdocvw.bak

Now move back up to the i386 folder, and find shdocvw.dll. Right-click on the file. From the menu choose Copy
Do NOT choose cut!

Return to the System32 Folder. Inside the folder, again right-click and choose Paste. This will paste a good copy of the shdocvw.dll file.

When finished, reboot your computer. Scan with HJT and paste the log to this thread. Also, please let me know if there is any improvement.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm
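The same file swap as a batch file, so the steps can be repeated exactly and checked. This is an added example, not part of Piney's instructions; it assumes Windows XP with SP2's file cache in %SystemRoot%\ServicePackFiles\i386 (normally C:\WINDOWS), and is run from a cmd window opened as Administrator. It adds two checks the manual steps do not have: it compares the two copies byte for byte before doing anything (if they already match, shdocvw.dll was not the problem) and verifies the copy afterwards.

```batch
@echo off
rem Added example, not from the original post: automates the shdocvw.dll
rem replacement described above on Windows XP SP2. Run from a cmd window opened
rem as Administrator (Task Manager > File > New Task > cmd.exe works when the
rem Start button is gone). Assumes Windows lives in %SystemRoot% (normally C:\WINDOWS).
setlocal
set "SRC=%SystemRoot%\ServicePackFiles\i386\shdocvw.dll"
set "DST=%SystemRoot%\System32\shdocvw.dll"
set "BAK=%SystemRoot%\System32\shdocvw.bak"

rem 1. The same three Folder Options switches as the manual steps (takes effect
rem    for new Explorer windows): show hidden files, show extensions, show protected OS files.
set "ADV=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
reg add "%ADV%" /v Hidden          /t REG_DWORD /d 1 /f >nul
reg add "%ADV%" /v HideFileExt     /t REG_DWORD /d 0 /f >nul
reg add "%ADV%" /v ShowSuperHidden /t REG_DWORD /d 1 /f >nul

rem 2. Refuse to touch System32 unless the known-good Service Pack copy is there.
if not exist "%SRC%" (
    echo Known-good copy not found: "%SRC%" - stopping, nothing changed.
    exit /b 1
)

rem 3. Byte-compare first: if the files already match, the DLL was not the problem.
fc /b "%SRC%" "%DST%" >nul 2>&1
if %errorlevel% equ 0 (
    echo System32\shdocvw.dll already matches the Service Pack copy. Nothing to do.
    exit /b 0
)

rem 4. Keep the suspect file as shdocvw.bak for later analysis instead of deleting it.
if exist "%BAK%" del "%BAK%"
ren "%DST%" shdocvw.bak || (echo Rename failed, file may be locked. Nothing copied. & exit /b 1)

rem 5. Copy, never move, the good file into place, then verify the copy byte for byte.
copy /y "%SRC%" "%DST%" >nul
fc /b "%SRC%" "%DST%" >nul 2>&1 && (echo Replaced and verified. Reboot now.) || (echo Copy did not verify. Restore with: ren "%BAK%" shdocvw.dll & exit /b 1)
endlocal
```

One caveat for XP: Windows File Protection watches System32 and may quietly put its own cached copy (from %SystemRoot%\system32\dllcache) back after the swap. If the file reverts, `sfc /scannow` with the Service Pack or CD source is the supported route to the same result, and the `fc /b` comparison above will tell you whether that happened.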

I'm back for now

Unread postby lhamp » October 19th, 2005, 7:54 pm

How do I get an AVG serial #? I thought this was free.
lhamp
Regular Member
 
Posts: 18
Joined: October 16th, 2005, 7:48 pm

Unread postby Piney » October 19th, 2005, 8:10 pm

I thought so also :(

You could do the 30 day, or go for the AVAST! which still offers the free download.

http://www.avast.com/eng/avast_4_home.html

My most sincere apologies, lhamp.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

I'm back

Unread postby lhamp » October 19th, 2005, 9:04 pm

Before I get started with your fix, I must say that after installing the AV, after bootup I get "unable to load odbcji32.dll". What does this mean?
lhamp
Regular Member
 
Posts: 18
Joined: October 16th, 2005, 7:48 pm