AmoLaZucca

Ceres ABI Network - Need Help To Remove, Please!


Something called "Ceres ABI Network" has attached itself to my PC this morning - and after trying Adaware, Spybot S&D, Spyware Blaster and visiting a ton of sites, including PC Hell - I've failed to remove this horrible thing - or even find solid information about it. When I tried to remove it through my add/remove programs menu - it directed me to a site to remove it - I don't think that would be safe. Whatever this "Ceres ABI Network" is - it's HORRIBLE! :mrsgreen:

 

Any help would be greatly appreciated. Thank you in advance!

 

Here is my HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 2:17:04 PM, on 7/10/2005

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\PROGRAM FILES\WINZIP\WINZIP32.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun

O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe

O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,[email protected]

O4 - HKLM\..\Run: [uawpxm] c:\windows\system\uawpxm.exe

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\ujrlhm.exe reg_run

O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [LTIP95] C:\WINDOWS\SYSTEM\LTIP95.exe

O4 - HKCU\..\RunOnce: [LTIP95] C:\WINDOWS\SYSTEM\LTIP95.exe

O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab

O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx


Hi AmoLaZucca

 

The HJT.log you posted was from Safe Mode. Please always post a HJT.log done in normal mode.

 

Please read through the instructions before you start (you may want to print this out).

 

Please set your system to show all files; please see here if you're unsure how to do this.

 

Please download and install AD-Aware.

Check here on how to set up and use it; please make sure you update it first. Don't run it yet.

 

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

 

Please download SpyBot V1.4 http://www.majorgeeks.com/download2471.html Update the program then run it.

 

Reboot into Safe Mode: please see here if you are not sure how to do this.

 

Run Ad-Aware SE and let it remove all it finds.

 

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun

O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe

O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,[email protected]

O4 - HKLM\..\Run: [uawpxm] c:\windows\system\uawpxm.exe

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\ujrlhm.exe reg_run

O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

O4 - HKCU\..\Run: [LTIP95] C:\WINDOWS\SYSTEM\LTIP95.exe

O4 - HKCU\..\RunOnce: [LTIP95] C:\WINDOWS\SYSTEM\LTIP95.exe

O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx

Click on Fix Checked when finished and exit HijackThis.

 

Run Killbox and click the radio button that says "Delete a file on reboot". For each of the files you could not delete, paste them one at a time into the "Full path of file to delete" box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

C:\WINDOWS\CERES.DLL

C:\Program Files\E2G\IeBHOs.dll

C:\WINDOWS\SYSTB.DLL

C:\WINDOWS\CFGMGR52.DLL

C:\WINDOWS\CFGMGR52.DLL,DllRun

C:\WINDOWS\SYSTEM\exp.exe

C:\WINDOWS\AUNPS2.DLL,[email protected]

c:\windows\system\uawpxm.exe

C:\WINDOWS\ujrlhm.exe reg_run

C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart

C:\WINDOWS\wupdt.exe

C:\WINDOWS\SYSTEM\LTIP95.exe

Let the system reboot.

 

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.stevengould.org/cleanup/CleanUp40.exe

It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingcomputer.com/forums/tutorial93.html

Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the Prefetch folder and the Recycle Bin. When the scan has finished, click the Close button.

When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

 

Please run the following free, online virus scans.

http://www.pandasoftware.com/activescan/co...n_principal.htm

Please post the logs from Panda, Ewido and HJT.log. We will need them to remove previous infections that have left files on your system.

 

Kc :tup:

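The fix list above is built by reading each HijackThis line and deciding whether the thing it points at (a search URL, a BHO DLL, a Run-key command, a DPF download) is expected on this machine. The following is an added example, not code from the thread or from HijackThis, that parses R0/R1, O2/O3, O4 and O16 lines and flags the same kinds of entries the helper marked; the trusted hosts and known-good Windows ME / OEM files are assumptions for this example, and the sample log lines are copied from the first log in the thread.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a dozen lines copied from the first HijackThis log in this thread,
# mixing benign entries with the ones the helper told the poster to fix.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\ujrlhm.exe reg_run
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKCU\..\Run: [Zlupfnm] \cruysc.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
"""

# Assumptions for this example: the user's own ISP portal, the hosts that legitimately
# serve the ActiveX controls in the log, and Windows ME / OEM autostart files treated as known-good.
TRUSTED_URL_HOSTS = {"www.comcast.net"}
TRUSTED_DPF_HOSTS = {"us.dl1.yimg.com", "lg.home.microsoft.com"}
KNOWN_GOOD_FILES = {
    "scanregw.exe", "taskmon.exe", "systray.exe", "powrprof.dll", "mstask.exe",
    "ssdpsrv.exe", "statemgr.exe", "stimon.exe", "deskcp16.dll", "pchschd.exe",
    "hpsysdrv.exe", "qttask.exe",
}
WINDOWS_ROOTS = ("c:\\windows\\", "c:\\windows\\system\\")

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Executable/DLL at the start of a command line, without its arguments.
PATH_RE = re.compile(r"^(.*?\.(?:exe|dll|ocx|com|scr))", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def strip_args(cmd: str) -> str:
    cmd = cmd.replace('"', "").strip()
    m = PATH_RE.match(cmd)
    return m.group(1) if m else cmd


def target_of(section: str, body: str) -> str:
    """Return the URL, file or DLL an HJT line points at ("" if none)."""
    if section in ("R0", "R1"):
        return body.split(" = ", 1)[1].strip() if " = " in body else ""
    if section in ("O2", "O3", "O16"):
        return body.rsplit(" - ", 1)[1].strip()
    if section == "O4":
        if " = " in body:          # Startup folder shortcut: name.lnk = path
            cmd = body.split(" = ", 1)[1]
        elif "] " in body:         # registry Run/RunServices entry: [name] command
            cmd = body.split("] ", 1)[1]
        else:                      # bare Startup folder item
            cmd = body.split(": ", 1)[1]
        head, _, rest = cmd.strip().partition(" ")
        if head.lower().startswith("rundll"):   # the DLL handed to rundll32 is the real payload
            return strip_args(rest.split(",", 1)[0])
        return strip_args(cmd)
    return ""


def triage(text: str) -> list:
    """Flag HJT entries a helper would review: hijacked IE URLs, a proxy, orphaned or
    unknown BHO/toolbar/autostart files in the Windows root, and DPF downloads from
    untrusted hosts."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        target = target_of(section, body)
        reason = None
        if section in ("R0", "R1"):
            if "ProxyServer" in body:
                reason = "proxy server configured; confirm it is intentional"
            elif "Window Title" in body or target in ("", "about:blank"):
                reason = None
            elif urlparse(target if "://" in target else "http://" + target).hostname not in TRUSTED_URL_HOSTS:
                reason = "search/start page points at an untrusted host"
        elif section == "O16":
            if urlparse(target).hostname not in TRUSTED_DPF_HOSTS:
                reason = "ActiveX control installed from an untrusted host"
        elif target == "(no file)":
            reason = "orphaned registration; the file is already gone"
        elif section in ("O2", "O3", "O4"):
            name = target.rsplit("\\", 1)[-1].lower()
            folder = (target.lower().rsplit("\\", 1)[0] + "\\") if "\\" in target else ""
            if name not in KNOWN_GOOD_FILES and folder in WINDOWS_ROOTS + ("", "\\"):
                reason = "unknown file loaded from the Windows root or with no path"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The known-good list is the weak point: anything not on it that lives directly in C:\WINDOWS or C:\WINDOWS\SYSTEM is surfaced for review rather than declared malicious, which is the same judgement the helper is making by hand.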

Thanks for all of your help so far, thatman! I'm seeing positive changes already! Sorry about posting the HJT log in safe mode - I had no idea - this is all new to me.

 

I cannot use Ewido, because I'm still using Windows ME (I know... :blink: ) and it doesn't support it.

 

I did everything else as you advised though, and here are my results:

 

Logfile of HijackThis v1.99.1

Scan saved at 12:48:47 AM, on 7/12/2005

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\HPSYSDRV.EXE

C:\WINDOWS\SYSTEM\HPOOPM07.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\PROGRAM FILES\WINAMP\WINAMPA.EXE

C:\WINDOWS\UJRLHM.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\RunDLL.exe

C:\CRUYSC.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPODEV07.EXE

C:\PROGRAM FILES\PALMONE\HOTSYNC.EXE

C:\PROGRAM FILES\UTHM\AREA.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOEVM07.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

C:\WINDOWS\SYSTEM\HPOIPM07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOSTS07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOFXM07.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! Dial

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\ujrlhm.exe reg_run

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [Zlupfnm] \cruysc.exe

O4 - HKCU\..\Run: [uate] C:\Program Files\uthm\area.exe

O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

O4 - Startup: cknu.exe

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

 

 

PANDA:

 

Incident Status Location

 

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\CPRYNUC.DLL

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\UJRLHM.EXE

Adware:Adware/CWS.AAA No disinfected C:\CRUYSC.EXE

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\UJRLHM.EXE

Adware:Adware/CWS.AAA No disinfected \CRUYSC.EXE

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\Start Menu\Programs\StartUp\cknu.exe

Adware:Adware/SaveNow No disinfected Windows Registry

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe

Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe

Adware:Adware/Superbar No disinfected Windows Registry

Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll

Spyware:Spyware/Bridge No disinfected Windows Registry

Adware:Adware/SideSearch No disinfected C:\WINDOWS\Application Data\Lycos

Adware:Adware/BlazeFind No disinfected Windows Registry

Adware:Adware/WUpd No disinfected C:\Program Files\Media Access

Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\exul?.exe

Adware:Adware/MyWebSearch No disinfected Windows Registry

Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.???

Adware:Adware/P2PNetworking No disinfected Windows Registry

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\Start Menu\Programs\StartUp\cknu.exe

Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.dll

Spyware:Spyware/Bridge No disinfected C:\WINDOWS\Downloaded Program Files\jao.dll

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe

Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\SYSTEM\uawpxm.exe

Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\Shex.exe

Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\exul1.exe

Adware:Adware/Midaddle No disinfected C:\WINDOWS\SYSTEM\area.exe

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\SYSTEM\supdate.dll

Adware:Adware/QoolAid No disinfected C:\WINDOWS\qnbxdoq.exe

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\vwugi.dll

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\yapgw.dat

Adware:Adware/BookedSpace No disinfected C:\WINDOWS\tbzxkovq.exe

Adware:Adware/BookedSpace No disinfected C:\WINDOWS\xkuzqtem.exe

Adware:Adware/Midaddle No disinfected C:\WINDOWS\ru.exe

Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe

Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\cprynuc.dll

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\ujrlhm.exe

Adware:Adware/CWS.AAA No disinfected C:\cruysc.exe

 

I hope I did this right. Does it look less messed up than before? Thanks again - I'll check in again tomorrow. :)


Hi AmoLaZucca

 

Please read through the instructions before you start (you may want to print this out).

 

Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Please do not run it yet, though.

 

Please set your system to show all files; please see here if you're unsure how to do this.

 

Reboot into Safe Mode: please see here if you are not sure how to do this.

 

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\ujrlhm.exe reg_run

O4 - HKCU\..\Run: [Zlupfnm] \cruysc.exe

O4 - HKCU\..\Run: [uate] C:\Program Files\uthm\area.exe

O4 - Startup: cknu.exe

Click on Fix Checked when finished and exit HijackThis.

 

Run CWShredder to fix your CWS problem.

 

Using Windows Explorer, locate the following files/folders, and delete them:

C:\PROGRAM FILES\UTHM <-- Delete the whole folder

C:\Program Files\Media Access <-- Delete the whole folder

C:\WINDOWS\Application Data\Lycos <-- Delete the whole folder

C:\WINDOWS\SYSTEM\exul?.exe <-- Delete this file

Exit Explorer.

 

Run Ad-Aware SE and let it remove all it finds.

 

If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run Killbox and click the radio button that says "Delete a file on reboot". For each of the files you could not delete, paste them one at a time into the "Full path of file to delete" box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

C:\WINDOWS\CPRYNUC.DLL

C:\WINDOWS\UJRLHM.EXE

C:\CRUYSC.EXE

C:\WINDOWS\UJRLHM.EXE

C:\WINDOWS\Start Menu\Programs\StartUp\cknu.exe

C:\WINDOWS\Buddy.exe

C:\WINDOWS\unstall.exe

C:\WINDOWS\cfgmgr52.dll

C:\WINDOWS\Downloaded Program Files\YSBactivex.exe

C:\WINDOWS\Start Menu\Programs\StartUp\cknu.exe

C:\WINDOWS\Downloaded Program Files\ysbactivex.dll

C:\WINDOWS\Downloaded Program Files\jao.dll

C:\WINDOWS\SYSTEM\uawpxm.exe

C:\WINDOWS\SYSTEM\Shex.exe

C:\WINDOWS\SYSTEM\exul1.exe

C:\WINDOWS\SYSTEM\area.exe

C:\WINDOWS\SYSTEM\supdate.dll

C:\WINDOWS\qnbxdoq.exe

C:\WINDOWS\vwugi.dll

C:\WINDOWS\yapgw.dat

C:\WINDOWS\tbzxkovq.exe

C:\WINDOWS\xkuzqtem.exe

C:\WINDOWS\ru.exe

C:\WINDOWS\unstall.exe

C:\WINDOWS\cfgmgr52.dll

C:\WINDOWS\cprynuc.dll

C:\WINDOWS\ujrlhm.exe

C:\cruysc.exe

Let the system reboot.

 

Please run the following free, online virus scans.

http://www.pandasoftware.com/activescan/co...n_principal.htm

Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

 

Kc :tup:

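The Killbox list in the post above is the Panda report's Location column copied over, which is why it repeats files that Panda listed twice in different case and carries wildcard names such as exul?.exe that cannot be pasted into Killbox as they stand. The following is an added example, not code from the thread or from Panda, that turns a Panda ActiveScan report into a deduplicated list of full paths and sets aside the entries that need other handling: registry-only detections, already-disinfected items, wildcards, and copies inside HijackThis's own backups folder. The sample report lines are copied from this thread; treating a drive-less path as living on C: is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the Panda ActiveScan reports the poster pasted
# in this thread, including the duplicates and wildcard entries that appear there.
SAMPLE_REPORT = r"""
Incident Status Location
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\UJRLHM.EXE
Adware:Adware/CWS.AAA No disinfected C:\CRUYSC.EXE
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\Start Menu\Programs\StartUp\cknu.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\exul?.exe
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.???
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\ujrlhm.exe
Adware:Adware/CWS.AAA No disinfected \CRUYSC.EXE
Adware:Adware/AdBehavior No disinfected C:\unzipped\hijackthis\backups\backup-20050712-105652-142-cknu.exe
Virus:Trj/Agent.ABH Disinfected Operating system
"""

# One report line: "<Kind>:<Name> <Status> <Location>", where Status is the two-word
# "No disinfected" or the single word "Disinfected".
REPORT_RE = re.compile(
    r"^(?P<kind>\w+):(?P<name>\S+) (?P<status>No disinfected|Disinfected) (?P<location>.+)$"
)
NON_FILE_LOCATIONS = {"windows registry", "operating system"}
# Assumption for this example: a drive-less path such as \CRUYSC.EXE is on the system drive.
SYSTEM_DRIVE = "C:"


@dataclass
class CleanupPlan:
    killbox: list = field(default_factory=list)        # unique full paths ready to paste into Killbox
    wildcard: list = field(default_factory=list)       # ? or * in the name: resolve by hand first
    registry: list = field(default_factory=list)       # registry/system detections, not a file to delete
    backup: list = field(default_factory=list)         # copies inside HijackThis's own backups folder
    already_clean: list = field(default_factory=list)  # Panda already disinfected these


def plan_cleanup(text: str) -> CleanupPlan:
    """Sort Panda report lines into what Killbox can delete and what needs other handling."""
    plan = CleanupPlan()
    seen = set()
    for raw in text.splitlines():
        m = REPORT_RE.match(raw.strip())
        if not m:
            continue                      # header, blank or unrelated line
        name, status, loc = m.group("name"), m.group("status"), m.group("location").strip()
        if status == "Disinfected":
            plan.already_clean.append(name)
            continue
        if loc.lower() in NON_FILE_LOCATIONS:
            if name not in plan.registry:
                plan.registry.append(name)
            continue
        if loc.startswith("\\"):
            loc = SYSTEM_DRIVE + loc      # same file Panda reported once with and once without C:
        key = loc.lower()                 # FAT/NTFS paths are case-insensitive
        if key in seen:
            continue
        seen.add(key)
        if "\\hijackthis\\backups\\" in key:
            plan.backup.append(loc)       # HJT's saved copy of a fixed item, not a live infection
        elif "?" in loc or "*" in loc:
            plan.wildcard.append(loc)     # Killbox wants an exact path; find the real name first
        else:
            plan.killbox.append(loc)
    return plan


def killbox_text(plan: CleanupPlan) -> str:
    """One path per line, the form the helper pastes into the reply."""
    return "\n".join(plan.killbox)


if __name__ == "__main__":
    p = plan_cleanup(SAMPLE_REPORT)
    print("Paste into Killbox:\n" + killbox_text(p))
    print("Resolve wildcard by hand:", p.wildcard)
    print("Registry-only detections:", p.registry)
    print("HJT backups (ignore):", p.backup)
    print("Already disinfected:", p.already_clean)
```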

Thank you once again for all of your help! I followed your advice and hopefully I did everything correctly. I had NO IDEA there was so much on my PC. :mrsgreen:

 

OK - here are my new reports:

 

Logfile of HijackThis v1.99.1

Scan saved at 11:58:17 AM, on 7/12/2005

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\HPSYSDRV.EXE

C:\WINDOWS\SYSTEM\HPOOPM07.EXE

C:\WINDOWS\RunDLL.exe

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPODEV07.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOEVM07.EXE

C:\PROGRAM FILES\UTHM\AREA.EXE

C:\WINDOWS\SYSTEM\HPOIPM07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOSTS07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOFXM07.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! Dial

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [uate] C:\Program Files\uthm\area.exe

O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

 

 

PANDA SCAN

 

Incident Status Location

 

Virus:Trj/Agent.ABH Disinfected Operating system

Adware:Adware/SaveNow No disinfected Windows Registry

Adware:Adware/PurityScan No disinfected C:\WINDOWS\TEMP\!update.exe

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe

Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe

Adware:Adware/Superbar No disinfected Windows Registry

Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll

Adware:Adware/Apropos No disinfected Windows Registry

Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.???

Adware:Adware/P2PNetworking No disinfected Windows Registry

Adware:Adware/PurityScan No disinfected C:\WINDOWS\TEMP\!update.exe

Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.dll

Spyware:Spyware/Bridge No disinfected C:\WINDOWS\Downloaded Program Files\jao.dll

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe

Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\SYSTEM\uawpxm.exe

Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\Shex.exe

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\SYSTEM\supdate.dll

Adware:Adware/Envolo No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\AutoUpdaterInstaller[1].exe

Adware:Adware/QoolAid No disinfected C:\WINDOWS\qnbxdoq.exe

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\vwugi.dll

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\yapgw.dat

Adware:Adware/BookedSpace No disinfected C:\WINDOWS\tbzxkovq.exe

Adware:Adware/BookedSpace No disinfected C:\WINDOWS\xkuzqtem.exe

Adware:Adware/Midaddle No disinfected C:\WINDOWS\ru.exe

Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe

Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\cprynuc.dll

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\ujrlhm.exe

Adware:Adware/AdBehavior No disinfected C:\unzipped\hijackthis\backups\backup-20050712-105652-142-cknu.exe

Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll

Adware:Adware/CWS.AAA No disinfected C:\cruysc.exe

 

Does it seem to be working? My PC is running much more smoothly - faster. I still get pop-ups and my Quicktime program seems to not be working properly. I don't know if it has anything to do with these infections though. I'll check in again soon to see the next steps. THANK YOU! :)


Hi AmoLaZucca

 

Please read through the instructions before you start (you may want to print this out).

 

Please set your system to show all files; please see here if you're unsure how to do this.

 

Use Windows Add/Remove Programs to uninstall the following:

C:\Program Files\uthm\area.exe

C:\Program Files\Aprps\ProxyStub.dll

 

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to the following items:

O4 - HKCU\..\Run: [uate] C:\Program Files\uthm\area.exe

Click on Fix Checked when finished and exit HijackThis.

 

Reboot into Safe Mode: please see here if you are not sure how to do this.

 

Using Windows Explorer, locate the following files/folders, and delete them:

C:\Program Files\uthm\area.exe

Exit Explorer. Reboot as normal.

 

If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

C:\WINDOWS\TEMP\!update.exe

C:\WINDOWS\Buddy.exe

C:\WINDOWS\unstall.exe

C:\WINDOWS\cfgmgr52.dll

C:\WINDOWS\Downloaded Program Files\YSBactivex.exe

C:\WINDOWS\TEMP\!update.exe

C:\WINDOWS\Downloaded Program Files\ysbactivex.dll

C:\WINDOWS\Downloaded Program Files\jao.dll

C:\WINDOWS\Buddy.exe

C:\WINDOWS\SYSTEM\uawpxm.exe

C:\WINDOWS\SYSTEM\Shex.exe

C:\WINDOWS\SYSTEM\supdate.dll

C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\AutoUpdaterInstaller[1].exe

C:\WINDOWS\qnbxdoq.exe

C:\WINDOWS\vwugi.dll

C:\WINDOWS\yapgw.dat

C:\WINDOWS\tbzxkovq.exe

C:\WINDOWS\xkuzqtem.exe

C:\WINDOWS\ru.exe

C:\WINDOWS\unstall.exe

C:\WINDOWS\cfgmgr52.dll

C:\WINDOWS\cprynuc.dll

C:\WINDOWS\ujrlhm.exe

C:\Program Files\Aprps\ProxyStub.dll

C:\cruysc.exe

Let the system reboot.

 

Please run the following free, online virus scans.

http://www.pandasoftware.com/activescan/co...n_principal.htm

Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

 

Kc

:)


Hi thatman,

 

:( Oh no. After completing the last set of instructions, I've been getting A LOT of pop-ups. Something called "Ad Destroyer" is now on my PC and something else called "Virtual Bouncer". Also, Ceres is back. Panda Scan was doing fine - everything seemed to be getting removed - but this time the scan found even more viruses - so many, in fact, that I cannot post both reports on this thread. :mrsgreen: I can't believe people put this horrible junk on other people's computers. :angry:

 

I'm sure I followed the directions as you requested - I don't know what happened. I'm sorry to be causing so much trouble, and I sincerely thank you for your help, thatman. Am I doing something wrong? Here is my new HJT log - the new Panda log follows in my next post:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 2:12:06 PM, on 7/12/2005

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\SYSTEM\AREA.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\HPSYSDRV.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\HPOOPM07.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\PROGRAM FILES\WINAMP\WINAMPA.EXE

C:\WINDOWS\RunDLL.exe

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPODEV07.EXE

C:\PROGRAM FILES\PALMONE\HOTSYNC.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOEVM07.EXE

C:\WINDOWS\SYSTEM\HPOIPM07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOSTS07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOFXM07.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! Dial

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

 

 

Please read my following post for my new Panda scan. Thank you.


PLEASE NOTICE: This log is in two parts as it was too large for one post. Here is HALF of my new Panda log:

 

Incident Status Location

 

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL

Adware:Adware/BookedSpace No disinfected C:\WINDOWS\CFGMGR52.DLL

Virus:Trj/Imiserv.D Disinfected Operating system

Adware:Adware/VirtualBouncer No disinfected C:\PROGRAM FILES\VBOUNCER\VIRTUALBOUNCER.EXE

Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\SYSTEM\UAWPXM.EXE

Virus:Trj/Downloader.AYV Disinfected Operating system

Adware:Adware/VirtualBouncer No disinfected C:\PROGRA~1\VBOUNCER\VIRTUA~1.EXE

Adware:Adware/Twain-Tech No disinfected c:\WINDOWS\SYSTEM\UAWPXM.EXE

Virus:Trj/Imiserv.D Disinfected Operating system

Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\Start Menu\Programs\StartUp\AdDestroyer.lnk

Adware:Adware/eZula No disinfected Windows Registry

Adware:Adware/PurityScan No disinfected C:\WINDOWS\TEMP\!update.exe

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL

Adware:Adware/PortalScan No disinfected C:\WINDOWS\SYSTEM\AUNPS2.dll

Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe

Adware:Adware/Superbar No disinfected Windows Registry

Adware:Adware/AdDestroyer No disinfected C:\Program Files\AdDestroyer

Adware:Adware/SideSearch No disinfected Windows Registry

Adware:Adware/IEPlugin No disinfected C:\WINDOWS\systb.dll

Adware:Adware/MyWebSearch No disinfected Windows Registry

Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\CFGMGR52.DLL

Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.???

Adware:Adware/Transponder No disinfected Windows Registry

Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\CERES.INF

Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\Start Menu\Programs\StartUp\AdDestroyer.lnk

Adware:Adware/PurityScan No disinfected C:\WINDOWS\TEMP\!update.exe

Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\TEMP\wrapperouter.exe

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab

Adware:Adware/Transponder No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab[ceres.inf]

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab[ceres.dll]

Adware:Adware/Transponder No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.inf

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.dll

Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\TEMP\wupdt.exe

Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.dll

Spyware:Spyware/Bridge No disinfected C:\WINDOWS\Downloaded Program Files\jao.dll

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe

Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\SYSTEM\uawpxm.exe

Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\Shex.exe

Virus:Trj/Clicker.DJ Disinfected C:\WINDOWS\SYSTEM\AUNPS2.dll

Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\SYSTEM\SWLAD2.dll

Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\SYSTEM\PopOops2.dll

Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\SYSTEM\PopOops.dll

To be continued in the following post.


Here is the remaining Panda scan log:

 

 

 

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\SYSTEM\supdate.dll

Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\SYSTEM\SWLAD1.dll

Adware:Adware/Midaddle No disinfected C:\WINDOWS\SYSTEM\area.exe

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\09EBGTUV\AppWrap[1].exe

Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\wupdt[1].exe

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\abiuninst[1].exe

Adware:Adware/Envolo No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\AutoUpdaterInstaller[1].exe

Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\polall5c[1].exe

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\ceres[1].cab

Adware:Adware/Transponder No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\ceres[1].cab[ceres.inf]

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\ceres[1].cab[ceres.dll]

Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\polall5c[1].exe

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\thnall5c[1].exe

Adware:Adware/PortalScan No disinfected C:\WINDOWS\Temporary Internet Files\InstallAPS.exe

Adware:Adware/QoolAid No disinfected C:\WINDOWS\qnbxdoq.exe

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\vwugi.dll

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\yapgw.dat

Adware:Adware/BookedSpace No disinfected C:\WINDOWS\tbzxkovq.exe

Adware:Adware/BookedSpace No disinfected C:\WINDOWS\xkuzqtem.exe

Adware:Adware/Midaddle No disinfected C:\WINDOWS\ru.exe

Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.dll

Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe

Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\cprynuc.dll

Adware:Adware/AdBehavior No disinfected C:\WINDOWS\ujrlhm.exe

Adware:Adware/AdBehavior No disinfected C:\unzipped\hijackthis\backups\backup-20050712-105652-142-cknu.exe

Adware:Adware/Apropos No disinfected C:\Recycled\Dc7\ProxyStub.dll

Adware:Adware/AdDestroyer No disinfected C:\Program Files\VBouncer\BundleOuter.EXE

Adware:Adware/VirtualBouncer No disinfected C:\Program Files\VBouncer\VBouncerInner.EXE

Adware:Adware/AdDestroyer No disinfected C:\Program Files\VBouncer\AdDestroyerInner.EXE

Adware:Adware/VirtualBouncer No disinfected C:\Program Files\VBouncer\VirtualBouncer.exe

Adware:Adware/AdDestroyer No disinfected C:\Program Files\AdDestroyer\AdDestroyer.exe

Adware:Adware/CWS.AAA No disinfected C:\cruysc.exe

 

Thank you SO MUCH for your time. I'm sorry to cause so much trouble. I'll check in again soon.

 

Thank you,

Amo


Hi AmoLaZucca

 

Please read through the instructions before you start (you may want to print this out).

 

Download Pocket Killbox and unzip it; save it to your Desktop.

 

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

C:\WINDOWS\CERES.DLL

C:\WINDOWS\CFGMGR52.DLL

C:\PROGRAM FILES\VBOUNCER\VIRTUALBOUNCER.EXE

C:\WINDOWS\SYSTEM\UAWPXM.EXE

C:\PROGRA~1\VBOUNCER\VIRTUA~1.EXE

c:\WINDOWS\SYSTEM\UAWPXM.EXE

C:\WINDOWS\Start Menu\Programs\StartUp\AdDestroyer.lnk

C:\WINDOWS\TEMP\!update.exe

C:\WINDOWS\CERES.DLL

C:\WINDOWS\SYSTEM\AUNPS2.dll

C:\WINDOWS\unstall.exe

C:\Program Files\AdDestroyer

C:\WINDOWS\systb.dll

C:\WINDOWS\CFGMGR52.DLL

C:\WINDOWS\Downloaded Program Files\YSBactivex.???

C:\WINDOWS\INF\CERES.INF

C:\WINDOWS\Start Menu\Programs\StartUp\AdDestroyer.lnk

C:\WINDOWS\TEMP\!update.exe

C:\WINDOWS\TEMP\wrapperouter.exe

C:\WINDOWS\TEMP\DrTemp\ceres.cab

C:\WINDOWS\TEMP\DrTemp\ceres.cab[ceres.inf]

C:\WINDOWS\TEMP\DrTemp\ceres.cab[ceres.dll]

C:\WINDOWS\TEMP\DrTemp\ceres.inf

C:\WINDOWS\TEMP\DrTemp\ceres.dll

C:\WINDOWS\TEMP\wupdt.exe

C:\WINDOWS\Downloaded Program Files\ysbactivex.dll

C:\WINDOWS\Downloaded Program Files\jao.dll

C:\WINDOWS\CERES.DLL

C:\WINDOWS\Buddy.exe

C:\WINDOWS\SYSTEM\uawpxm.exe

C:\WINDOWS\SYSTEM\Shex.exe

C:\WINDOWS\SYSTEM\SWLAD2.dll

C:\WINDOWS\SYSTEM\PopOops2.dll

C:\WINDOWS\SYSTEM\PopOops.dll

C:\WINDOWS\SYSTEM\supdate.dll

C:\WINDOWS\SYSTEM\SWLAD1.dll

C:\WINDOWS\SYSTEM\area.exe

C:\WINDOWS\Temporary Internet Files\Content.IE5\09EBGTUV\AppWrap[1].exe

C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\abiuninst[1].exe

C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\AutoUpdaterInstaller[1].exe

C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\polall5c[1].exe

C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\ceres[1].cab

C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\ceres[1].cab[ceres.inf]

C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\ceres[1].cab[ceres.dll]

C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\polall5c[1].exe

C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\thnall5c[1].exe

C:\WINDOWS\Temporary Internet Files\InstallAPS.exe

C:\WINDOWS\qnbxdoq.exe

C:\WINDOWS\vwugi.dll

C:\WINDOWS\yapgw.dat

C:\WINDOWS\tbzxkovq.exe

C:\WINDOWS\xkuzqtem.exe

C:\WINDOWS\ru.exe

C:\WINDOWS\unstall.exe

C:\WINDOWS\cfgmgr52.dll

C:\WINDOWS\cprynuc.dll

C:\WINDOWS\ujrlhm.exe

C:\unzipped\hijackthis\backups\backup-20050712-105652-142-cknu.exe

C:\Recycled\Dc7\ProxyStub.dll

C:\Program Files\VBouncer\BundleOuter.EXE

C:\Program Files\VBouncer\VBouncerInner.EXE

C:\Program Files\VBouncer\AdDestroyerInner.EXE

C:\Program Files\VBouncer\VirtualBouncer.exe

C:\Program Files\AdDestroyer\AdDestroyer.exe

C:\cruysc.exe

C:\WINDOWS\SYSTEM\AREA.EXE

Let the system reboot.

 

Please run the following free, online virus scans.

http://www.pandasoftware.com/activescan/co...n_principal.htm

http://housecall.trendmicro.com/housecall/start_corp.asp

Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

 

Kc

:)

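The Killbox list in the post above is the Panda report pasted through as-is, so it repeats the same file under several detection names and letter cases, carries archive-member entries such as `ceres.cab[ceres.inf]` that are not files of their own, and contains a wildcard (`YSBactivex.???`) that a file deleter cannot take literally. The following is an added example (not code from this thread, from Pocket Killbox or from Panda): a small Python parser that reads ActiveScan incident lines in the three-column `Incident Status Location` layout shown above and sorts them into a de-duplicated file list plus the entries that need separate handling. The embedded sample is a short excerpt of the scan posted in this thread.

```python
"""Turn a Panda ActiveScan incident list into a clean Killbox work list.

Each report line has the shape
    <Category>:<Name> <Status> <Location>
where Status is "Disinfected" or "No disinfected" and Location is either
"Windows Registry", "Operating system", a file path, or a file path with an
archive member appended in square brackets, e.g. "ceres.cab[ceres.inf]".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Status is a fixed vocabulary; anchoring on it is what lets the free-text
# location (which contains spaces) be split off the end of the line.
_LINE_RE = re.compile(
    r"^(?P<kind>[A-Za-z]+):(?P<name>\S+)\s+"
    r"(?P<status>Disinfected|No disinfected)\s+"
    r"(?P<location>.+?)\s*$"
)
_ARCHIVE_RE = re.compile(r"^(?P<archive>.+?\.(?:cab|zip))\[(?P<member>[^\]]+)\]$", re.IGNORECASE)
_NON_FILE_LOCATIONS = {"windows registry", "operating system"}


@dataclass(frozen=True)
class Incident:
    kind: str
    name: str
    status: str
    location: str


def parse_report(text: str) -> list[Incident]:
    """Parse every well-formed incident line; headers and blank lines are skipped."""
    return [Incident(**m.groupdict())
            for m in (_LINE_RE.match(line.strip()) for line in text.splitlines()) if m]


def triage(incidents: list[Incident]) -> dict[str, list]:
    """Sort incident locations into buckets for manual cleanup.

    files     - unique file paths (compared case-insensitively, first spelling kept)
    archives  - members such as cab[ceres.inf]; deleting the parent .cab, which is
                added to `files`, removes them, so they need no entry of their own
    wildcards - locations with '?' or '*', which must be resolved against a
                directory listing before they can be given to a file deleter
    registry  - detections with no file to delete at all
    """
    files: list[str] = []
    seen: set[str] = set()
    archives: list[Incident] = []
    wildcards: list[Incident] = []
    registry: list[Incident] = []
    for inc in incidents:
        loc = inc.location
        if loc.lower() in _NON_FILE_LOCATIONS:
            registry.append(inc)
            continue
        m = _ARCHIVE_RE.match(loc)
        if m:
            archives.append(inc)
            loc = m.group("archive")  # delete the container, not the member
        if any(c in loc for c in "?*"):
            wildcards.append(inc)
            continue
        if loc.lower() not in seen:
            seen.add(loc.lower())
            files.append(loc)
    return {"files": files, "archives": archives, "wildcards": wildcards, "registry": registry}


# Excerpt of the Panda report posted in this thread: the same file is listed
# under several detection names and with differing letter case.
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\CFGMGR52.DLL
Virus:Trj/Imiserv.D Disinfected Operating system
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\SYSTEM\UAWPXM.EXE
Adware:Adware/Twain-Tech No disinfected c:\WINDOWS\SYSTEM\UAWPXM.EXE
Adware:Adware/eZula No disinfected Windows Registry
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.???
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab
Adware:Adware/Transponder No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab[ceres.inf]
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab[ceres.dll]
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\CFGMGR52.DLL
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll
"""

if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print("Paste into Killbox, one per line:")
    for path in result["files"]:
        print("  " + path)
    print(f"{len(result['archives'])} archive members are covered by their parent file")
    for inc in result["wildcards"]:
        print("Resolve manually (wildcard): " + inc.location)
    print(f"{len(result['registry'])} registry/OS detections need no file deletion")
```

The twelve sample rows collapse to four distinct files. Directory entries such as `C:\Program Files\AdDestroyer` still come through as plain paths, since the report does not distinguish them from files; they are deleted as folders from Explorer rather than pasted into a file deleter.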

OK - I found out that one file called "uawpxm.exe" is causing a BUNCH of trouble for me. I cannot delete this file, because it says it's "Currently in use in Windows." However, when I tried to remove it from my running programs I saw it actually create a NEW exact match file before deleting the original! I tried to delete this file three times, only to watch it regenerate itself! :blink:

 

I am almost POSITIVE that this file is causing all of my grief - but it refuses to budge. I'm still infected with ceres - so I think the uawpxm.exe file is allowing this.

 

Housecall found six items on my PC. It allowed me to delete three items.

 

Housecall cannot delete the files below - and says they are “currently in use.”

 

 

TROJ DLOADER Non Cleanable C:\WINDOWS\SYSTEM\uawpxm.exe

 

TROJ CLICKER.AD Non Cleanable C:\_RESTORE\TEMP\AUNPS2.0

 

TROJ REVOP.F Non Cleanable C:\RESTORE\ARCHIVE\FS453.CAB*W0065530.CPY*

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 4:56:10 PM, on 7/13/2005

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\HPSYSDRV.EXE

C:\WINDOWS\SYSTEM\HPOOPM07.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\PROGRAM FILES\WINAMP\WINAMPA.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\RunDLL.exe

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPODEV07.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOEVM07.EXE

C:\WINDOWS\SYSTEM\HPOIPM07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOSTS07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOFXM07.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\WUAUCLT.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\SYSTEM\UAWPXM.EXE

C:\WINDOWS\SYSTEM\HIDSERV.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! Dial

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [uawpxm] c:\windows\system\uawpxm.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

O4 - HKLM\..\RunServices: [panda cleaner] %SystemRoot%\pavdr.exe

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

 

PANDA SCAN:

 

Incident Status Location

 

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL

Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\SYSTEM\UAWPXM.EXE

Adware:Adware/Twain-Tech No disinfected c:\WINDOWS\SYSTEM\UAWPXM.EXE

Adware:Adware/eZula No disinfected Windows Registry

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL

Adware:Adware/Superbar No disinfected Windows Registry

Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\All Users\Application Data\VBouncer

Adware:Adware/SideSearch No disinfected Windows Registry

Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.???

Adware:Adware/Transponder No disinfected Windows Registry

Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\TEMP\wrapperouter.exe

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL

Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.dll

Spyware:Spyware/Bridge No disinfected C:\WINDOWS\Downloaded Program Files\jao.dll

Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\SYSTEM\uawpxm.exe

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\A186JL8W\thnall5c[1].exe

Adware:Adware/PortalScan No disinfected C:\WINDOWS\Temporary Internet Files\InstallAPS.exe

Adware:Adware/AdBehavior No disinfected C:\unzipped\hijackthis\backups\backup-20050712-105652-142-cknu.exe

Spyware:Spyware/BetterInet No disinfected C:\unzipped\hijackthis\backups\backup-20050713-122525-493.dll

Adware:Adware/BookedSpace No disinfected C:\unzipped\hijackthis\backups\backup-20050713-122525-447.dll

Spyware:Spyware/BetterInet No disinfected C:\Recycled\Dc47.exe

Spyware:Spyware/BetterInet No disinfected C:\Recycled\Dc48.cab

Adware:Adware/Transponder No disinfected C:\Recycled\Dc48.cab[ceres.inf]

Spyware:Spyware/BetterInet No disinfected C:\Recycled\Dc48.cab[ceres.dll]

Adware:Adware/Transponder No disinfected C:\Recycled\Dc49.inf

Spyware:Spyware/BetterInet No disinfected C:\Recycled\Dc50.dll

Adware:Adware/Transponder No disinfected C:\Recycled\Dc51.INF

Adware:Adware/AdDestroyer No disinfected C:\Recycled\Dc53.dll

Adware:Adware/AdDestroyer No disinfected C:\Recycled\Dc54.dll

 

 

Thanks once again thatman, and I'll log in again soon to see the next steps. :)

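Comparing consecutive HijackThis logs is how reinfection shows up in this thread: between the 7/12 and 7/13 scans the `CeresObj Class` BHO and the `[uawpxm]` Run entry appear, and `UAWPXM.EXE` joins the running processes. As an added example, not code from this thread or from HijackThis, here is a Python script that parses two HJT logs and reports which findings and processes appeared or disappeared, listing new entries in the sections that re-launch code first. The two embedded logs are trimmed excerpts of the 7/12 and 7/13 logs posted above; the `Rn`/`On` prefix layout is the only thing it assumes about the format.

```python
r"""Diff two HijackThis logs to see what changed between scans.

HJT lists running processes as bare paths under a "Running processes:" header
and its findings as prefixed lines such as "O4 - HKLM\..\Run: [name] path".
Diffing the two sets shows exactly which autostarts, BHOs or processes came
back after a cleanup round.
"""
from __future__ import annotations

import re

# R0-R3, F0-F3, N1-N4 and O1-O24 are the HijackThis v1.99 section prefixes.
_ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2})\s+-\s+(?P<detail>.+)$")

# Sections where a fresh entry means something will load or run again:
# O2 = browser helper objects, O3 = toolbars, O4 = Run/RunServices/Startup,
# O16 = ActiveX downloads (DPF), O20/O21/O23 = Winlogon notify, ShellServiceObjects, services.
PERSISTENCE_SECTIONS = {"O2", "O3", "O4", "O16", "O20", "O21", "O23"}


def parse_hjt(text: str) -> dict[str, set[str]]:
    """Return the process paths (case-folded) and finding lines of one log."""
    processes: set[str] = set()
    entries: set[str] = set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if _ENTRY_RE.match(line):
            in_processes = False  # the first Rn/On line ends the process list
            entries.add(line)
        elif in_processes:
            processes.add(line.lower())
    return {"processes": processes, "entries": entries}


def diff_logs(old: str, new: str) -> dict[str, list[str]]:
    """Entries and processes that appeared in `new` or disappeared from `old`."""
    a, b = parse_hjt(old), parse_hjt(new)
    return {
        "new_entries": sorted(b["entries"] - a["entries"]),
        "removed_entries": sorted(a["entries"] - b["entries"]),
        "new_processes": sorted(b["processes"] - a["processes"]),
        "gone_processes": sorted(a["processes"] - b["processes"]),
    }


def persistence_changes(report: dict[str, list[str]]) -> list[str]:
    """New entries in the sections that re-launch code; review these first."""
    return [e for e in report["new_entries"]
            if _ENTRY_RE.match(e).group("section") in PERSISTENCE_SECTIONS]


# Trimmed excerpts of the 7/12 and 7/13 logs posted in this thread.
LOG_0712 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 2:12:06 PM, on 7/12/2005

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\AREA.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

LOG_0713 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 4:56:10 PM, on 7/13/2005

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\UAWPXM.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [uawpxm] c:\windows\system\uawpxm.exe
"""

if __name__ == "__main__":
    report = diff_logs(LOG_0712, LOG_0713)
    for key, lines in report.items():
        print(f"{key}:")
        for line in lines:
            print("  " + line)
    print("review first:")
    for line in persistence_changes(report):
        print("  " + line)
```

Entries are compared as whole lines, so a changed path or CLSID shows up as one removal plus one addition, which is the useful behaviour when a file is renamed between scans; process paths are case-folded because HJT prints them in whichever case the launcher used.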

Hi AmoLaZucca

 

If this file, C:\WINDOWS\SYSTEM\uawpxm.exe, comes back, we will need a bigger hammer.

 

Please read through the instructions before you start (you may want to print this out).

 

Please set your system to show all files; please see here if you're unsure how to do this.

 

Reboot into Safe Mode: please see here if you are not sure how to do this.

 

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to the following items:

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL

O4 - HKLM\..\Run: [uawpxm] c:\windows\system\uawpxm.exe

Click on Fix Checked when finished and exit HijackThis.

 

If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

C:\WINDOWS\SYSTEM\UAWPXM.EXE

C:\WINDOWS\All Users\Application Data\VBouncer

C:\WINDOWS\Downloaded Program Files\YSBactivex.inf

C:\WINDOWS\Downloaded Program Files\YSBactivex.dat

C:\WINDOWS\TEMP\wrapperouter.exe

C:\WINDOWS\CERES.DLL

C:\WINDOWS\Downloaded Program Files\ysbactivex.dll

C:\WINDOWS\Downloaded Program Files\jao.dll

C:\WINDOWS\SYSTEM\uawpxm.exe

C:\WINDOWS\Buddy.exe

C:\WINDOWS\Temporary Internet Files\Content.IE5\A186JL8W\thnall5c[1].exe

C:\WINDOWS\Temporary Internet Files\InstallAPS.exe

Let the system reboot.

 

Please run the following free, online virus scans.

http://www.pandasoftware.com/activescan/co...n_principal.htm

Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

 

Kc

:P


It seems that for everything we get rid of, 200 new bad files show up. :huh:

Totally unfair. I'm going to start looking for a good firewall - if I install one, will it affect what we're doing here? I'll check back with you before I install one. My new Panda scan was too large for one post (again) and follows this post. Here is my new HJT log:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 10:42:57 AM, on 7/14/2005

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\HPSYSDRV.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\SYSTEM\HPOOPM07.EXE

C:\WINDOWS\RunDLL.exe

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! Dial

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

O4 - HKLM\..\RunServices: [panda cleaner] %SystemRoot%\pavdr.exe

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

 

 

I can never say thank you enough. :)

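
A HijackThis log like the one above can be screened mechanically before anyone reads it entry by entry. The Python script below is an added example for this thread, not code from HijackThis or from anyone posting here. It parses the R0/R1, O2/O3, O4 and O18 entry formats that appear in the posted logs and flags the entries a helper normally looks at first: IE search settings pointing at a host other than the stock Microsoft ones, registered objects whose file is no longer on disk, autostart entries launched from a temp or browser-cache directory, a text/html MIME filter, and any entry that references a path a scanner has already named. The sample log lines are copied from the log above except the `[Example]` O4 entry, which is constructed; `EXPECTED_SEARCH_HOSTS` and `KNOWN_BAD` are assumptions for the example, not data from the page.

```python
"""Screen HijackThis v1.99 log entries for the items a helper looks at first.

Added example for this thread; not code from HijackThis or from any poster.
The entry formats handled are the ones that appear in the logs posted here.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: hosts a stock IE 6 install points its search settings at.
EXPECTED_SEARCH_HOSTS = {
    "search.msn.com", "ie.search.msn.com", "home.microsoft.com", "www.microsoft.com",
}
# Registry value names in R0/R1 entries that control where searches go.
SEARCH_VALUES = {"Search Bar", "Search Page", "SearchAssistant", "CustomizeSearch", "(Default)"}
# Directories that no legitimate autostart program should run from.
SUSPICIOUS_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\downloaded program files\\")

R_LINE = re.compile(r"^R[0-3] - (?P<key>.+?),(?P<name>[^=]+?) = (?P<value>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<label>.*?)\] (?P<command>.*)$")
O18_LINE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # known-bad | dangling | search-hijack | suspicious-location | mime-filter
    detail: str
    line: str


def host_of(url: str) -> str:
    """Host part of a URL, with or without a scheme (HJT prints both forms)."""
    m = re.match(r"^(?:[a-z]+://)?([^/\s]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def triage_line(line: str, known_bad: Iterable[str] = ()) -> Optional[Finding]:
    line = line.strip()
    if not line:
        return None
    low = line.lower()
    # 1. Anything that references a path a scanner has already named.
    for bad in known_bad:
        if bad.lower() in low:
            return Finding("known-bad", f"references {bad}", line)
    # 2. A registered BHO/toolbar/hook whose file is gone: a leftover
    #    registration that should be fixed along with the file.
    if low.endswith("(file missing)") or low.endswith("(no file)"):
        return Finding("dangling", "registered object with no file on disk", line)
    # 3. Search settings redirected away from the expected hosts.
    m = R_LINE.match(line)
    if m:
        name = m["name"].strip()
        host = host_of(m["value"])
        if name in SEARCH_VALUES and host and host not in EXPECTED_SEARCH_HOSTS:
            return Finding("search-hijack", f"{name} -> {host}", line)
        return None
    # 4. Autostart entries launched from a temp or browser-cache directory.
    m = O4_LINE.match(line)
    if m:
        if any(d in m["command"].lower() for d in SUSPICIOUS_DIRS):
            return Finding("suspicious-location", f"[{m['label']}] runs from a temp/cache path", line)
        return None
    # 5. A text/html MIME filter sits in the path of every page IE renders.
    m = O18_LINE.match(line)
    if m and m["mime"].lower() == "text/html":
        return Finding("mime-filter", f"text/html filter in {m['path']}", line)
    return None


def triage(log_text: str, known_bad: Iterable[str] = ()) -> List[Finding]:
    known_bad = tuple(known_bad)
    return [f for f in (triage_line(l, known_bad) for l in log_text.splitlines()) if f]


# Sample lines copied from the log posted above; the [Example] O4 entry is constructed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Example] C:\WINDOWS\TEMP\wrapperouter.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL
"""
# Assumption: a path a scanner report flagged on the same machine.
KNOWN_BAD = (r"C:\WINDOWS\systb.dll",)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, KNOWN_BAD):
        print(f"{f.kind:20} {f.detail}")
```

Entries that produce no finding are not declared clean; the script only orders the work. Pairing it with a scanner's list of paths (the `known_bad` argument) is what links a BHO registration like `SYSTB.DLL` to the file the scanner reported, which is the step the helper does by eye in this thread.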

Here's the first half: :rolleyes:

 

PANDA SCAN:

 

Incident Status Location

 

Adware:Adware/eZula No disinfected C:\WINDOWS\SYSTEM\MSCB.DLL

Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\NVMS.DLL

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\MSBE.DLL

Virus:Trj/Imiserv.D Disinfected Operating system

Adware:Adware/ExactSearch No disinfected C:\PROGRAM FILES\NAVISEARCH\BIN\NLS.EXE

Adware:Adware/eZula No disinfected Windows Registry

Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\BullsEye Network

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe

Adware:Adware/Superbar No disinfected Windows Registry

Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\All Users\Application Data\VBouncer

Adware:Adware/SideSearch No disinfected Windows Registry

Adware:Adware/IEPlugin No disinfected C:\WINDOWS\systb.dll

Adware:Adware/WUpd No disinfected Windows Registry

Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\nvms.dll

Adware:Adware/MyWebSearch No disinfected Windows Registry

Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\CERES.INF

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\upd208.exe

Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\TEMP\wrapperouter.exe

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab

Adware:Adware/Transponder No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab[ceres.inf]

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab[ceres.dll]

Adware:Adware/Transponder No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.inf

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.dll

Spyware:Spyware/Bridge No disinfected C:\WINDOWS\Downloaded Program Files\jao.dll

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\exdl.exe

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\mqexdlm.srg

Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\exul.exe

Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\javexulm.vxd

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\bbchk.exe

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\exclean.exe

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\msbe.dll

Adware:Adware/ExactSearch No disinfected

 

 

Continued in next reply...


And the second half:

 

 

C:\WINDOWS\SYSTEM\nvms.dll

Adware:Adware/eZula No disinfected C:\WINDOWS\SYSTEM\mscb.dll

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\exdl3.exe

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\exdl2.exe

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\exdl1.exe

Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\exul3.exe

Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\exul1.exe

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\09EBGTUV\webservice[3].htm

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\09EBGTUV\webservice[4].htm

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\ceres[1].cab

Adware:Adware/Transponder No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\ceres[1].cab[ceres.inf]

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\ceres[1].cab[ceres.dll]

Adware:Adware/Look2Me No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\upd208[1].exe

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\webservice[3].htm

Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\A186JL8W\thnall5c[1].exe

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\A186JL8W\webservice[4].htm

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\A186JL8W\webservice[5].htm

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\webservice[3].htm

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\webservice[4].htm

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\webservice[5].htm

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\installer_MARKETING58.exe

Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.dll

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\exdl.exe

Spyware:Spyware/BetterInet No disinfected C:\unzipped\hijackthis\backups\backup-20050714-103657-833.dll

Spyware:Spyware/BetterInet No disinfected C:\unzipped\hijackthis\backups\backup-20050713-122525-493.dll

Adware:Adware/BookedSpace No disinfected C:\unzipped\hijackthis\backups\backup-20050713-122525-447.dll

Adware:Adware/ExactSearch No disinfected C:\Program Files\NaviSearch\bin\nls.exe

Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\BullsEye Network\bin\adv.exe

Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\BullsEye Network\bin\adx.exe

Spyware:Spyware/BargainBuddy No disinfected C:\Temp\bb_click_wider.swf

Spyware:Spyware/BargainBuddy No disinfected C:\Temp\bb_auto_wider.swf

Spyware:Spyware/BargainBuddy No disinfected C:\Temp\bb_welcome.html

Spyware:Spyware/BargainBuddy No disinfected C:\Temp\bb_welcome1.swf

Spyware:Spyware/BargainBuddy No disinfected C:\Temp\icon.gif

Spyware:Spyware/BargainBuddy No disinfected C:\Temp\logo.gif

Adware:Adware/Twain-Tech No disinfected C:\! Submit\UAWPXM.EXE

 

THANKS AGAIN, thatman! I'll check back in again soon to see what's next. :)


Hi AmoLaZucca

 

Sorry for my delay in replying to you; my motherboard failed and I had to get a new computer.

 

Please read through the instructions before you start (you may want to print this out).

 

Please set your system to show all files; please see here if you're unsure how to do this.

 

Please download the following program: http://downloads.subratam.org/FINDnFIX.exe. Don't run it yet.

 

Please download Zone Alarm free firewall. Now run the program and install the firewall onto your system. It will ask you to reboot.

 

Reboot into Safe Mode: please see here if you are not sure how to do this.

 

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan, and when it finishes, put an X in the boxes only next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

Click on Fix Checked when finished and exit HijackThis.

 

Using Windows Explorer, locate the following files/folders, and delete them:

C:\PROGRAM FILES\NAVISEARCH <-- Delete the whole folder

C:\Program Files\BullsEye Network <-- Delete the whole folder

Exit Explorer. Reboot as normal.

 

If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run Killbox and click the radio button that says "Delete a file on reboot". For each of the files you could not delete, paste them one at a time into the "Full path of file to delete" box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.

C:\WINDOWS\SYSTEM\MSCB.DLL

C:\WINDOWS\SYSTEM\NVMS.DLL

C:\WINDOWS\SYSTEM\MSBE.DLL

C:\WINDOWS\Buddy.exe

C:\WINDOWS\All Users\Application Data\VBouncer

C:\WINDOWS\systb.dll

C:\WINDOWS\SYSTEM\nvms.dll

C:\WINDOWS\INF\CERES.INF

C:\WINDOWS\TEMP\upd208.exe

C:\WINDOWS\TEMP\wrapperouter.exe

C:\WINDOWS\TEMP\DrTemp\ceres.cab

C:\WINDOWS\TEMP\DrTemp\ceres.cab

C:\WINDOWS\TEMP\DrTemp\ceres.cab

C:\WINDOWS\TEMP\DrTemp\ceres.inf

C:\WINDOWS\TEMP\DrTemp\ceres.dll

C:\WINDOWS\Downloaded Program Files\jao.dll

C:\WINDOWS\SYSTEM\exdl.exe

C:\WINDOWS\SYSTEM\mqexdlm.srg

C:\WINDOWS\SYSTEM\exul.exe

C:\WINDOWS\SYSTEM\javexulm.vxd

C:\WINDOWS\SYSTEM\bbchk.exe

C:\WINDOWS\SYSTEM\exclean.exe

C:\WINDOWS\SYSTEM\msbe.dll

C:\WINDOWS\SYSTEM\nvms.dll

C:\WINDOWS\SYSTEM\mscb.dll

C:\WINDOWS\SYSTEM\exdl3.exe

C:\WINDOWS\SYSTEM\exdl2.exe

C:\WINDOWS\SYSTEM\exdl1.exe

C:\WINDOWS\SYSTEM\exul3.exe

C:\WINDOWS\SYSTEM\exul1.exe

C:\WINDOWS\Buddy.exe

C:\WINDOWS\Temporary Internet Files\Content.IE5\09EBGTUV\webservice[3].htm

C:\WINDOWS\Temporary Internet Files\Content.IE5\09EBGTUV\webservice[4].htm

C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\ceres[1].cab

C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\ceres[1].cab[ceres.inf]

C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\ceres[1].cab[ceres.dll]

C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\upd208[1].exe

C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\webservice[3].htm

C:\WINDOWS\Temporary Internet Files\Content.IE5\A186JL8W\thnall5c[1].exe

C:\WINDOWS\Temporary Internet Files\Content.IE5\A186JL8W\webservice[4].htm

C:\WINDOWS\Temporary Internet Files\Content.IE5\A186JL8W\webservice[5].htm

C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\webservice[3].htm

C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\webservice[4].htm

C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\webservice[5].htm

C:\WINDOWS\Temporary Internet Files\installer_MARKETING58.exe

C:\WINDOWS\exdl.exe

C:\Program Files\NaviSearch\bin\nls.exe

C:\Program Files\BullsEye Network\bin\adv.exe

C:\Program Files\BullsEye Network\bin\adx.exe

C:\Temp\bb_click_wider.swf

C:\Temp\bb_auto_wider.swf

C:\Temp\bb_welcome.html

C:\Temp\bb_welcome1.swf

C:\Temp\icon.gif

C:\Temp\logo.gif

Let the system reboot.

 

Please run FINDnFIX.exe and post the log.

 

Please post the logs from FINDnFIX.exe and HJT.log.

 

Kc

:tup:

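
Turning a Panda report into a Killbox list by hand, as in the post above, is where duplicates and archive-member pseudo-paths creep in: the same `ceres.cab` appears three times in the list above, and entries such as `ceres.cab[ceres.inf]` name a file inside a cabinet rather than a file on disk. The Python below is an added example, not the helper's method and not a specification of Panda's output format; it parses the "Incident Status Location" lines in the form they appear in the posted reports, separates registry keys and generic locations ("Windows Registry", "Operating system") from on-disk paths, collapses archive members onto their container, drops case-insensitive duplicates, and keeps items Panda already disinfected apart from those that still need deleting. The sample lines are copied from the reports in this thread.

```python
"""Summarise a Panda ActiveScan text report into a deletion worklist.

Added example for this thread; it is not Panda's or the helper's code.
The line format assumed is the one visible in the posted reports:
    <Kind>:<Name> <Status> <Location>
where Status is "No disinfected" or "Disinfected".
"""
import re
from dataclasses import dataclass, field
from typing import List

PANDA_LINE = re.compile(
    r"^(?P<kind>[A-Za-z]+):(?P<name>\S+)\s+"
    r"(?P<status>No disinfected|Disinfected)\s+"
    r"(?P<location>.+)$"
)
# A path of the form archive.cab[member] refers to a file inside the archive;
# a reboot-deletion tool works on the archive itself.
CAB_MEMBER = re.compile(r"^(?P<container>.+?\.cab)\[[^\]]+\]$", re.IGNORECASE)
# Locations Panda reports without a concrete file or key.
GENERIC_LOCATIONS = {"windows registry", "operating system"}


@dataclass
class ScanSummary:
    to_delete: List[str] = field(default_factory=list)        # files still present
    already_cleaned: List[str] = field(default_factory=list)  # Panda reported Disinfected
    registry: List[str] = field(default_factory=list)         # concrete registry keys
    generic: List[str] = field(default_factory=list)          # no locatable object


def summarize(report: str) -> ScanSummary:
    summary = ScanSummary()
    seen = set()
    for raw in report.splitlines():
        m = PANDA_LINE.match(raw.strip())
        if not m:
            continue  # header, blank line, or a fragment wrapped across posts
        name, status, loc = m["name"], m["status"], m["location"].strip()
        if loc.lower() in GENERIC_LOCATIONS:
            summary.generic.append(f"{name}: {loc}")
            continue
        if loc.upper().startswith("HKEY_"):
            if loc.lower() not in seen:
                seen.add(loc.lower())
                summary.registry.append(loc)
            continue
        cab = CAB_MEMBER.match(loc)
        if cab:
            loc = cab["container"]
        key = loc.lower()  # Windows paths are case-insensitive
        if key in seen:
            continue
        seen.add(key)
        if status == "Disinfected":
            summary.already_cleaned.append(loc)
        else:
            summary.to_delete.append(loc)
    return summary


def killbox_list(summary: ScanSummary) -> str:
    """One path per line, the form a reboot-deletion tool is fed."""
    return "\n".join(summary.to_delete)


# Sample lines copied from the Panda reports posted in this thread.
SAMPLE_REPORT = r"""
Incident Status Location

Adware:Adware/eZula No disinfected C:\WINDOWS\SYSTEM\MSCB.DLL
Virus:Trj/Imiserv.D Disinfected Operating system
Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab[ceres.inf]
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab[ceres.dll]
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab
Adware:Adware/eZula No disinfected C:\WINDOWS\SYSTEM\mscb.dll
Adware:adware/delfinmedia No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DISPLAYUTILITY
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.dll
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(killbox_list(s))
```

The registry and generic buckets are kept deliberately: a "Windows Registry" hit with no key cannot be handed to a file-deletion tool, and the matching HijackThis R0/R1/O4 entries are where that part of the cleanup actually happens.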

Hi, thatman!

 

I, too, apologize - I have not been online for a few days. Thanks so much for getting back to me - and I am sorry to hear you've had PC troubles. :(

 

I tried going to http://downloads.subratam.org/FINDnFIX.exe - but I only get a "Page not found" warning. I did download and install ZoneAlarm - thank you! :) I also removed all files that you asked me to. Here is my new HJT log:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 12:06:40 AM, on 7/21/2005

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\HPSYSDRV.EXE

C:\WINDOWS\SYSTEM\HPOOPM07.EXE

C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE

C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\WINDOWS\RunDLL.exe

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPODEV07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOEVM07.EXE

C:\WINDOWS\SYSTEM\HPOIPM07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOSTS07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOFXM07.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! Dial

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL (file missing)

O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [bullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe

O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe

O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe

O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

O4 - HKLM\..\RunServices: [panda cleaner] %SystemRoot%\pavdr.exe

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"

O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL

 

I'll check back ASAP to see what the next step is. THANK YOU! :)


Hi AmoLaZucca

 

Please read through the instructions before you start (you may want to print this out).

 

Please set your system to show all files; please see here if you're unsure how to do this.

 

Reboot into Safe Mode: please see here if you are not sure how to do this.

 

Use Windows Add/Remove Programs to uninstall the following programs:

C:\Program Files\BullsEye Network

C:\Program Files\NaviSearch

C:\Program Files\CashBack

C:\Program Files\Cas

 

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan, and when it finishes, put an X in the boxes only next to the following items:

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL (file missing)

O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL (file missing)

O4 - HKLM\..\Run: [bullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe

O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe

O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe

O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE

O4 - HKLM\..\RunServices: [panda cleaner] %SystemRoot%\pavdr.exe

O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL

Click on Fix Checked when finished and exit HijackThis.

 

 

Using Windows Explorer, locate the following files/folders, and delete them:

C:\Program Files\BullsEye Network <-- Delete the whole folder

C:\Program Files\NaviSearch <-- Delete the whole folder

C:\Program Files\CashBack <-- Delete the whole folder

C:\WINDOWS\SYSTEM\nsvsvc <-- Delete the whole folder

C:\WINDOWS\SYSTEM\VIDCTRL <-- Delete the whole folder

C:\Program Files\Cas <-- Delete the whole folder

Exit Explorer.

 

Reboot as normal.

 

Please run the following free, online virus scan:

http://www.pandasoftware.com/activescan/co...n_principal.htm

Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

 

Kc ;)


Hi, thatman!

 

OK - I ran the Panda Scan and manually removed as much as I possibly could. I also downloaded McAfee, let it scan and remove corrupt files, ran AdAware and Spybot S&D and let them remove corrupt files. These files, however, are corrupt and REFUSE to be removed:

 

C:\_RESTORE\TEMP\SYSTB.0

C:\_RESTORE\TEMP\SYSTB.1

C:\_RESTORE\TEMP\SYSTB.2

C:\_RESTORE\ARCHIVE\F5453.CAB

C:\_RESTORE\ARCHIVE\F5463.CAB

 

After all that, I did the Panda Scan again - and my new Panda scan log follows in the next posts. This is my new HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 5:07:35 PM, on 7/21/2005

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\HPSYSDRV.EXE

C:\WINDOWS\SYSTEM\HPOOPM07.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\WINDOWS\RunDLL.exe

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPODEV07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOEVM07.EXE

C:\WINDOWS\SYSTEM\HPOIPM07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOSTS07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOFXM07.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE ANTISPYWARE\MSSCLI.EXE

C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE

C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCDASH.EXE

C:\PROGRAM FILES\MCAFEE.COM\SHARED\MGHTML.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! Dial

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL (file missing)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe

O4 - HKLM\..\Run: [_AntiSpyware] C:\PROGRAM FILES\MCAFEE\MCAFEE ANTISPYWARE\MssCli.exe

O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\MCAFEE.COM\SHARED\MCAPPINS.EXE /v=3 /cleanup

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [surfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe

O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

 

PANDA SCAN FOLLOWS...


FIRST HALF OF PANDA SCAN:

 

Incident Status Location

 

Adware:adware/ncase No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\clientax.dll

Spyware:spyware/surfsidekick No disinfected C:\WINDOWS\TEMPORARY INTERNET FILES\Ssk.log

Adware:adware/delfinmedia No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DISPLAYUTILITY

Spyware:spyware/rxtoolbar No disinfected HKEY_CURRENT_USER\SOFTWARE\RX TOOLBAR

Adware:adware/consumeralertsystem No disinfected HKEY_CURRENT_USER\SOFTWARE\CAS

Adware:adware/savenow No disinfected HKEY_CURRENT_USER\SOFTWARE\MVU

Adware:adware/p2pnetworking No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\P2P NETWORKING

Adware:adware/apropos No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\APRPS

Spyware:spyware/bargainbuddy No disinfected HKEY_CLASSES_ROOT\Interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavB2B3.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavB2D0.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7054.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7155.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7164.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7264.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav72E3.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav7367.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8091.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav80E1.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8123.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8130.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8294.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav8394.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9105.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9111.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9116.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9122.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9125.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9131.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9132.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9264.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9265.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9270.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9271.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9272.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9273.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9274.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9275.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9280.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9282.TMP

 

SECOND HALF IN NEXT POST:


SECOND HALF OF PANDA SCAN:

 

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9283.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9284.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9286.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9290.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9292.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9294.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9296.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav92A1.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav92B0.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav92B4.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav92B2.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav92B5.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav92C1.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav92C3.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav92C5.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav92D1.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9319.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9320.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9322.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9323.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9325.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9331.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav9333.TMP

Adware:Adware/PurityScan No disinfected C:\WINDOWS\TEMP\pav3274.TMP

Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\upd209.exe

Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\TEMP\i4085.TMP

Adware:Adware/nCase No disinfected C:\WINDOWS\Downloaded Program Files\clientax.dll

Spyware:Spyware/Bridge No disinfected C:\WINDOWS\Downloaded Program Files\jao.dll

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MGVIDC32.DLL

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\09EBGTUV\webservice[3].htm

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\webservice[3].htm

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\A186JL8W\webservice[5].htm

Adware:Adware/ConsumerAlertSystem No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\A186JL8W\cassetup[1].exe

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\webservice[3].htm

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\webservice[5].htm

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\RMKJVPCT\webservice[1].htm

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\KX0ZGZSN\webservice[1].htm

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\installer_MARKETING58.exe

Spyware:Spyware/BetterInet No disinfected C:\unzipped\hijackthis\backups\backup-20050714-103657-833.dll

Spyware:Spyware/BetterInet No disinfected C:\unzipped\hijackthis\backups\backup-20050713-122525-493.dll

Adware:Adware/BookedSpace No disinfected C:\unzipped\hijackthis\backups\backup-20050713-122525-447.dll

Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe

Spyware:Spyware/SurfSideKick No disinfected C:\SSK39.exe

I know I deleted so much of that stuff manually. It seems that most things just keep coming back. The SurfSideKick, Look2Me and the Bargain Buddy files - I deleted them all! I don't understand. :mrsgreen:

 

Thank you for your help! :) I'll check in again soon...


When I click on this link (http://downloads.subratam.org/FINDnFIX.exe) or manually type it in my browser, I get a blank page that says "The page cannot be found... The page you are looking for might have been removed, had its name changed, or is temporarily unavailable."

 

When I try going to (downloads.subratam.org) I get a blank page that says "Forbidden. You don't have permission to access / on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. Apache/1.3.33 Server at downloads.subratam.org Port 80."

 

 

 

Is all hope gone?? :bawling:

 

If I could only get my hands on the people responsible for infecting my PC.....

:bang:

 

Thanks so much for your help, thatman! :) I don't want to trouble you anymore with this if you think there's no hope. You've devoted so much time to helping me - and I truly appreciate that! Just seems that I have some nasty infections on here that refuse to go away. :(


Hi AmoLaZucca

 

Hey don't give up on me now.

 

Files in System Restore we will sort out afterwards.

 

Run Killbox and click the radio button that says "Delete a file on reboot". For each of the files you could not delete, paste them one at a time into the "Full path of file to delete" box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.

C:\WINDOWS\Downloaded Program Files\clientax.dll

C:\WINDOWS\Downloaded Program Files\jao.dll

C:\WINDOWS\SYSTEM\MGVIDC32.DLL

C:\WINDOWS\Temporary Internet Files\Content.IE5\09EBGTUV\webservice[3].htm

C:\WINDOWS\Temporary Internet Files\Content.IE5\Z0YUUJFQ\webservice[3].htm

C:\WINDOWS\Temporary Internet Files\Content.IE5\A186JL8W\webservice[5].htm

C:\WINDOWS\Temporary Internet Files\Content.IE5\A186JL8W\cassetup[1].exe

C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\webservice[3].htm

C:\WINDOWS\Temporary Internet Files\Content.IE5\O78RATCV\webservice[5].htm

C:\WINDOWS\Temporary Internet Files\Content.IE5\RMKJVPCT\webservice[1].htm

C:\WINDOWS\Temporary Internet Files\Content.IE5\KX0ZGZSN\webservice[1].htm

C:\WINDOWS\Temporary Internet Files\installer_MARKETING58.exe

C:\unzipped\hijackthis\backups\backup-20050714-103657-833.dll

C:\unzipped\hijackthis\backups\backup-20050713-122525-493.dll

C:\unzipped\hijackthis\backups\backup-20050713-122525-447.dll

C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe

C:\SSK39.exe

C:\WINDOWS\DOWNLOADED PROGRAM FILES\clientax.dll

C:\WINDOWS\TEMPORARY INTERNET FILES\Ssk.log

 

Let the system reboot as normal.

 

Please download, install and run this disk cleanup utility, CleanUp! version 4.0: http://downloads.stevengould.org/cleanup/CleanUp40.exe

It will get rid of any malware which may be hiding in your temp folders (a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingcomputer.com/forums/tutorial93.html

Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also clean out the prefetch folder and the Recycle Bin (XP only). When the scan has finished, click the Close button.

When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

 

Please run the following free, online virus scans.

http://www.pandasoftware.com/activescan/co...n_principal.htm

Please post the logs from Panda, Ewido and HJT. We will need them to remove previous infections that have left files on your system.

 

Kc :tup:

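The Killbox list above was built by hand from the Panda report posted earlier, and two things in it are worth automating: the report mixes registry keys (which a file-deletion tool cannot touch) with file paths, and the same file can appear twice with different letter case (clientax.dll is listed under both C:\WINDOWS\DOWNLOADED PROGRAM FILES and C:\WINDOWS\Downloaded Program Files, and ends up twice in the Killbox list). The script below is an added example, not code from this thread or from Panda: it parses the report format seen in the posts above, separates registry entries from files, buckets each file by where it lives (live code in the system directory or the ActiveX cache versus browser-cache residue and HijackThis' own backups), and produces a deduplicated delete list. The status phrases it recognises and the location buckets are assumptions based on the report text on this page; the sample input is an excerpt of that report.

```python
"""Turn a Panda ActiveScan text report into an actionable cleanup list.

Added example for this thread, not code from the thread or from Panda. It
assumes the report layout seen in the posts above: one incident per line,
"<Kind>:<Family> <Status> <Location>", where Status is a phrase such as
"No disinfected" and Location is a file path or a registry key. Paths are
compared case-insensitively because Windows file systems are.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Status phrases Panda prints (assumption: these cover the reports on this page).
STATUS = r"No disinfected|Not disinfected|Disinfected|Deleted|Renamed"
# Family is matched lazily so a line with the space dropped before the status
# ("adware/consumeralertsystemNo disinfected") still parses.
LINE = re.compile(
    r"^(?P<kind>[A-Za-z]+):(?P<family>\S+?)\s*(?P<status>" + STATUS + r")\s+(?P<location>.+?)\s*$"
)


@dataclass(frozen=True)
class Detection:
    kind: str
    family: str
    status: str
    location: str
    area: str          # where the item lives; drives how it should be handled


def classify_location(location: str) -> str:
    """Bucket a location by what it means for cleanup (order matters)."""
    loc = location.lower()
    if loc.startswith("hkey_"):
        return "registry"                 # needs a registry edit, not a file delete
    if "\\hijackthis\\backups\\" in loc:
        return "hjt_backup"               # HijackThis' own copies of items already fixed
    if "\\temporary internet files\\" in loc:
        return "ie_cache"                 # browser cache: residue, not running code
    if "\\temp\\" in loc:
        return "temp"
    if "\\downloaded program files\\" in loc:
        return "dpf"                      # IE ActiveX install cache: loadable code
    if "\\windows\\system\\" in loc or "\\windows\\system32\\" in loc:
        return "system"                   # loadable code in the system directory
    return "other"


def parse_report(text: str) -> Tuple[List[Detection], List[str]]:
    """Return (detections, lines that did not match the incident format)."""
    found, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            unparsed.append(line)
            continue
        found.append(Detection(m["kind"], m["family"], m["status"], m["location"],
                               classify_location(m["location"])))
    return found, unparsed


def killbox_list(dets: List[Detection]) -> List[str]:
    """File paths to feed a delete-on-reboot tool: registry keys skipped,
    duplicates that differ only in letter case collapsed, original order kept."""
    seen, out = set(), []
    for d in dets:
        if d.area == "registry" or d.location.lower() in seen:
            continue
        seen.add(d.location.lower())
        out.append(d.location)
    return out


def family_counts(dets: List[Detection]) -> Dict[str, int]:
    """Detections per family, case-folded ('adware/ncase' == 'Adware/nCase')."""
    return dict(Counter(d.family.lower() for d in dets))


def area_counts(dets: List[Detection]) -> Dict[str, int]:
    return dict(Counter(d.area for d in dets))


# Excerpt of the report posted in this thread, used as sample input.
SAMPLE_REPORT = r"""
Incident Status Location
Adware:adware/ncase No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\clientax.dll
Spyware:spyware/surfsidekick No disinfected C:\WINDOWS\TEMPORARY INTERNET FILES\Ssk.log
Adware:adware/delfinmedia No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DISPLAYUTILITY
Adware:adware/consumeralertsystemNo disinfected HKEY_CURRENT_USER\SOFTWARE\CAS
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavB2B3.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\upd209.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\Downloaded Program Files\clientax.dll
Spyware:Spyware/Bridge No disinfected C:\WINDOWS\Downloaded Program Files\jao.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\MGVIDC32.DLL
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\09EBGTUV\webservice[3].htm
Spyware:Spyware/BetterInet No disinfected C:\unzipped\hijackthis\backups\backup-20050714-103657-833.dll
Spyware:Spyware/SurfSideKick No disinfected C:\SSK39.exe
"""

if __name__ == "__main__":
    dets, skipped = parse_report(SAMPLE_REPORT)
    print(f"{len(dets)} detections, {len(skipped)} non-incident lines")
    print("by area:", area_counts(dets))
    print("by family:", family_counts(dets))
    print("registry keys to handle separately:")
    for d in dets:
        if d.area == "registry":
            print("  ", d.location)
    print("files for Killbox (deduplicated):")
    for path in killbox_list(dets):
        print("  ", path)
```

Run it on the full report and the "system" and "dpf" buckets are the items to deal with first, since those are DLLs Internet Explorer or Windows will load again; the "ie_cache", "temp" and "hjt_backup" buckets are inert copies that a temp-folder cleanup removes anyway. The registry keys need a separate pass with a registry editor or the anti-spyware tool, which is why they are kept out of the file list.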

Not giving up on you, thatman! It was a phase - I'm better now! LOL :rolleyes:

 

Here are my new scans:

 

Logfile of HijackThis v1.99.1

Scan saved at 5:33:42 PM, on 7/24/2005

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\HPSYSDRV.EXE

C:\WINDOWS\SYSTEM\HPOOPM07.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE

C:\PROGRAM FILES\MCAFEE\MCAFEE ANTISPYWARE\MSSCLI.EXE

C:\WINDOWS\UJRLHM.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\RunDLL.exe

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPODEV07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOEVM07.EXE

C:\WINDOWS\SYSTEM\HPOIPM07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOSTS07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOFXM07.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! Dial

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL (file missing)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE

O4 - HKLM\..\Run: [_AntiSpyware] C:\PROGRAM FILES\MCAFEE\MCAFEE ANTISPYWARE\MssCli.exe

O4 - HKLM\..\Run: [exp] C:\WINDOWS\SYSTEM\exp

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\ujrlhm.exe reg_run

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [surfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe

O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe

O4 - Startup: cknu.exe

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

 

PANDA SCAN FOLLOWS:

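Comparing this log with the earlier one posted above is how a helper spots what changed between scans: the [exp], [KavSvc] and [QuickTime Task] Run entries, the cknu.exe Startup item and a URLSearchHook pointing at a SurfSideKick DLL marked "(file missing)" are present here and were not in the earlier log, while an entry such as [MCUpdateExe] differs only in the letter case of its path and is not a real change. The script below is an added example, not code from this thread or from HijackThis: it parses the HijackThis 1.99 item lines, reports entries that are new relative to a baseline log, and attaches a few heuristic reasons for looking at each one (no file extension, executable sitting directly in C:\WINDOWS, bare filename with no path, "(file missing)"). The heuristics are assumptions of mine and are hints, not verdicts; legitimate Windows ME components such as taskmon.exe also live in C:\WINDOWS, which is why the diff against a known earlier log carries more weight than any single rule. The sample logs are excerpts of the two logs posted in this thread.

```python
"""Diff two HijackThis logs and flag autostart entries that are new.

Added example for this thread, not code from the thread or from HijackThis.
It assumes the HijackThis 1.99 line format seen above ("O4 - HKLM\..\Run:
[name] command", "O4 - Startup: file", "R3 - URLSearchHook: ... (file
missing)"). The heuristics in why_suspicious() are hints to prioritise a
manual look, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+?)\s*$")
O4_RUN = re.compile(r"^(?P<location>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# First token that ends in an executable extension; copes with unquoted paths
# containing spaces, which a plain split on whitespace would truncate.
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|com|scr|pif|bat|vbs))(?:\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str   # "O4", "R3", ...
    body: str      # everything after "O4 - "

    def key(self):
        # Windows paths are case-insensitive: McUpdate.exe and MCUPDATE.EXE
        # in two logs describe the same entry, not a change.
        return (self.section, self.body.lower())

    def __str__(self):
        return f"{self.section} - {self.body}"


def parse_hjt(text: str) -> List[Entry]:
    """Keep only R*/O* item lines; headers and the process list are skipped."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append(Entry(m["section"], m["body"]))
    return out


def autostart_target(entry: Entry) -> str:
    """Program an O4 entry launches; '' for other sections."""
    if entry.section != "O4":
        return ""
    m = O4_RUN.match(entry.body)
    if m:
        command = m["command"]
    else:
        command = entry.body.split(": ", 1)[1]      # "Startup: file" forms
        if " = " in command:                        # "X.lnk = full path", no arguments
            return command.split(" = ", 1)[1]
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def why_suspicious(entry: Entry) -> List[str]:
    """Heuristic reasons (assumptions, not verdicts) to look at an entry."""
    reasons = []
    if "(file missing)" in entry.body.lower():
        reasons.append("refers to a file that no longer exists (leftover hook)")
    target = autostart_target(entry).lower()
    if not target:
        return reasons
    name = target.rsplit("\\", 1)[-1]
    if "." not in name:
        reasons.append("target has no file extension")
    if re.fullmatch(r"c:\\windows\\[^\\]+", target):
        reasons.append("executable sits directly in the Windows directory")
    if "\\" not in target:
        reasons.append("bare filename, resolved via PATH or the Startup folder")
    return reasons


def new_entries(baseline: List[Entry], later: List[Entry]) -> List[Entry]:
    known = {e.key() for e in baseline}
    return [e for e in later if e.key() not in known]


def report(baseline_text: str, later_text: str) -> Dict[str, List[str]]:
    """Map each entry new in the later log to the reasons it deserves a look."""
    fresh = new_entries(parse_hjt(baseline_text), parse_hjt(later_text))
    return {str(e): why_suspicious(e) for e in fresh}


# Excerpts of the earlier log and the 24 July log posted in this thread.
LOG_EARLIER = r"""
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [surfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
"""
LOG_24_JULY = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL (file missing)
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [exp] C:\WINDOWS\SYSTEM\exp
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\ujrlhm.exe reg_run
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [surfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
O4 - Startup: cknu.exe
"""

if __name__ == "__main__":
    for line, reasons in report(LOG_EARLIER, LOG_24_JULY).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

The diff keys on the whole item line, folded to lower case, so argument changes such as a new "reg_run" switch show up as new entries while pure case differences do not. Entries that are new but carry no heuristic reason (the QuickTime task here) still get listed, because "new since the last clean log" is itself the signal worth a look.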