Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Can You Guys Check this out for me

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

back

Unread postby lhamp » October 19th, 2005, 9:17 pm

it wont let me rename shdocvw.dll states its being used by another program what do i do
lhamp
Regular Member
 
Posts: 18
Joined: October 16th, 2005, 7:48 pm
Advertisement
Register to Remove

back again

Unread postby lhamp » October 19th, 2005, 9:30 pm

ok sorry bout that i did the rename and paste still have that error messeg on bootup (odb...) heres the new scan

Logfile of HijackThis v1.99.1
Scan saved at 8:24:43 PM, on 10/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kerio\ServerFirewall\srvfw.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 204.38.36.89:80
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: Shell=
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\Documents and Settings\Lavell\Application Data\Mozilla\Profiles\default\36z17xne.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Lavell\Application Data\Mozilla\Profiles\default\36z17xne.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Lavell\LOCALS~1\Temp\20051010192212_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /reboot{0B69DA57-BC7D-461D-B7D6-2AA9F08869CD} /z
O4 - HKLM\..\RunOnce: [InstallShieldSetup1] C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /reboot{13616DE2-9795-4910-8C93-80D45AF09658} /z
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/activex/L ... ontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 1590254545
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio ServerFirewall (KerioServerFirewall) - Kerio Technologies - C:\Program Files\Kerio\ServerFirewall\srvfw.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
lhamp
Regular Member
 
Posts: 18
Joined: October 16th, 2005, 7:48 pm

Unread postby Piney » October 19th, 2005, 10:15 pm

Let me check on that missing file for you.

Did the install of the AV and Firewall go without problems? Do you have a desktop/task bar yet? Did you scan your computer with the Avast? Any results to tell us about?
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby Piney » October 20th, 2005, 1:22 am

Hello again, lhamp

Let me paste some of the questions you haven't answered:

1. What scans did you do, before I gave you information to download and scan with Adaware and Spybot?

2. what programs did you scan your computer with before you came to Malware Removal Forums?
2a. Do you remember what all was found, fixed, deleted etc?

3. Did you use Task Manager to do all that I asked of you in my post with all the instructions?
3a. Or, do you have a Start button that is visible?

4. How did you remove McAfee and Yahoo? (delete the folders, uninstall from Add/Remove, or?)
4a. What prompted you to get rid of them?

5. I noticed one of the things cleaned by Ewido was SpectorPro. Had you installed that program?

6. Did the install of the AV and Firewall go without problems?

7. Do you have a desktop/task bar yet?

8. Did you scan your computer with the Avast?
8a. Any results to tell us about?


There really is a good reason for all of the questions I'm asking.
We need to know what was tried, what was found, what the major infection was.

Another question for you, actually 2 questions....
** When did your problems begin?
** Have you turned OFF System Restore? If not, DON'T! We need a point to return to, even if infected.

I'm glad you got the file renamed, and the good one pasted in the System32 folder.

The file you get the warning about is one we can replace later.
For now, let's be concerned with getting you up and running.
You can best help that by answering the above questions.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

back again

Unread postby lhamp » October 20th, 2005, 6:42 am

my scans ai used were ,
1. Cleanmypc regisrty cleaner
2. CWShedder
3. REgistry Mechanic

not sure was found or repaired or deleted

I used task manager for everything

add/remove programs was used to uninstall both A.V.

Spector pro was sometime ago to monitor my system until I found out snapshots of my system were sent somewhere else

not sure about the firewall but when i try to run avast error message
(unable to load odbcji32.dll)

no desktop/taskbar yet

will talk later on my way 2 work
thanks for all your help and i will respond later good luck
lhamp
Regular Member
 
Posts: 18
Joined: October 16th, 2005, 7:48 pm

Unread postby Piney » October 20th, 2005, 12:20 pm

A new question for you... Do you have the winXP cd?

I'll wait to give you more, when all answers are in and I can chat with my Guru :)
[edit with more questions]

Alright, I'm back with a few more questions....

1. What was the last thing you did before your taskbar and icons disappeared?

2. Describe exactly how your desktop looks in Normal Mode...Color of the screen, is the Start button there?

3. Describe exactly how your desktop looks in Safe Mode

4. You used registry cleaning programs, did either of those make backups of the registry?
4a. Did either of the programs make backups of what was removed?

5. If yes to either 4/4a, did you try to restore the backups?

6. Did you update Avast definitions before trying to use it?

Here is a link to Trend that doesn't use ActiveX:
http://fr.trendmicro-europe.com/consumer/housecall/housecall_scan.php
Please scan your computer using that link.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

im back

Unread postby lhamp » October 20th, 2005, 11:52 pm

sorry it took so long work long hours

ran trend housecall and removal of infection failed and they are as follows

troj_vb.av , tspy_vb.ho , troj_vb.ck , bkdr_sub7.21a , troj_joiner.I ,
bkdr_dtv.a , bkdr_delf.ax not sure what this means but it looks bad.
Now the answer to your questions:

1. last thing i did was upgrade my sbcyahoo browers and add sbcyahoo protection.

2. I have a blank screen with the windows logo as background nothing else on the screen

3. the safe mode screen has safe mode in all corners and across the top states - microsoft(r)windowsxp(r)(build 2600.xp.sp_sp2_gdr.050301:service pack2

4. does not apply

5. same

6. no i did nothing to avast but install

7. I have my winxppro disc

8, did not rescan through hijackthis because i was not able to remove the above invections,,,,,,........
lhamp
Regular Member
 
Posts: 18
Joined: October 16th, 2005, 7:48 pm

Unread postby Piney » October 21st, 2005, 1:55 am

I'm sorry for your long work days

Those files found by Trend were trojan (troj) with at least one being a keylogger...similar to the the ''Spectre Pro'' you had on your system. Do you remember 'where' those files were located? eg C:Windows\System32 or C:\Windows\Archive or some other path? Was there a logfile from Trend?

I want you to know you are not being ignored. My Guru is talking to his Guru ;) One of us will get back to you as soon as we can.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby Piney » October 21st, 2005, 4:20 am

Ready for the next round? Open HJT, scan and put a check/tick next to:
F2 - REG:system.ini: Shell=

With nothing open except HJT, click the Fix Checked button.
Close HJT.

Open your Task Manager select > File > New Task and when the window pops up, type in explorer (no .exe this time, just explorer) and then click on "OK."
Next, go to Control Panel > Display.
Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab.
Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK then Apply and OK.

Then, right click on the desktop, select > "Arrange Icons By" > select "Show Desktop Icons."

Next, go to this site: http://www.kellys-korner-xp.com/xp_tweaks.htm
Click on #164
Download it to your desktop. Double-click on it to run.
***If you get a warning from your firewall about a script wanting to run, allow it to run.

When finished, reboot normally.

Download Silentrunners.zip from http://tinyurl.com/8bmsr
unzip it to a new folder on your desktop.
Run the SilentRunners.vbs file.

You will receive a prompt: "Do you want to skip supplementary searches?" - click NO

If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run.
This script is not malicious so please allow it.

A text file will appear in the folder - it's not done, let it run (it won't appear to be doing anything!)

Once the "All Done!" prompt flashes up, open the text file and copy & paste it in your next reply.

And finally, return to TrendMicro http://fr.trendmicro-europe.com/consumer/housecall/housecall_scan.php and rescan. Save the information or a log of what was found. We need the full path of items not cleaned or deleted.

So, your next post will be
1. HJT log
2. Silent Runners log
3. TrendMicro's log
Plus let us know of problems or successes :)
NOTE you will probably need to use more than one post...put the HJT and the Trend and how things are progressing in one, and put the Silent Runners in another one. We know it will be a long one :)
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

im back

Unread postby lhamp » October 21st, 2005, 11:08 pm

Ok. Hello long day again but hope your doing fine want to thank you for all your help so far and many thanks to your guru's .

Ok my desktop and taskbar are back, but:

those files from the housecall scan are in c:\documents & settings\lavell\local settings\temporary internet files

was not able to do a rescan on housecalls so therefore no log to send

did the silentrunner scan but not sure where the txt went its not in the new folder i created on my desktop that screen blinks to fast for me to see location of txt.

on bootup i still get that odbcji32.dll error must use task manager to end task in order for the desktop to boot up

not sure if it would help you but here is my hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 10:08:34 PM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kerio\ServerFirewall\srvfw.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 204.38.36.89:80
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\Documents and Settings\Lavell\Application Data\Mozilla\Profiles\default\36z17xne.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Lavell\Application Data\Mozilla\Profiles\default\36z17xne.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/activex/L ... ontrol.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 1590254545
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio ServerFirewall (KerioServerFirewall) - Kerio Technologies - C:\Program Files\Kerio\ServerFirewall\srvfw.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
lhamp
Regular Member
 
Posts: 18
Joined: October 16th, 2005, 7:48 pm

Unread postby Piney » October 21st, 2005, 11:58 pm

While we check over the latest information, why don't you do a SilentRunners.vbs run again, this time, once the "All Done!" prompt flashes up, open the text file, click on File...Save as... give it a name, and the Save to will be in that folder you created. Then come here and paste it to this thread :)

What happened when you tried to do the Trend scan?

yayyyyyyyyyy the desktop is back! wheeeeeeee the taskbar is back!

This is called progress :)

I am fine, and will pass on the TY TY to the Gurus :)
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

im back

Unread postby lhamp » October 22nd, 2005, 12:14 am

Ok hello again yes progress in the making

tend gave me the same as i stated earlier wont clean

here is the what your waiting on and ill still work on trend also the error odbcji32.dll i got rid of it by uninstalling the avast av and now im running avg working just fine and zonealarm firewall also working just fine thanks again,

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}\(Default) = "AOL Toolbar Launcher" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{0873D142-79EF-49fa-81B5-211AAC0B0A7F}" = "Target Finder Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Creator Classic\TargetFinder.dll" [empty string]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll" ["Sonic Solutions"]
"{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}" = "RXDCExtShlExt extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Disc Image Loader\DC_ShellExt.dll" ["Sonic Solutions"]
"{B1816445-A3ED-11D3-B2B3-00104B4C6B08}" = "Evidence Eliminator Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Eeshellx.dll" ["evidence-eliminator.com"]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Evidence Eliminator\(Default) = "{B1816445-A3ED-11D3-B2B3-00104B4C6B08}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Eeshellx.dll" ["evidence-eliminator.com"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Evidence Eliminator\(Default) = "{B1816445-A3ED-11D3-B2B3-00104B4C6B08}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Eeshellx.dll" ["evidence-eliminator.com"]
Library\(Default) = "{54F51408-DD44-4a12-82EF-519AD2A80DE9}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ATI Multimedia\mlibrary\MLShell.dll" ["ATI Technologies Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sstext3d.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{44226DFF-747E-4EDC-B30C-78752E50CD0C}\ = "&ATI TV"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL" ["ATI Technologies Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{3369AF0D-62E9-4BDA-8103-B4C75499B578}\
"ButtonText" = "AOL Toolbar"
"CLSIDExtension" = "{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

{44226DFF-747E-4EDC-B30C-78752E50CD0C}\
"ButtonText" = "ATI TV"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):
"{EA756889-2338-43DB-8F07-D1CA6FB9C90D}" = "AOL Search"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Kerio ServerFirewall, KerioServerFirewall, ""C:\Program Files\Kerio\ServerFirewall\srvfw.exe"" ["Kerio Technologies"]
ScsiAccess, ScsiAccess, "C:\WINDOWS\system32\ScsiAccess.EXE" [null data]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 88 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 38 seconds.
---------- (total run time: 169 seconds)
lhamp
Regular Member
 
Posts: 18
Joined: October 16th, 2005, 7:48 pm

Unread postby Piney » October 22nd, 2005, 12:23 am

Thank you for the SilentRunners log. So you uninstalled both Avast and Kerio (firewall) and installed AVG and ZoneAlarm?

With AVG fully installed and updated, why don't you scan with it, see what it finds?

It is getting late for you. I may have more for you when you get up :)
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

im back

Unread postby lhamp » October 22nd, 2005, 1:05 am

trend did a scan a confirm that my system is clean could not retrieve a log file for you sorry
lhamp
Regular Member
 
Posts: 18
Joined: October 16th, 2005, 7:48 pm

im back

Unread postby lhamp » October 22nd, 2005, 1:07 am

ill be up for a while thanks again for your help time to come out of training and get your guru award
lhamp
Regular Member
 
Posts: 18
Joined: October 16th, 2005, 7:48 pm
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 25 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware