# Solved: Help, cannot open folders, HJT included



## bgx9000 (Feb 28, 2005)

I cannot open any folder at all. I have a bunch of virus scanners and spyware sweepers, and most find nothing. Norton found a load of infected files but couldn't do anything about it. I'm pretty computer illiterate, so the easiest directions possible would be great. I have to access my documents to print a report too, which I can't, so I know beggars can't be choosers, but fast help would be great. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 7:36:57 PM, on 2/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.catlist.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cnmtl.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nsfgk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nsfgk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cnmtl.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nsfgk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cnmtl.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cnmtl.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - (no file)
O2 - BHO: msrev4l - {31773E49-B09D-A6CA-DC64-D8C1E1F0C61D} - C:\WINDOWS\system32\MSrev4L.dll
O2 - BHO: (no name) - {9CF24D6A-3A15-2290-089B-B2933BE07B82} - C:\WINDOWS\system32\appge32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [update.exe] C:\WINDOWS\System32\update.exe
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [update.exe] C:\WINDOWS\System32\update.exe
O4 - HKLM\..\RunServices: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [bin32hpu] C:\Program Files\ppstub\ppstub.exe -run
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKCU\..\RunServices: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKCU\..\RunServices: [update.exe] C:\WINDOWS\System32\update.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\repair\imgkb.exe ren my_time:1109550881
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://mx253.sb03.com/apps/softsearch/trafficvenue_bw_popax_2.cab
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501031120/BundleOuter2501031120.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102829289093
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp (file missing) (HKLM)
O20 - Winlogon Notify: cmdeula - C:\WINDOWS\msagent\chars\cmdeula.dll (file missing)
O20 - Winlogon Notify: doctcp - C:\WINDOWS\system32\config\doctcp.dll (file missing)
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mchard - C:\WINDOWS\system32\Com\mchard.dll (file missing)
O20 - Winlogon Notify: tcpras - C:\WINDOWS\inf\tcpras.dll (file missing)
O20 - Winlogon Notify: urlbas - C:\WINDOWS\system32\help\urlbas.dll (file missing)
O20 - Winlogon Notify: vbjava - C:\WINDOWS\REGIST~1\vbjava.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Network Security Service (%AFå¤¶À¨) - Unknown owner - C:\WINDOWS\winqw.exe" /s (file missing)
O23 - Service: Network Security Service (NSS) (½O.#õØÂ´â) - Unknown owner - C:\WINDOWS\system32\netnp32.exe (file missing)

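To show how the item lines in a HijackThis log like the one above can be triaged mechanically, here is an added example in Python; it is not code from this thread or from HijackThis itself. The rules it applies (flag R0/R1 search settings that point at a res:// page inside a DLL, win.ini and RunServices autostarts, any O10 Winsock LSP line, O16 downloads with no friendly name, and O20/O23 entries whose file is missing or whose owner is unknown) are my own triage heuristics, not HijackThis verdicts, and the sample log is constructed from entries copied out of the log above (with the non-printable bytes in the last service name left out).

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 log format. The item lines are copied from the
# log posted in this thread; the header and process lines are included to show that the
# parser skips them.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cnmtl.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
F1 - win.ini: run=fntldr.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKCU\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O20 - Winlogon Notify: tcpras - C:\WINDOWS\inf\tcpras.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\system32\netnp32.exe (file missing)
"""

# Every HJT item line starts with a section code (R1, O4, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# An O16 body that carries a registered friendly name looks like "DPF: {CLSID} (Name) - url".
O16_NAMED_RE = re.compile(r"^DPF: \{[^}]+\} \(")


@dataclass(frozen=True)
class Finding:
    section: str
    rule: str
    line: str


def parse_entries(log_text: str) -> list[tuple[str, str]]:
    """Return (section, body) for each item line; headers and process paths are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _rules_for(section: str, body: str) -> list[str]:
    """Assumed triage heuristics (not HijackThis verdicts); several may fire on one line."""
    hits = []
    # IE search settings redirected to an HTML resource embedded in a DLL under system32.
    if section in ("R0", "R1") and "res://" in body and "sp.html" in body:
        hits.append("ie-search-redirected-to-res-dll")
    # win.ini run= is a legacy autostart hook that current software almost never uses.
    if section == "F1" and "run=" in body:
        hits.append("win.ini-run-autostart")
    # RunServices keys are a Windows 9x mechanism; rarely populated by legitimate XP software.
    if section == "O4" and "RunServices" in body:
        hits.append("runservices-autostart")
    # Any O10 line means the Winsock LSP chain is damaged or names an unknown provider.
    if section == "O10":
        hits.append("winsock-lsp-issue")
    # ActiveX downloads without a registered friendly name deserve a look at their URL.
    if section == "O16" and not O16_NAMED_RE.match(body):
        hits.append("unnamed-activex-download")
    # Winlogon Notify packages and services whose binary is gone are leftovers worth removing.
    if section in ("O20", "O23") and "(file missing)" in body:
        hits.append("autostart-points-at-missing-file")
    if section == "O23" and "Unknown owner" in body:
        hits.append("service-with-unknown-owner")
    return hits


def triage(log_text: str) -> list[Finding]:
    """Run every rule over every item line and collect the hits."""
    return [
        Finding(section, rule, f"{section} - {body}")
        for section, body in parse_entries(log_text)
        for rule in _rules_for(section, body)
    ]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, so a long log can be read top-down by category."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.rule}] {f.line}")
    print(summarize(results))
```

Run against the sample, the O2 line for the Norton helper and the named PopCap download produce no findings, while the orphaned "Network Security Service" line is reported twice (missing file and unknown owner), which is the kind of entry a helper would fix with HJT before anything else.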

----------



## Elvandil (Aug 1, 2003)

What exactly happens when you try to open a folder?


----------



## bgx9000 (Feb 28, 2005)

It loads for a few seconds, which is a bit long, and then everything on the screen disappears besides my background, and then my icons and all that stuff come back after a second. The folder never comes up though, which it's obviously supposed to do. Sometimes I get a medium risk warning from Norton AntiVirus about random programs trying to connect on my DNS channel or something.


----------



## Elvandil (Aug 1, 2003)

Try running this to return the default folder file associations:

http://www.dougknox.com/xp/fileassoc/folder_reg.zip

And you need to get rid of the infected files that Norton found. Do you know what virus(es) you have?


----------



## bgx9000 (Feb 28, 2005)

I did what you said and I had the same problem. But the Norton thing that came up said that comad.exe tried to run through a DNS server. I'm going to scan with Norton right now to find the name for the viruses, but there were like 1010 infected files, so I'll just look for a common name.

It's scanning now, but if I remember from before, I think they were called backdoor trojan or something like that.

Still scanning, but all of the detected files are coming from Norton scanning C:/Documents and settings\owner\local settings\temp\(random letters and numbers).tmp


----------



## Elvandil (Aug 1, 2003)

If you don't get rid of the virus, it will continue to spread until you lose everything. It sounds like you have an aggressive one. What did Norton recommend?


----------



## bgx9000 (Feb 28, 2005)

It didn't recommend anything really. It couldn't heal, it couldn't quarantine, and then it couldn't delete. Yeah, like I said in the post I edited a second ago, it seems that all of the infected files are from that place, whatever I wrote 1 post back.


----------



## Elvandil (Aug 1, 2003)

That's Norton for you. Do you have 2 AV's running? That could cause problems if both try to access the same files and may even prevent you from being able to remove infected files.

You have a lot of malware. Have you run AdAware and Spybot with recent profiles? If not, do that.


----------



## bgx9000 (Feb 28, 2005)

I just got rid of AVG free edition today. I ran a fully updated AdAware and Spybot Search and Destroy today too, but nothing worked.


----------



## bgx9000 (Feb 28, 2005)

Ok, I did the scan, and what I got was a bunch of files named agadcup.exe, jawa32.exe, and threats named adware.marq(maybe that q is a g)oc, securityrisk.downldr, adware.ipinsight, adware.betterinternet, spyware.soulseek, and backdoor.trojan. Delete failed on most of them too.


----------



## Elvandil (Aug 1, 2003)

Try an online antivirus scan:

http://housecall.trendmicro.com/

Any luck finding the name of the virus?

If you have Norton AV on CD, your CD should be bootable. You can boot from the CD and do a virus scan. That will allow Norton to remove files that can't be cleaned while Windows is running.


----------



## bgx9000 (Feb 28, 2005)

The scanner you just linked said this..

| MALWARE NAME | RISK RATING | ADVISORY DATE | PATTERN FILE |
|---|---|---|---|
| WORM_MYTOB.A | Low | Feb 27, 2005 | 2.449.22 (CPR) |
| WORM_ELITPER.A | Low | Feb 26, 2005 | 2.449.07 (CPR) |
| WORM_MYFIP.A | Low | Feb 25, 2005 | 2.221.02 (CPR) |
| WORM_KIPIS.O | Low | Feb 24, 2005 | 2.442.00 |
| WORM_STANG.A | Low | Feb 23, 2005 | 2.439.03 (CPR) |
| WORM_AHKER.E | Low | Feb 22, 2005 | 2.438.00 |
| WORM_BOBAX.AA | Low | Feb 22, 2005 | 2.439.04 (CPR) |
| WORM_ASSIRAL.A | Low | Feb 22, 2005 | 2.427.01 (CPR) |
| WORM_MYDOOM.BE | Low | Feb 21, 2005 | 2.440.00 |
| WORM_BROPIA.S | Low | Feb 21, 2005 | 2.432.00 |


----------



## bgx9000 (Feb 28, 2005)

According to Norton there are still 35 infections remaining, and I guess the rest are nonviral threats. And the so gracious Norton warns me when I exit that I'm still infected with viruses.


----------



## Elvandil (Aug 1, 2003)

You may need to find and delete many of them manually. But before you do that, try booting in Safe Mode and run your spyware cleaners and antivirus, if you can. With much less running, the likelihood of the files being cleanable increases.

Check the Symantec web site, too. They have removal tools for many viruses and instructions for others.


----------



## bgx9000 (Feb 28, 2005)

I'm very computer illiterate, so if you can, tell me how to get into and out of safe mode. I'm guessing you have to do it sometime when booting up. Plus, I can't delete the stuff manually since I can't get into the folder; do you think running the stuff in safe mode will let me get into my folders?


----------



## Elvandil (Aug 1, 2003)

You may be able to open folders in Safe Mode.

Reboot. Just before Windows starts (and this may require some trial and error), start tapping F8. You should get a screen that has some boot options on it, one being Safe Mode. Few drivers and programs will start and you will get a simplified desktop. Try doing some cleaning in Safe Mode. Then, just reboot to go back to normal mode.


----------



## bgx9000 (Feb 28, 2005)

I went into safe mode and I was able to open folders. I did AdAware and found almost 100 things and got rid of them, and then when I restarted my comp, I got 2 beeps once it was fully loaded, weird beeps too, like grinding beeps. I didn't have time to run Norton since it'll take like 30 minutes and I gotta sleep soon. Should I go into safe mode and completely clean that temp folder, or could that have bad effects?
And in normal mode, I still can't open folders.


----------



## Elvandil (Aug 1, 2003)

You still need to run Norton. The antispyware won't rid you of those viruses.

After running Norton (in Safe Mode, if possible), boot back into normal mode, go to Start > Run, and type:

sfc /scannow <Enter>

to scan your system files and fix any that are damaged or replaced. Then reboot again.

If you still can't open folders, post a new HJT log and we'll also look at the registry.

Cleaning out temp and temp internet files is a good idea.

Good night.


----------



## bgx9000 (Feb 28, 2005)

Thanks a lot man, I really appreciate the help. I'll be back in say.....15 hoursish, aka 3 eastern, and I'll follow those instructions. Thanks a lot.


----------



## bgx9000 (Feb 28, 2005)

For some reason, Norton didn't work in safe mode. Well, I went into safe mode and got rid of almost everything in my temp folder, and got rid of everything in my temp internet folder. Here's my HJT.

Logfile of HijackThis v1.99.1
Scan saved at 3:25:49 PM, on 2/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.catlist.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cnmtl.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nsfgk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nsfgk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cnmtl.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nsfgk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cnmtl.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cnmtl.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: msrev4l - {31773E49-B09D-A6CA-DC64-D8C1E1F0C61D} - C:\WINDOWS\system32\MSrev4L.dll
O2 - BHO: (no name) - {9CF24D6A-3A15-2290-089B-B2933BE07B82} - C:\WINDOWS\system32\appge32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [update.exe] C:\WINDOWS\System32\update.exe
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [update.exe] C:\WINDOWS\System32\update.exe
O4 - HKLM\..\RunServices: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [bin32hpu] C:\Program Files\ppstub\ppstub.exe -run
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKCU\..\RunServices: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKCU\..\RunServices: [update.exe] C:\WINDOWS\System32\update.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://mx253.sb03.com/apps/softsearch/trafficvenue_bw_popax_2.cab
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501031120/BundleOuter2501031120.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102829289093
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt
O20 - Winlogon Notify: cmdeula - C:\WINDOWS\msagent\chars\cmdeula.dll (file missing)
O20 - Winlogon Notify: doctcp - C:\WINDOWS\system32\config\doctcp.dll (file missing)
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mchard - C:\WINDOWS\system32\Com\mchard.dll (file missing)
O20 - Winlogon Notify: tcpras - C:\WINDOWS\inf\tcpras.dll (file missing)
O20 - Winlogon Notify: urlbas - C:\WINDOWS\system32\help\urlbas.dll (file missing)
O20 - Winlogon Notify: vbjava - C:\WINDOWS\REGIST~1\vbjava.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Network Security Service (%AFå¤¶À¨) - Unknown owner - C:\WINDOWS\winqw.exe" /s (file missing)
O23 - Service: Network Security Service (NSS) (½O.#õØÂ´â) - Unknown owner - C:\WINDOWS\system32\netnp32.exe (file missing)


----------



## bgx9000 (Feb 28, 2005)

Update: I redownloaded AVG Free Edition and was able to use it and cleaned up most of my virus-infected files. What's left is a virus named Trojan horse PSW.Bispy.B.
How do I remove this virus?
Here's my updated HJT.

Oh, and good news: I can now get into my folders, but it seems the virus is still there and I'd like to get rid of it once and for all.

Logfile of HijackThis v1.99.1
Scan saved at 5:55:47 PM, on 2/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.catlist.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cnmtl.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nsfgk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nsfgk.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cnmtl.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nsfgk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cnmtl.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cnmtl.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: msrev4l - {31773E49-B09D-A6CA-DC64-D8C1E1F0C61D} - C:\WINDOWS\system32\MSrev4L.dll
O2 - BHO: (no name) - {9CF24D6A-3A15-2290-089B-B2933BE07B82} - C:\WINDOWS\system32\appge32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [update.exe] C:\WINDOWS\System32\update.exe
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [update.exe] C:\WINDOWS\System32\update.exe
O4 - HKLM\..\RunServices: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [bin32hpu] C:\Program Files\ppstub\ppstub.exe -run
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O4 - HKCU\..\RunServices: [winupdate.exe] C:\WINDOWS\System32\winupdate.exe
O4 - HKCU\..\RunServices: [update.exe] C:\WINDOWS\System32\update.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://mx253.sb03.com/apps/softsearch/trafficvenue_bw_popax_2.cab
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501031120/BundleOuter2501031120.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102829289093
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt
O20 - Winlogon Notify: cmdeula - C:\WINDOWS\msagent\chars\cmdeula.dll (file missing)
O20 - Winlogon Notify: doctcp - C:\WINDOWS\system32\config\doctcp.dll (file missing)
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mchard - C:\WINDOWS\system32\Com\mchard.dll (file missing)
O20 - Winlogon Notify: tcpras - C:\WINDOWS\inf\tcpras.dll (file missing)
O20 - Winlogon Notify: urlbas - C:\WINDOWS\system32\help\urlbas.dll (file missing)
O20 - Winlogon Notify: vbjava - C:\WINDOWS\REGIST~1\vbjava.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Network Security Service (%AFå¤¶À¨) - Unknown owner - C:\WINDOWS\winqw.exe" /s (file missing)
O23 - Service: Network Security Service (NSS) (½O.#õØÂ´â) - Unknown owner - C:\WINDOWS\system32\netnp32.exe (file missing)


----------



## Mosaic1 (Aug 17, 2001)

First, you are running two AVs. You cannot do that. It causes conflicts and poor performance. Only allow one AV program to run in the background.

You will be restarting into Safe mode later. 
Go here for directions if you need help:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
--------

Because XP will not always show you hidden files and folders by default, reset your search settings first.

Open Folder Options>view and check your settings: 
Select 
Show hidden files and folders 
Display the contents of system folders 
Uncheck: Hide protected operating system files 
Next go to Search and scroll down using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected: 
Search System folders 
Search Hidden Files and folders 
Search SubFolders 
--------

Download cwsserviceremove.zip

http://forums.techguy.org/attachment.php?attachmentid=44318

Extract the reg file it contains to your desktop. We'll use it later.
________________________________________________________________________

Download CWShredder from this link:
http://www.intermute.com/spysubtract/cwshredder_download.html

Extract and install it to the desktop. We'll use it later.
____________________________________________________________________

Click: http://www.downloads.subratam.org/AboutBuster.zip to download AboutBuster created by Rubber Ducky.

Unzip AboutBuster to the Desktop. Click the Update Button. Click "Check for Update", download the updates. Click "Exit" because I don't want you to run it yet. Get the updates so it is ready to run later in safe mode. 
_____________________________________________________________________

Sign off the Internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.
______________________________________________________________________

Click Start > Run > and type in:

*services.msc*

Click OK.

In the services window find and double click on *Workstation NetLogon Service* to bring up the properties window.

Click the "Stop" button to stop the service. 
Beside "Startup Type" in the dropdown menu select "Disabled".

Click Apply then OK.

Do the same for this service:
* Network Security Service (NSS)*

Exit the Services utility.

*Restart into Safe mode.*
_____________________________________________________________________
Double click on the cwsserviceremove.reg file you downloaded to the desktop earlier to enter it into the registry. Click Yes when the confirmation box appears.
____________________________________________________________________

Go to Start > Run and type Hijackthis. Press Enter to start HijackThis. *DO NOT OPEN ANYTHING ELSE!*

Put a check by these entries in Hijack This and click the "Fix Checked" button:

Find and delete these files: ( You may not find all of the files.)

C:\WINDOWS\system32\1042\*fontabr.dll*
C:\WINDOWS\*search.htm*
C:\WINDOWS\system32\*cnmtl.dll*
C:\WINDOWS\system32\*nsfgk.dll*
*fntldr.exe*
C:\WINDOWS\System32\*update.exe*
C:\WINDOWS\System32\*winupdate.exe*
C:\WINDOWS\System32\*logon.exe*

Delete this folder:

C:\Program Files\*ppstub*
-------

Go to Start >Run and type
%TEMP%

Press enter.

When the temp folder opens, select all and delete all. 
---------------------------------

Go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

________________________________________________________________________

Run AboutBuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
_______________________________________________________________________

Run CWShredder. Click the fix button to clean.
_______________________________________________________________________
Restart into regular Windows mode.

Go here to perform a free online virus scan.

http://housecall.trendmicro.com/

Put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

-----------

This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster 
http://members.aol.com/toadbee/hoster.zip

UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

--------------------------

If you have Spybot S&D installed you will also need to replace one file. Go to: http://www.spywareinfo.com/~merijn/winfiles.html and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

------------------

Check the C:\Windows\system32 folder and be sure you have this file:
* Shell.dll *

If not there then go to the C:\Windows\system32\dllcache folder.

Find shell.dll and right click on it. Choose Copy from the menu. 
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.

-------------------

control.exe may have been deleted.

Look for it in C:\windows\system32

If control.exe is not present, go to:

http://www.richardthelionhearted.com/~merijn/winfiles.html#control

Download control.exe per the instructions at the site.

------------

IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! Reset your ActiveX security settings like so: go to Internet Options > Security > Internet, press "Default Level", then OK.
Now press "Custom Level".
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".

Reboot and post another Hijack This log please.
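Added example, not from this thread and not HijackThis code: a small Python triage script that parses HJT 1.99 entry lines in the form posted above and flags the entry types the helper tells the user to fix (res:// search values, wildcard ProxyOverride, the win.ini run= loader, orphaned BHO and Winlogon Notify DLLs, RunServices loaders, the broken LSP, a bare .EXE Downloaded Program File, and service entries with missing binaries or garbled names). The sample lines are copied from the logs in this thread; the rules and reason strings are this example's own, not HJT's.

```python
"""Triage helper for HijackThis 1.99 log entries (added example, not HJT code).

Parses the "Rn/Fn/On - ..." lines of an HJT log and flags the entry types the
helpers in this thread asked the user to fix. Rules and reason text are this
example's own; the sample lines are copied from the logs posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of entries from the logs above, mixing clean
# entries (Norton BHO, NVIDIA service, igfxcui) with the hijacker's leftovers.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cnmtl.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
F1 - win.ini: run=fntldr.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {9CF24D6A-3A15-2290-089B-B2933BE07B82} - C:\WINDOWS\system32\appge32.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [update.exe] C:\WINDOWS\System32\update.exe
O4 - HKCU\..\RunServices: [logon.exe] C:\WINDOWS\System32\logon.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501031120/BundleOuter2501031120.EXE
O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tcpras - C:\WINDOWS\inf\tcpras.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Security Service (NSS) (½O.#õØÂ´â) - Unknown owner - C:\WINDOWS\system32\netnp32.exe (file missing)
O23 - Service: Network Security Service (%AFå¤¶À¨) - Unknown owner - C:\WINDOWS\winqw.exe" /s (file missing)
"""

# Every HJT entry line starts with a section code, a space-dash-space, then the body.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# CoolWebSearch "about:blank" variants point IE search values at a page stored
# as a resource inside a dropped DLL, exactly as in the R1 lines above.
CWS_RES_RE = re.compile(r"res://.*\.dll/sp\.html", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O20"
    reason: str    # why a cleaner would look at this entry
    line: str      # the original log line


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT entry, or None if it looks benign."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                      # header, process list or blank line
    sec, body = m.group("sec"), m.group("body")
    missing = body.endswith("(file missing)")
    reason = None
    if sec in ("R0", "R1") and CWS_RES_RE.search(body):
        reason = "IE search value is a res:// page inside a DLL (CWS about:blank hijack)"
    elif sec == "R1" and "ProxyOverride" in body and "*" in body:
        reason = "proxy bypass wildcards for domains the user never added"
    elif sec == "F1":
        reason = "win.ini run= is a legacy autostart; inspect the named file"
    elif sec == "O2" and missing:
        reason = "BHO registration whose DLL is gone; orphan of removed malware"
    elif sec == "O4" and "RunServices" in body:
        reason = "RunServices is a Win9x key XP does not process; red flag on XP"
    elif sec == "O10":
        reason = "Winsock LSP chain broken; repair after cleanup, do not just delete"
    elif sec == "O16" and re.search(r"\.exe$", body, re.IGNORECASE):
        reason = "Downloaded Program File is a bare .EXE rather than a .cab"
    elif sec == "O19":
        reason = "IE user stylesheet set; CWS variants use it to inject content"
    elif sec == "O20" and missing:
        reason = "Winlogon Notify DLL missing; winlogon still tries it every logon"
    elif sec == "O23" and (missing or not body.isascii() or body.count('"') % 2):
        reason = "service with missing binary, garbled name or unbalanced quotes"
    return Finding(sec, reason, line.strip()) if reason else None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole pasted log and keep only flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw)
        if f:
            findings.append(f)
    return findings


def count_entries(log_text: str) -> int:
    """Number of parsable HJT entries, for sanity checking a pasted log."""
    return sum(1 for l in log_text.splitlines() if ENTRY_RE.match(l.strip()))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Clean entries such as the Norton BHO and the NVIDIA service pass through unflagged, so the output is the short list a helper would actually ask the poster to fix.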


----------



## bgx9000 (Feb 28, 2005)

I'll try that tomorrow morning, thanks a lot.


----------



## Elvandil (Aug 1, 2003)

Do you have problems opening drives, too, or only folders?

If you still don't have access to your folders without that message popping up, go to Start > Run, and type:

regedit

Find:
HKEY_CLASSES_ROOT\Folder

Right-click on "Folder" and choose "Export". Name it whatever you want and send it to your desktop.

Right-click the .reg file on your desktop and choose "Edit". When the Notepad window opens, copy all the text and paste it here. Maybe we can see what is starting problems when you click a folder.


----------



## bgx9000 (Feb 28, 2005)

I can open it all now, but it seems there might be a little hitch. Maybe I'm just imagining things. Anyway, a while ago I got a thing from AVG to get rid of the Bispy virus and I think it worked. But I'm still going to do the directions listed before, if only to double-check and clean my computer.


----------



## Elvandil (Aug 1, 2003)

That's good news. Now just keep cleaning until all the scanners have nothing to report so nothing comes back later to bite you. Good luck.


----------



## bgx9000 (Feb 28, 2005)

Hmm, I did all the steps, but couldn't find that ppstub folder, if that matters. And now I'm doing the house fix site thing, the web site that scans my computer. It's been going for at least an hour now, taking a ridiculous amount of time, and it's scanned like 65000 files. It's found 2 things and is still going; I'll post an HJT log when it's done.


----------



## bgx9000 (Feb 28, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 6:01:08 PM, on 3/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: msrev4l - {31773E49-B09D-A6CA-DC64-D8C1E1F0C61D} - C:\WINDOWS\system32\MSrev4L.dll
O2 - BHO: (no name) - {9CF24D6A-3A15-2290-089B-B2933BE07B82} - C:\WINDOWS\system32\appge32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [bin32hpu] C:\Program Files\ppstub\ppstub.exe -run
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://mx253.sb03.com/apps/softsearch/trafficvenue_bw_popax_2.cab
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501031120/BundleOuter2501031120.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102829289093
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O20 - Winlogon Notify: cmdeula - C:\WINDOWS\msagent\chars\cmdeula.dll (file missing)
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tcpras - C:\WINDOWS\inf\tcpras.dll (file missing)
O20 - Winlogon Notify: vbjava - C:\WINDOWS\REGIST~1\vbjava.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Owner\Desktop\cwshredder.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## Mosaic1 (Aug 17, 2001)

Download the Killbox here:

http://www.downloads.subratam.org/KillBox.exe

Put killbox.exe on the desktop.

Disconnect from the internet.

Run hijackthis and wait.

Run Killbox.exe by double clicking on it.

Select Delete on Reboot.
Select End Explorer Shell while deleting file.

Paste this path into
*Full Path of File to Delete* 
C:\WINDOWS\system32\1042\fontabr.dll
C:\WINDOWS\system32\MSrev4L.dll
C:\Program Files\ppstub\ppstub.exe
C:\Program Files\ppstub

Click the red icon with the white X at the upper right.

You will be prompted to restart. Say no. Do not reboot until you have pasted in all of the following entries one at a time and repeated pressing the button.

Fix these entries using hijackthis and then restart the computer:*
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O2 - BHO: msrev4l - {31773E49-B09D-A6CA-DC64-D8C1E1F0C61D} - C:\WINDOWS\system32\MSrev4L.dll
O2 - BHO: (no name) - {9CF24D6A-3A15-2290-089B-B2933BE07B82} - C:\WINDOWS\system32\appge32.dll (file missing)
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O4 - HKCU\..\Run: [bin32hpu] C:\Program Files\ppstub\ppstub.exe -run
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://mx253.sb03.com/apps/softsear..._bw_popax_2.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/Dist...r2501031120.EXE
O20 - Winlogon Notify: cmdeula - C:\WINDOWS\msagent\chars\cmdeula.dll (file missing)
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
O20 - Winlogon Notify: tcpras - C:\WINDOWS\inf\tcpras.dll (file missing)
O20 - Winlogon Notify: vbjava - C:\WINDOWS\REGIST~1\vbjava.dll (file missing)
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Owner\Desktop\cwshredder.exe (file missing)*

Restart and run Hijackthis again.

Post the results. If this doesn't work, we'll have to dig deeper.


----------



## bgx9000 (Feb 28, 2005)

What exactly is still in my computer? Is it just one virus?


----------



## Mosaic1 (Aug 17, 2001)

Could you please follow my last set of instructions? I won't know until I see if this works. Otherwise we'll have to do more digging.


----------



## bgx9000 (Feb 28, 2005)

Done and done.

Logfile of HijackThis v1.99.1
Scan saved at 8:54:52 PM, on 3/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102829289093
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## Mosaic1 (Aug 17, 2001)

Run the killbox. Close up all other windows. Run absolutely no Internet programs or Internet Explorer windows of any kind.

In the killbox set it up to delete on Reboot and to kill explorer while deleting file.

Then paste in this path:
C:\WINDOWS\system32\1042\fontabr.dll

But do not press the delete button yet. FIRST look near the bottom right for the dropdown named System Process.

Find rundll32.exe on that list (select it) and press the kill button. That's the yellow button.

Then hurry and press the Delete for the file you had set up there.

Restart immediately.

When you get back, go to start >Run and type
hijackthis

Press enter. Do not open anything else.

Fix these entries:
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll

O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll

O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab

Restart the computer.

Run hijackthis again and post the new log.

EDIT: If you still have this entry and file after all that:

O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll

Then I will request you send me a copy of fontabr.dll


----------



## bgx9000 (Feb 28, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 10:53:56 PM, on 3/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqDIREC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102829289093
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

That damn persistent thing won't leave, I guess. I'll send it to you if you just tell me how; I can send it through AIM pretty easily, I assume, if you use AIM. My AIM account is pinatasonparade, or if there are other ways to send it just tell me. I have a Yahoo account, and well, that's it. Also, I might be completely off since I don't know enough about this stuff, but would it be good for me to find the file itself and delete it? Or would it just come back again?


----------
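An added example, written for this edit and not code from either poster or from HijackThis, KillBox or APM: a small Python helper that triages HijackThis logs like the ones above. It parses the `O2`/`O16`/`O20` line format, diffs a scan taken before a fix against one taken after, reports which "fix these" entries are still present, and flags Winlogon Notify (O20) entries that are missing on disk or load from somewhere other than `system32` itself. The sample lines are a constructed subset of the three logs posted in this thread; the function names and the "outside system32" heuristic are my own assumptions, not anything HijackThis does.

```python
"""Added example, not from the thread: a small HijackThis-log triage helper.

It parses the line format HijackThis uses (O2, O4, O16, O20, O23 ...),
diffs a scan taken before a fix against one taken after, reports which
'fix these' entries are still present, and flags Winlogon Notify (O20)
entries that are missing on disk or load from an unusual location.
The sample lines are a constructed subset of the logs posted in the thread.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section raw path missing")

# "O20 - ..." / "R1 - ..." prefix that every HijackThis finding line carries.
_SECTION_RE = re.compile(r"^([RFO]\d+)\s+-\s+")
# First Windows path ending in .dll/.exe on the line (non-greedy so it stops
# at the first extension, before any "(file missing)" or argument text).
_PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe))", re.IGNORECASE)
# Heuristic (my assumption): a legitimate notify package sits directly in
# system32; a DLL in a subfolder such as system32\1042 is worth a look.
_NOTIFY_OK_RE = re.compile(r"c:\\windows\\system32\\[^\\]+\.dll")

# Subset of the first log in the thread, before any fix was applied.
BEFORE = r"""
O2 - BHO: msrev4l - {31773E49-B09D-A6CA-DC64-D8C1E1F0C61D} - C:\WINDOWS\system32\MSrev4L.dll
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
O20 - Winlogon Notify: cmdeula - C:\WINDOWS\msagent\chars\cmdeula.dll (file missing)
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tcpras - C:\WINDOWS\inf\tcpras.dll (file missing)
O20 - Winlogon Notify: vbjava - C:\WINDOWS\REGIST~1\vbjava.dll (file missing)
"""

# The three entries Mosaic1 asked to have fixed in the second round.
FIX_LIST = r"""
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
"""

# Subset of the third log, taken after that fix and a reboot.
AFTER = r"""
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""


def parse_hjt(text):
    """Turn HijackThis finding lines into Entry tuples; skip headers and process lists."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION_RE.match(line)
        if not m:
            continue
        pm = _PATH_RE.search(line)
        path = pm.group(1).lower() if pm else None
        entries.append(Entry(m.group(1), line, path, "(file missing)" in line))
    return entries


def diff_logs(before_text, after_text):
    """Compare two scans by exact finding line: what went away, what stayed, what is new."""
    before = {e.raw for e in parse_hjt(before_text)}
    after = {e.raw for e in parse_hjt(after_text)}
    return {
        "removed": sorted(before - after),
        "persisted": sorted(before & after),
        "new": sorted(after - before),
    }


def unfixed(fix_list_text, after_text):
    """Entries from a 'fix these' list that are still present in the later scan."""
    wanted = {e.raw for e in parse_hjt(fix_list_text)}
    return [e.raw for e in parse_hjt(after_text) if e.raw in wanted]


def suspicious_winlogon_notify(text):
    """Flag O20 entries that are missing on disk or load from outside system32 proper."""
    flagged = []
    for e in parse_hjt(text):
        if e.section != "O20":
            continue
        if e.missing:
            flagged.append((e.raw, "file missing"))
        elif e.path and not _NOTIFY_OK_RE.fullmatch(e.path):
            flagged.append((e.raw, "outside system32"))
    return flagged


if __name__ == "__main__":
    for key, lines in diff_logs(BEFORE, AFTER).items():
        print(key, len(lines))
    for line in unfixed(FIX_LIST, AFTER):
        print("still present:", line)
    for line, why in suspicious_winlogon_notify(AFTER):
        print("suspect O20:", why, "->", line)
```

Run against the thread's own logs the diff shows the dead `(file missing)` notify entries and the buddylinks O16 gone after the first two rounds, while both `fontabr.dll` entries survive. HijackThis only lists registration points; it cannot tell you which process currently holds the DLL, which is why the thread has the user kill `rundll32.exe` before deleting and then moves on to a per-process module listing.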



## Mosaic1 (Aug 17, 2001)

Thanks. 
If you would right click on the file and choose Send To > Compressed,

then send it to my email as an attachment.

Katie_3232 @hotmail.com

I added a space to the email address. 

EDIT: Removed download. I'll post back in a while. I have to find the correct tool to remove this from memory.


----------



## Mosaic1 (Aug 17, 2001)

Here's the one I wanted.

Download APM from this page and install it.
http://www.diamondcs.com.au/index.php?page=apm

Let me know when you have it.


----------



## bgx9000 (Feb 28, 2005)

Alright, I downloaded it and sent the email.


----------



## bgx9000 (Feb 28, 2005)

I googled it and just so happened to luckily get the one you picked out.


----------



## Mosaic1 (Aug 17, 2001)

Great. Thanks.

Next step. I am uploading a zip file.

Extract the folder it contains and then open it.

Double click on *Get multi.bat*

When finished it will open a text file named log.txt

Copy and paste the contents of log.txt into your next reply.

If it is too large for the reply, attach it instead.


----------



## bgx9000 (Feb 28, 2005)

Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1044480 C:\WINDOWS\Explorer.EXE 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Explorer
ntdll.dll 7c900000 720896 C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 999424 C:\WINDOWS\system32\kernel32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 593920 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
GDI32.dll 77f10000 286720 C:\WINDOWS\system32\GDI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDI Client DLL
USER32.dll 77d40000 589824 C:\WINDOWS\system32\USER32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP USER API Client DLL
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.2573 (xpsp_sp2_gdr.041130-1729) Shell Light-weight Utility Library
SHELL32.dll 7c9c0000 8470528 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.2578 (xpsp_sp2_gdr.041130-1729) Windows Shell Common Dll
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.2595 (xpsp_sp2_gdr.041130-1729) Microsoft OLE for Windows
OLEAUT32.dll 77120000 573440 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180 
BROWSEUI.dll 75f80000 1032192 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.2578 (xpsp_sp2_gdr.041130-1729) Shell Browser UI Library
SHDOCVW.dll 77760000 1490944 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.2573 (xpsp_sp2_gdr.041130-1729) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 606208 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust UI Provider
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
NETAPI32.dll 5b860000 344064 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Win32 API DLL
WININET.dll 771b0000 679936 C:\WINDOWS\system32\WININET.dll 6.00.2900.2577 (xpsp_sp2_gdr.041130-1729) Internet Extensions for Win32
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Audio Filter
USERENV.dll 769c0000 733184 C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
comctl32.dll 773d0000 1056768 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0 (xpsp_sp2_rtm.040803-2158) User Experience Controls Library
comctl32.dll 5d090000 618496 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp_sp2_rtm.040803-2158) Common Controls Library
appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.258 
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 
themeui.dll 5ba60000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Theme API
Secur32.dll 77fe0000 69632 C:\WINDOWS\System32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDIEXT Client DLL
xpsp2res.dll 20000000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Volume Tracking
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
urlmon.dll 77260000 647168 C:\WINDOWS\system32\urlmon.dll 6.00.2900.2574 (xpsp_sp2_gdr.041130-1729) OLE32 Extensions for Win32
NETSHELL.dll 76400000 1728512 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Network Connections Shell
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Credential Manager User Interface
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) IP Helper API
msi.dll 7d1e0000 2826240 C:\WINDOWS\system32\msi.dll 3.0.3790.2180 Windows Installer
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Winstation Library
webcheck.dll 74b30000 286720 C:\WINDOWS\System32\webcheck.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Web Site Monitor
WSOCK32.dll 71ad0000 36864 C:\WINDOWS\System32\WSOCK32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 32-Bit DLL
stobject.dll 76280000 135168 C:\WINDOWS\System32\stobject.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Systray shell service object
BatMeter.dll 74af0000 40960 C:\WINDOWS\System32\BatMeter.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 32768 C:\WINDOWS\System32\POWRPROF.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Power Profile Helper DLL
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Terminal Server SDK APIs
cscui.dll 77a20000 344064 C:\WINDOWS\system32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\system32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) WDM Audio driver mapper
rsaenh.dll ffd0000 163840 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 (xpsp.040706-1629) Microsoft Enhanced Cryptographic Provider
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
fontabr.dll 10000000 765952 C:\WINDOWS\system32\1042\fontabr.dll 
shfolder.dll 76780000 36864 C:\WINDOWS\system32\shfolder.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Folder Service
SXS.DLL 75e90000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Fusion 2.5
nview.dll 6c20000 1392640 C:\WINDOWS\system32\nview.dll 6.14.10.6177 NVIDIA nView Desktop and Window Manager 61.77 
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Process Status Helper
NTMARTA.DLL 77690000 135168 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT MARTA provider
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAM Library DLL
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft MIDI Mapper
fxsst.dll 68df0000 577536 C:\WINDOWS\system32\fxsst.dll 5.2.2600.2180 (xpsp_sp2_rtm.040803-2158) Fax Service
WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Spooler Driver
FXSAPI.dll 5a980000 466944 C:\WINDOWS\system32\FXSAPI.dll 5.2.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Fax API Support DLL
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Web DAV Client DLL
asOEHook.dll 67330000 192512 C:\PROGRA~1\COMMON~1\SYMANT~1\ANTISPAM\asOEHook.dll 2005.1.02.6 AntiSpam OE Hook
MSVCR71.dll 7c340000 352256 C:\WINDOWS\system32\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library
WZCSAPI.DLL 73030000 65536 C:\WINDOWS\system32\WZCSAPI.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Wireless Zero Configuration service API
wzcdlg.dll 5df10000 385024 C:\WINDOWS\system32\wzcdlg.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Wireless Zero Configuration Service UI
WINHTTP.dll 4d4f0000 360448 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows HTTP Services
DHCPCSVC.DLL 76d80000 122880 C:\WINDOWS\system32\DHCPCSVC.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) DHCP Client Service
DNSAPI.dll 76f20000 159744 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) DNS Client API DLL
MPRAPI.dll 76d40000 98304 C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT MP Router Administration DLL
ACTIVEDS.dll 77cc0000 204800 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ADs Router Layer DLL
adsldpc.dll 76e10000 151552 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ADs LDAP Provider C DLL
rarext.dll f90000 167936 C:\Program Files\WinRAR\rarext.dll 
NavShExt.dll 6fa0000 217088 C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll 11.0.9.16 Norton AntiVirusNAVShellExt Module
ATL71.DLL 7c120000 102400 C:\WINDOWS\system32\ATL71.DLL 7.10.3077.0 ATL Module for Windows (Unicode)
MSVCP71.dll 7c3a0000 503808 C:\WINDOWS\system32\MSVCP71.dll 7.10.3077.0 Microsoft® C++ Runtime Library
ccL30.dll 6af30000 249856 C:\Program Files\Common Files\Symantec Shared\ccL30.dll 103.0.3.8 Symantec Library
browselc.dll 6b80000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Browser UI Library
AcroIEHelper.dll fc0000 49152 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.1.2003110300 Adobe Acrobat IE Helper Version 6.0 for ActivieX
DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows DirectUser Engine
MSGINA.dll 75970000 1011712 C:\WINDOWS\system32\MSGINA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Logon GINA DLL
ODBC32.dll 74320000 249856 C:\WINDOWS\system32\ODBC32.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 763b0000 299008 C:\WINDOWS\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Common Dialogs DLL
odbcint.dll 71d0000 94208 C:\WINDOWS\system32\odbcint.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Resources
MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Multi Language Support DLL
shdoclc.dll 7d30000 557056 C:\WINDOWS\system32\shdoclc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Doc Object and Control Library
nvwddi.dll 7b20000 86016 C:\WINDOWS\system32\nvwddi.dll 6.14.10.6177 NVIDIA nView Display Driver Interface Lib, Version 61.77
dBShell.dll 7320000 114688 C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll 6, 0, 0, 1 dBShell Module
MSISIP.DLL 605f0000 57344 C:\WINDOWS\system32\MSISIP.DLL 3.0.3790.2180 MSI Signature SIP Provider
wshext.dll 74ea0000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.8820 Microsoft (r) Shell Extension for Windows Script Host
MFC42.DLL 73dd0000 1040384 C:\WINDOWS\system32\MFC42.DLL 6.02.4131.0 MFCDLL Shared Library - Retail Version
ScrTrust.dll 7450000 40960 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrTrust.dll 11.0.9.16 Norton AntiVirus ScripBlocking Trust DLL


pv: No matching processes found

"IEXPLORE.EXE" 

Module information for 'rundll32.exe'
MODULE BASE SIZE PATH
rundll32.exe 1000000 45056 C:\WINDOWS\system32\rundll32.exe 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Run a DLL as an App
ntdll.dll 7c900000 720896 C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 999424 C:\WINDOWS\system32\kernel32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
GDI32.dll 77f10000 286720 C:\WINDOWS\system32\GDI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDI Client DLL
USER32.dll 77d40000 589824 C:\WINDOWS\system32\USER32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP USER API Client DLL
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Compatibility DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 593920 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.2595 (xpsp_sp2_gdr.041130-1729) Microsoft OLE for Windows
OLEAUT32.dll 77120000 573440 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180 
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Audio Filter
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
SHELL32.dll 7c9c0000 8470528 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.2578 (xpsp_sp2_gdr.041130-1729) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.2573 (xpsp_sp2_gdr.041130-1729) Shell Light-weight Utility Library
USERENV.dll 769c0000 733184 C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
comctl32.dll 773d0000 1056768 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0 (xpsp_sp2_rtm.040803-2158) User Experience Controls Library
comctl32.dll 5d090000 618496 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp_sp2_rtm.040803-2158) Common Controls Library
nview.dll 10000000 1392640 C:\WINDOWS\system32\nview.dll 6.14.10.6177 NVIDIA nView Desktop and Window Manager 61.77 
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Process Status Helper
NTMARTA.DLL 77690000 135168 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT MARTA provider
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAM Library DLL
nvwddi.dll aa0000 86016 C:\WINDOWS\system32\nvwddi.dll 6.14.10.6177 NVIDIA nView Display Driver Interface Lib, Version 61.77
appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.258 
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 
nvshell.dll b80000 458752 C:\WINDOWS\System32\nvshell.dll 6.14.10.6177 NVIDIA Desktop Explorer, Version 61.77 


Module information for 'winlogon.exe'
MODULE BASE SIZE PATH
winlogon.exe 1000000 524288 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Logon Application
ntdll.dll 7c900000 720896 C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Layer DLL
kernel32.dll 7c800000 999424 C:\WINDOWS\system32\kernel32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 593920 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
AUTHZ.dll 776c0000 69632 C:\WINDOWS\system32\AUTHZ.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Authorization Framework
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
CRYPT32.dll 77a80000 606208 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Crypto API32
USER32.dll 77d40000 589824 C:\WINDOWS\system32\USER32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP USER API Client DLL
GDI32.dll 77f10000 286720 C:\WINDOWS\system32\GDI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDI Client DLL
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
NDdeApi.dll 75940000 32768 C:\WINDOWS\system32\NDdeApi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Network DDE Share Management APIs
PROFMAP.dll 75930000 40960 C:\WINDOWS\system32\PROFMAP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
NETAPI32.dll 5b860000 344064 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Win32 API DLL
USERENV.dll 769c0000 733184 C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Process Status Helper
REGAPI.dll 76bc0000 61440 C:\WINDOWS\system32\REGAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Registry Configuration APIs
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Setup API
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Winstation Library
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 Helper for Windows NT
MSGINA.dll 75970000 1011712 C:\WINDOWS\system32\MSGINA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Logon GINA DLL
SHELL32.dll 7c9c0000 8470528 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.2578 (xpsp_sp2_gdr.041130-1729) Windows Shell Common Dll
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.2573 (xpsp_sp2_gdr.041130-1729) Shell Light-weight Utility Library
COMCTL32.dll 5d090000 618496 C:\WINDOWS\system32\COMCTL32.dll 5.82 (xpsp_sp2_rtm.040803-2158) Common Controls Library
ODBC32.dll 74320000 249856 C:\WINDOWS\system32\ODBC32.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 763b0000 299008 C:\WINDOWS\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Common Dialogs DLL
comctl32.dll 773d0000 1056768 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0 (xpsp_sp2_rtm.040803-2158) User Experience Controls Library
odbcint.dll 20000000 94208 C:\WINDOWS\system32\odbcint.dll 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) Microsoft Data Access - ODBC Resources
SHSVCS.dll 776e0000 143360 C:\WINDOWS\system32\SHSVCS.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Shell Services Dll
sfc.dll 76bb0000 20480 C:\WINDOWS\system32\sfc.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows File Protection
sfc_os.dll 76c60000 172032 C:\WINDOWS\system32\sfc_os.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows File Protection
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.2595 (xpsp_sp2_gdr.041130-1729) Microsoft OLE for Windows
Apphelp.dll 77b40000 139264 C:\WINDOWS\system32\Apphelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
WINSCARD.DLL 723d0000 114688 C:\WINDOWS\system32\WINSCARD.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Smart Card API
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Terminal Server SDK APIs
sxs.dll 75e90000 720896 C:\WINDOWS\system32\sxs.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Fusion 2.5
uxtheme.dll 5ad70000 229376 C:\WINDOWS\system32\uxtheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Library
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
cscdll.dll 76600000 118784 C:\WINDOWS\system32\cscdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Offline Network Agent
WlNotify.dll 75950000 106496 C:\WINDOWS\system32\WlNotify.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Common DLL to receive Winlogon notifications
WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Spooler Driver
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Multiple Provider Router DLL
rsaenh.dll ffd0000 163840 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 (xpsp.040706-1629) Microsoft Enhanced Cryptographic Provider
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAM Library DLL
msv1_0.dll 77c70000 143360 C:\WINDOWS\system32\msv1_0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Authentication Package v1.0
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) IP Helper API
fontabr.dll 10000000 765952 C:\WINDOWS\system32\1042\fontabr.dll 
shfolder.dll 76780000 36864 C:\WINDOWS\system32\shfolder.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Shell Folder Service
wininet.dll 771b0000 679936 C:\WINDOWS\system32\wininet.dll 6.00.2900.2577 (xpsp_sp2_gdr.041130-1729) Internet Extensions for Win32
OLEAUT32.dll 77120000 573440 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180 
wsock32.dll 71ad0000 36864 C:\WINDOWS\system32\wsock32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 32-Bit DLL
urlmon.dll 77260000 647168 C:\WINDOWS\system32\urlmon.dll 6.00.2900.2574 (xpsp_sp2_gdr.041130-1729) OLE32 Extensions for Win32
cscui.dll 77a20000 344064 C:\WINDOWS\system32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Client Side Caching UI
xpsp2res.dll 6a30000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 Messages
NTMARTA.DLL 77690000 135168 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT MARTA provider
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft MIDI Mapper
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258 
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.258


----------



## bgx9000 (Feb 28, 2005)

That is a very ugly post, I wish you luck reading through it. But I've got to get to sleep soon; I'll check back a few times, but I won't have any time to do any long fixes. I'll be back again tomorrow though, and hopefully we can get rid of this problem, whatever it actually is. Thanks a lot for all the help, and whatever directions you leave, I'll follow them right when I get a chance tomorrow.


----------



## Mosaic1 (Aug 17, 2001)

It's going to take me a while to look at this and to check my email. Let's call it a night. We can continue tomorrow. But do disconnect from the internet for the night.


----------



## bgx9000 (Feb 28, 2005)

Is it that important that I disconnect? I'm sorta downloading a huge file, and I want to hopefully finish downloading it by the weekend.


----------



## Mosaic1 (Aug 17, 2001)

My email is empty. Would you mind uploading to this forum please?
http://www.thespykiller.co.uk/forum/index.php

Join and then use the Upload Forum. Add a link to this thread and a brief explanation.

Thanks. Sorry. Sometimes hotmail blocks incoming.


----------



## Mosaic1 (Aug 17, 2001)

I don't know. If this is a downloader trojan, you may be extremely infected by the next time we look. When infected, it is best to stay off the internet unless working on the removal.


----------



## bgx9000 (Feb 28, 2005)

Here it is: http://www.thespykiller.co.uk/forum/index.php?topic=65.new#new
OK, I'll disconnect the internet, but that last sentence scared me. If I've had this downloaded for at least a week, which seems right, could it be that my computer is completely infected? Or did we already clean the possible infections? See, I'm sorta in the blue here; I have an idea of what is going on: a trojan downloader that continually infects my files and, when deleted, replaces itself. But if you can tell me, how are these normally fixed, and how serious is this virus? I gotta go for the night, thanks a lot for the help.


----------



## Mosaic1 (Aug 17, 2001)

Don't panic. I am getting some information and we'll go from there. These greedy you know whats want to make it impossible for you to clean up. You had other files on the drive which have been removed. I don't want them back if they were related. It's best to keep your computer as "Secure" as possible until we finish. Get some rest.


----------



## Mosaic1 (Aug 17, 2001)

This is a nasty from what little I can see. However, it is not seen as one by the online scanners yet. So it needs to be sent out and analyzed.


----------



## Mosaic1 (Aug 17, 2001)

OK, you are still there? You want to try to kill this now?


----------



## Mosaic1 (Aug 17, 2001)

It looked like CWShredder was missing. Is it? Does it work? If not there and not working, then download again.

If you do, then start the Killbox and set it up to end the explorer process.

Paste in this path and then just leave it as is. 
*C:\WINDOWS\system32\1042\fontabr.dll*

Close all notepads and other windows. Close Task Manager, all Internet Explorers, all Windows Explorer windows and anything else. Leave only the essentials running in the background. We are going to try and unload this dll from memory and then delete it. Reboot and see.

Open APM.

Highlight each running process, one at a time.

Look in the lower pane for fontabr.dll

If found, right click and choose unload dll.

Wait for the Done Message.

Go to the next process and do this until you have checked every process for the dll and unloaded it.

Use the killbox. Select Standard File kill and End Explorer Process.

Let's see if it does the job. If not, try a delete on reboot and restart right away.

Restart into Safe mode.
Go to Start > Run and type hijackthis
Press enter
Do not open any windows at all. 
Fix the entries again. Fix any new BHOs you see.

O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll

O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll

Check to see if the file is still there.
C:\WINDOWS\system32\1042\fontabr.dll

-----------------
Go to Start > Run and type 
%TEMP%
Press enter
Select all files and delete all.

Use Internet Options to delete your Temporary internet files. 
Delete all offline files too.

Run CWShredder. Press the fix button to clean.

Restart into Regular Windows. Run Hijackthis and post the results.


----------



## Bman74 (Mar 2, 2005)

Download this tool and run it. It found stuff my Norton missed.

http://vil.nai.com/vil/stinger/


----------



## dvk01 (Dec 14, 2002)

Can you see if there are any other files inside the C:\WINDOWS\system32\1042 folder, and upload anything inside that 1042 folder to Spykiller please?


----------



## dvk01 (Dec 14, 2002)

Looking at the fontabr.dll in a hex editor, it wants to connect to an Indian site and download a load of other files, which I assume will be in the local settings\temp folder.

There are lots of references to pop ups and adverts and change home page, so I would agree it is definitely bad and it has been sent off to all the AV vendors & anti spyware companies for further analysis.


----------



## dvk01 (Dec 14, 2002)

The other thing that would be helpful is that sometimes HJT says a file is missing when it isn't, so please check if any of these are still on the computer and if so upload them to Spykiller so we can check them out. It is not beyond the realm of possibility that even though we have stopped the file starting by removing its registry entry, one of the existing files could still be starting it in the background.

C:\WINDOWS\system32\MSrev4L.dll
C:\WINDOWS\system32\appge32.dll
C:\Program Files\ppstub\ppstub.exe
C:\WINDOWS\msagent\chars\cmdeula.dll
C:\WINDOWS\inf\tcpras.dll
C:\WINDOWS\REGIST~1\vbjava.dll


----------
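As an added example (not code from this thread or from any of the tools named in it), a small Python triage script that parses HijackThis log lines like the ones posted here and flags the pattern Mosaic1's instructions above fix: an O20 Winlogon Notify DLL sitting in a non-standard subfolder of system32 that is also registered as an O2 BHO, plus "(file missing)" entries that, as dvk01 notes, still need checking on disk. It assumes the system root is C:\WINDOWS; the sample lines are copied from the log posted in this thread.

```python
"""Triage a HijackThis (HJT) log for the persistence pattern this thread deals
with. Added example, not code from the thread; the system root C:\\WINDOWS is
assumed (the default on this XP box), and the sample lines are copied from the
log bgx9000 posted."""
import ntpath
import re
from collections import defaultdict

# HJT log lines copied from the posted log (constructed subset, offline sample).
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
MISSING_TAG = "(file missing)"
# Sections whose last " - " field is the path of the loaded module.
PATH_KINDS = {"O2", "O3", "O20"}


def parse_hjt(text):
    """Return one dict per HJT entry: kind (O2, O20, ...), body, path, missing."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        missing = body.endswith(MISSING_TAG)
        if missing:
            body = body[: -len(MISSING_TAG)].rstrip()
        path = body.rsplit(" - ", 1)[1] if kind in PATH_KINDS else None
        entries.append({"kind": kind, "body": body, "path": path, "missing": missing})
    return entries


def triage(entries, system_root=r"C:\WINDOWS"):
    """Flag the signs the helpers in this thread act on; returns (tag, kind, detail) tuples."""
    findings = []
    trusted_dirs = {system_root.lower(), ntpath.join(system_root, "system32").lower()}
    kinds_by_path = defaultdict(set)
    for e in entries:
        if e["path"]:
            kinds_by_path[e["path"].lower()].add(e["kind"])
    for e in entries:
        kind, path = e["kind"], e["path"]
        if e["missing"]:
            # HJT sometimes reports "file missing" for a file that is present:
            # confirm on disk before trusting the flag.
            findings.append(("verify_on_disk", kind, path))
        if kind == "O10":
            findings.append(("broken_lsp", kind, e["body"]))
        if kind == "O20" and path and ntpath.dirname(path).lower() not in trusted_dirs:
            # Winlogon Notify DLLs normally live directly in system32; a numeric
            # subfolder such as system32\1042 is the odd location seen here.
            findings.append(("notify_dll_odd_location", kind, path))
    for path, kinds in kinds_by_path.items():
        if {"O2", "O20"} <= kinds:
            # Same DLL registered as a BHO and as a Winlogon Notify package:
            # both entries must be fixed, or the survivor reloads the file.
            findings.append(("dual_persistence", "O2+O20", path))
    return findings


if __name__ == "__main__":
    for tag, kind, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{tag:26} {kind:6} {detail}")
```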



## Mosaic1 (Aug 17, 2001)

I installed and ran it offline. I was able to get rid of it but it was ugly.

APM hung. It did not give me the responses and the hourglass just sat there. However, I had Killbox set to unregister and remove. It could not do a standard removal, but I set it up to delete on reboot.

I fixed the entries in Hijackthis.

I could not shut down and had to press the button on the case to do so. This is not great.

However, when I returned, I was clean. The Notify entry and the BHO were both gone.


----------



## Mosaic1 (Aug 17, 2001)

Also have a look for this file:
VMDll.dll

It also created a hidden file named rbatnof.ini 

I never let this out on the internet and had more control over what it did that way.


----------



## bgx9000 (Feb 28, 2005)

Here's my HJT; apparently this virus doesn't want to leave.
Logfile of HijackThis v1.99.1
Scan saved at 4:41:08 PM, on 3/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqDIREC.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102829289093
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## Mosaic1 (Aug 17, 2001)

I know my instructions were a bit confusing. Let's try them again.
Close all Internet Explorer windows. Close all Windows Explorer windows.
Go to Start >Run and type
*regsvr32 /u C:\WINDOWS\system32\1042\fontabr.dll*

Press enter

Open the Killbox.

Set it to unregister before removing.

Paste in the path:
C:\WINDOWS\system32\1042\fontabr.dll

Select Delete on reboot. Do not press the button yet! 
Run APM again.

Wait a second. Use task manager >Processes

Find each of these entries if they exist, right click and End Process:

Explorer.exe
Iexplore.exe
Rundll32.exe

Go back to APM again. 
Find Winlogon on the list and highlight it. Look at the dlls listed in the lower pane.

Find fontabr.dll and right click, select unload dll.

It should give you some messages. Press yes and wait for the done message. Give it a minute. If it appears to hang then leave it and go to the Killbox in the next step. If no hang, then let it finish and you will get a series of prompts. Answer yes, and then it will eventually give you a done message.

Use the Killbox. Press the delete file button. Restart immediately. If hung, then press the button on the case to restart.

After you do that get back into windows and run hijackthis again.

Delete the entries as before if they are there.

Post a new hijackthis log.

If still no joy, we'll try another utility.


----------



## bgx9000 (Feb 28, 2005)

I did all you said, and it still didn't work. I even tried it in safe mode. See, when I did that thing with APM, after I got like 4 random messages, I got the done message, clicked, and my computer restarted. And every time I ended the process EXPLORER.EXE, my icons and all that stuff disappeared leaving only the APM program. And when I say restarted, I mean it did it on its own without warning, both times.


----------



## Mosaic1 (Aug 17, 2001)

Let's do the APM last then. When you end Explorer.exe, the icons etc do disappear. Since this file runs under explorer, I wanted to dump it from there.

I am going to set up something else. Bear with me and get the downloads.

Click here to download pskill.zip
http://www.sysinternals.com/files/pskill.zip

Extract pskill.exe to your system32 folder. It is a zip and the exe must be extracted to system32 for this to have any chance of working.

Download CopyLock from this page:
http://noeld.com/programs.asp?cat=misc

Extract the contents of the zip to a folder of its own on the C Drive.

Name the folder Copylock.

C:\copylock should end up with 4 files inside. No subfolders.


----------



## Mosaic1 (Aug 17, 2001)

I have to leave now. I hope to get back later.


----------



## bgx9000 (Feb 28, 2005)

Alright. Well, I did what you asked.


----------



## Mosaic1 (Aug 17, 2001)

I have been off installing this mess. It was a killer. Nothing would remove it. I almost had to use the Recovery Console. However, I did manage. Let's hope it wasn't a one time lucky shot.

Do you know how to restart into Safe mode with command prompt?

Use this link for directions, but when it comes time to choose, use the up arrow to select safe mode with command prompt. This will open a command prompt window on top of another black screen.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
Get familiar before we go to the next step.

I am writing a batch file to hopefully remove this. It uses pskill to end the winlogon process but on the same line it removes the entire 1042 folder, so it is very fast. Of course you get an immediate restart and have no choice there.

I then restarted into Windows and ran Hijackthis.

The folder was gone. The Notify entry said file missing.
I fixed that entry and the BHO entry. I am now clean.

Before I give you the final scenario and file, we need to test something.

Go to start >Run and type cmd
Press enter
In the prompt, Type
RD /?

Do you get an error or do directions come up? I want to be sure you can run this command.

Let me know.


----------



## Mosaic1 (Aug 17, 2001)

While you have the command open, then also type pskill and press enter. You should get directions and not an error if it is in place.

If RD and pskill are both good, then download the Zip attachment named getout.zip

Extract the file it contains (named getout.bat) to the C:\ drive.

You should now have this file ready for use later.
* C:\getout.bat*

Reboot to *Safe mode with command prompt only*

Not to any other Safe Mode or this won't work.

When the window opens, type

"C:\getout.bat"

Press enter

The batch will run and the computer will restart like before.

When you get back into Windows, run hijackthis.

Fix these two entries: (Hopefully there will be a file missing noted here)

O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll

O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll

Close Hijackthis and run it again. Those two entries should be gone for good. Are they?

There will be more. But let me know how you did and post one more Hijackthis log please.


----------



## bgx9000 (Feb 28, 2005)

I get options in the cmd thing to either /q or /s, one's quiet mode, one removes folders it seems. The pskill works, but when I type in RD, it doesn't recognize it.


----------



## Mosaic1 (Aug 17, 2001)

Excellent. How about pskill? Is that working?


----------



## bgx9000 (Feb 28, 2005)

Yeah, when I restart after running getout, should I restart back into safe mode? Oh and RD /? works, I didn't realize that's what you meant when you said RD, so yeah they both work.


----------



## bgx9000 (Feb 28, 2005)

I figure if this works it won't matter, so I'll get to it right now.


----------



## Mosaic1 (Aug 17, 2001)

I didn't. This should have removed the file and its folder.


----------



## Mosaic1 (Aug 17, 2001)

Good luck. See you shortly.


----------



## bgx9000 (Feb 28, 2005)

Sorry, but to no avail.... I saw when it was working though, it said something about fontabr.dll access denied.

Logfile of HijackThis v1.99.1
Scan saved at 8:43:22 PM, on 3/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\DOCUME~1\Owner\LOCALS~1\Temp\dckn.exe ren my_time:1109814033
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102829289093
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## Mosaic1 (Aug 17, 2001)

Shoot. You did boot to Command prompt only? Not to the Windows Shell Safe mode?


----------



## bgx9000 (Feb 28, 2005)

Yeah.


----------



## Mosaic1 (Aug 17, 2001)

Let's have a look at the file. If you have NTFS file system I wonder if there is a file permissions issue in addition to the other.

Look here to take ownership and see if this applies to you. 
http://support.microsoft.com/?kbid=308421


----------



## Mosaic1 (Aug 17, 2001)

Check the ownership situation for both the folder and the files it contains.


----------



## bgx9000 (Feb 28, 2005)

"All the options for this folder are disabled because this folder is used by the operating system." I don't think there's an ownership issue since this is the only account on my computer. But this is one hell of a tricky virus.


----------



## Mosaic1 (Aug 17, 2001)

This thing is brutal.


You are running the NTFS file system and not FAT32?
Do you by any chance have the Recovery Console installed?

If not, do you have a regular XP install CD? Not a recovery CD. A real Windows XP CD.


----------



## Mosaic1 (Aug 17, 2001)

No. Folder and file permissions exist in all NTFS systems. Even if there is only one account.


----------



## bgx9000 (Feb 28, 2005)

What do you mean by recovery console? And I don't think I still have the Windows XP disk.


----------



## Mosaic1 (Aug 17, 2001)

Also, let's try a registry search for

*fontabr*

not fontabr.dll

As for a search of the registry here's a very nice script to help you out.

Download it and run it. When it starts, you will be prompted to enter a search phrase. Do that and go have a cup of coffee.
When you get back, a message box will be there on the desktop. Say yes to open the results. Copy and paste the contents into a reply here. Once you close that file, it will be deleted, so please save it as results.txt. We may need it again.

Here's that link:
http://www.billsway.com/vbspage/
Find Registry Search Tool and download it.


----------



## Mosaic1 (Aug 17, 2001)

If you don't know, then you do not have it.

Go here to read about it:
http://www.webtree.ca/windowsxp/repair_xp.htm

Find the link named How to Access Recovery Console and click on it.


----------



## bgx9000 (Feb 28, 2005)

Nevermind, apparently the program worked in secret.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "fontabr" 3/2/2005 9:15:37 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ED748391-D25B-4A9B-BBD5-9F27E03E4A60}\InprocServer32]
@="C:\\WINDOWS\\system32\\1042\\fontabr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fontabr]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fontabr]
"DllName"="C:\\WINDOWS\\system32\\1042\\fontabr.dll"

[HKEY_USERS\S-1-5-21-809299238-3784137826-972506294-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"a"="C:\\WINDOWS\\system32\\1042\\fontabr.dll"

[HKEY_USERS\S-1-5-21-809299238-3784137826-972506294-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll]
"a"="C:\\WINDOWS\\system32\\1042\\fontabr.dll"

[HKEY_USERS\S-1-5-21-809299238-3784137826-972506294-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"f"="regsvr32 /u C:\\WINDOWS\\system32\\1042\\fontabr.dll\\1"

[HKEY_USERS\S-1-5-21-809299238-3784137826-972506294-1003\Software\WinRAR\DialogEditHistory\ArcName]
"0"="fontabr.rar"


----------



## Mosaic1 (Aug 17, 2001)

Ok. Nothing odd there. I was looking at your last log again. This is new:
O4 - HKCU\..\RunOnce: [*WinLogon] C:\DOCUME~1\Owner\LOCALS~1\Temp\dckn.exe ren my_time:1109814033

Do not restart until you Delete the contents of your Temp Folder and fix that entry. See if it reappears.

But first would you upload dckn.exe at the other site again please?


----------



## bgx9000 (Feb 28, 2005)

Alright.


----------



## Mosaic1 (Aug 17, 2001)

Let's check for ADS (Alternate Data Streams)

Run hijackthis. Click the Config Button. Then click on Misc Tools.

Click on Open ADS Spy. Remove the check from the "Quick Scan" box and let it scan.


When finished, Click the save Log button and post the results.


----------



## Mosaic1 (Aug 17, 2001)

I'll give you time to catch up. It's possible that even though very little is running at Safe Mode Command prompt only, that the file was loaded on your system even though it wasn't on mine. Rundll32 restarts very fast.


----------



## bgx9000 (Feb 28, 2005)

C:\WINDOWS\appaq32.dll : kfnyn (104265 bytes)
C:\WINDOWS\appfd.dll : lrjsn (29911 bytes)
C:\WINDOWS\aqadcup.rcf : vzyjb (11330 bytes)
C:\WINDOWS\atlsc32.dll : bzrovo (11330 bytes)
C:\WINDOWS\atlta32.dll : lajtxy (29911 bytes)
C:\WINDOWS\atlxj.dll : kxtvgv (11592 bytes)
C:\WINDOWS\atlyz.dll : vzxncq (7305 bytes)
C:\WINDOWS\atlzl32.dll : gzptxs (3547 bytes)
C:\WINDOWS\Belt.ini : yaiyzd (68096 bytes)
C:\WINDOWS\crgb32.dll : untle (27570 bytes)
C:\WINDOWS\daemon.dll : fzulz (90624 bytes)
C:\WINDOWS\daemon.dll : gziqq (11330 bytes)
C:\WINDOWS\dirsaver.ini : zasdk (27570 bytes)
C:\WINDOWS\ieey32.dll : ttwla (27570 bytes)
C:\WINDOWS\iefm32.dll : zlevw (104265 bytes)
C:\WINDOWS\ipyx32.dll : cnirh (29911 bytes)
C:\WINDOWS\javayn32.dll : agnfb (27570 bytes)
C:\WINDOWS\ntfv.dll : tswig (27570 bytes)
C:\WINDOWS\ntsi32.dll : tcbze (27570 bytes)
C:\WINDOWS\patchw32.A824.dll : vkjuu (99019 bytes)
C:\WINDOWS\Prefetch\AQADCUP.RCF : VZYJB-2811BA66.pf (8208 bytes)
C:\WINDOWS\Sti_Trace.log : mxmsw (27570 bytes)
C:\WINDOWS\syspq.dll : diilt (27570 bytes)
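
The checks the thread applies by hand to the HijackThis log posted earlier (a Winlogon Notify DLL sitting in an odd subfolder of system32, a RunOnce entry launching from Temp, one DLL registered both as a BHO and as a Notify package) and to the ADS Spy listing just above (many streams of identical size on unrelated host files) can be scripted. This is an added example, not code from the thread, HijackThis or ADS Spy; the sample lines are copied from the logs posted in this thread, and the heuristics are assumptions drawn from the thread's own reasoning rather than anything those tools implement.

```python
"""Scripted triage of HijackThis (HJT) log lines and ADS Spy output.

Added example, not code from the thread, HijackThis or ADS Spy. The heuristics
are assumptions taken from the thread's reasoning:
  * an O20 Winlogon Notify DLL that does not sit directly in system32,
  * an O4 Run/RunOnce entry that launches from a Temp folder,
  * one DLL registered both as a BHO (O2) and as a Notify package (O20),
  * alternate data streams of identical size on several host files, which
    suggests copies of one payload rather than unrelated streams.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: selected lines from the HJT log posted in the thread.
SAMPLE_HJT = r"""
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\RunOnce: [*WinLogon] C:\DOCUME~1\Owner\LOCALS~1\Temp\dckn.exe ren my_time:1109814033
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Constructed sample: selected lines from the ADS Spy listing posted above.
SAMPLE_ADS = r"""
C:\WINDOWS\appaq32.dll : kfnyn (104265 bytes)
C:\WINDOWS\crgb32.dll : untle (27570 bytes)
C:\WINDOWS\daemon.dll : fzulz (90624 bytes)
C:\WINDOWS\dirsaver.ini : zasdk (27570 bytes)
C:\WINDOWS\ieey32.dll : ttwla (27570 bytes)
C:\WINDOWS\iefm32.dll : zlevw (104265 bytes)
C:\WINDOWS\Sti_Trace.log : mxmsw (27570 bytes)
"""

HJT_LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# A quoted path, or an unquoted one cut at the first .exe/.dll extension.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.+?\.(?:exe|dll))\b', re.I)
ADS_LINE_RE = re.compile(r"^(.+?) : (.+?) \((\d+) bytes\)$")


def parse_hjt(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, rest of line, extracted path or '') for each O-line."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        pm = PATH_RE.search(rest)
        path = (pm.group(1) or pm.group(2)) if pm else ""
        entries.append((section, rest, path))
    return entries


def triage_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (finding, path) pairs for entries that match the heuristics."""
    entries = parse_hjt(text)
    bho_dlls = {p.lower() for s, _, p in entries if s == "O2" and p}
    findings = []
    for section, _, path in entries:
        low = path.lower()
        if not low:
            continue
        if section == "O20":
            parts = low.split("\\")
            # Legitimate Notify packages normally live directly in system32.
            if len(parts) < 2 or parts[-2] != "system32":
                findings.append(("notify_outside_system32", path))
            if low in bho_dlls:
                findings.append(("bho_and_notify_same_dll", path))
        if section == "O4" and "\\temp\\" in low:
            findings.append(("autorun_in_temp", path))
    return findings


def parse_ads_spy(text: str) -> List[Tuple[str, str, int]]:
    """Return (host file, stream name, size in bytes) per ADS Spy line."""
    out = []
    for line in text.splitlines():
        m = ADS_LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3))))
    return out


def repeated_stream_sizes(text: str, min_count: int = 2) -> Dict[int, List[str]]:
    """Group streams by size and keep sizes shared by at least min_count streams."""
    by_size: Dict[int, List[str]] = {}
    for host, stream, size in parse_ads_spy(text):
        by_size.setdefault(size, []).append(f"{host}:{stream}")
    return {s: v for s, v in by_size.items() if len(v) >= min_count}


if __name__ == "__main__":
    for finding, path in triage_hjt(SAMPLE_HJT):
        print(f"{finding:26} {path}")
    for size, streams in sorted(repeated_stream_sizes(SAMPLE_ADS).items()):
        print(f"{len(streams)} streams of {size} bytes: {', '.join(streams)}")
```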


----------



## bgx9000 (Feb 28, 2005)

I'm all caught up. If we don't find a cure, do you think an internet fix will come up relatively soon?


----------



## Mosaic1 (Aug 17, 2001)

This is relatively new, and it is a mess.

Ok. Once again I installed and had a struggle. Booted again into Safe Mode with command prompt. We do not want the windows shell loading.
The batch and command last used didn't work. Access denied.


What to do?

In the prompt I typed:

Start hijackthis
Pressed enter

Scanned with hijackthis.

Selected the two entries. (the BHO and the Notify) Did not press the fix checked button. 
Went over to the prompt again.

Typed:
Start D:\APM\APM.exe
Pressed enter.

You would type your path to APM.exe

Highlighted Winlogon.exe and then in the lower pane found fontabr.dll and right clicked. Selected unload dll and let it fight it out. It never showed Done but I did get a couple of the initial message boxes. This is good when it does this. I then seem to have better luck. 

Went over to Hijackthis and pressed the fix checked button.

APM was fighting.

I scanned with HT again. Chose the two entries again and cleaned.
APM continued to run. 

I cleaned and scanned again. This time Hijackthis did not show the two entries coming back. I quickly went to the command prompt and typed:
pskill Winlogon.exe

Pressed enter.

It was killed and there was a restart.

I am clean again.

This is messy and not reliable, but when APM successfully injects itself and "distracts" the nasty, it seems to do the trick. But you never know if it will do just that. 

(I checked the processes and in Safe Mode with Command Prompt, fontabr.dll is only loaded into Winlogon.exe)


Again, this is one on one and instinct. I cannot give you anything more specific because it keeps changing.

Give it a try and see if you can do it.


----------



## bgx9000 (Feb 28, 2005)

I'll go now and try my best.


----------



## bgx9000 (Feb 28, 2005)

It's not working too well. I managed to get the APM to do its thing and the pskill to work, but I don't know how to get into hijackthis. What's the exact address I have to type to reach hijackthis from the command prompt? It's hard to talk through posts, I have a new idea thingy. My APM doesn't stop, it goes from click to click to done. And if I'm lucky I have just enough time to do pskill winlogon.exe. So when I learn how to reach hijackthis from the command prompt, would I be able to use it before all the other programs? I mean, can I click hijackthis, and then APM and then winlogon, or does hijackthis have to be used after APM? Also, the thing you aren't sure about, are you unsure that if I pull it off it'll work, or are you unsure that it's possible for me to pull off?


----------



## bgx9000 (Feb 28, 2005)

Alright, I tried and it didn't work. I think I may try one more time for tonight for good measure. I'll be back tomorrow, thanks again for the time and effort and help.


----------



## Mosaic1 (Aug 17, 2001)

Start Hijackthis

That's all you should need.


----------



## Mosaic1 (Aug 17, 2001)

C:\DOCUME~1\Owner\LOCALS~1\Temp\dckn.exe

It's in your temp folder.

Start>run 
%Temp%
Press enter.


----------



## bgx9000 (Feb 28, 2005)

Yeah, I ran all 3 of 'em and it still didn't work.


----------



## Mosaic1 (Aug 17, 2001)

All I can tell you is it's a matter of timing, and skill + luck. I am able to do it on and off. You have to distract the nasty running under Winlogon with APM, LOL. Run HT and scan. Clean, scan, clean until it doesn't come back. And all this time let APM do battle. Then when you finally get a clean Hijackthis scan, quickly pskill Winlogon.
We cannot automate this now.


I have no more helpful general advice at this point. It is very nasty. If you cannot find your Install CD to use Recovery console to remove the file, ask a friend if you can borrow their install CD just so you can access Recovery Console. Or buy one. 


Did you by chance Slipstream SP2 when you installed it to create a new CD?


----------



## Mosaic1 (Aug 17, 2001)

It's been a long hard day on the forums. I am signing off for now.


----------



## Metallica (Jan 28, 2003)

Hi Mo,

What a mess.

About the *Winlogon key. This tool used to work:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html

I am also willing to try Processguard on it, but that would have to wait until the weekend.

Best regards,

Pieter


----------



## Mosaic1 (Aug 17, 2001)

Hi Pieter,
I'll download and have a look at those tools too, thanks. 

I have spent most of that past 24 hours on this.

It also loads a copy of itself into anything mentioned in the run keys. I don't know if there is a limit to how many copies it will inject into the various processes. I load very little. So what's left after that is to kill explorer. However, this file is always loaded into Winlogon. With the exception of my lucky timing, I have yet to have a successful unload so that I can then delete the file.

Neither Copylock nor Killbox works. It is protecting and must remove the Pending.... data. 

So unless you use RC or have another utility, this is just about as nasty as it gets. I tried every combination of commands and process kills. But this is persistent.
Now I never let it out on the internet and have no extra files. This is just the pure he!! of this file and how it works. It has a protect function. It does crash my explorer when I load it. And if I change any of its entries in the registry it puts them all right back again.

This poor computer has been restarted dozens of times, I would guess, in trying to get a smooth and easier removal. So if another tool may help, I am up for it.


Thanks for the help.


----------



## bgx9000 (Feb 28, 2005)

Yeah, thanks. It sucks to think that people would put so much time and effort into making such a mean virus. But let's talk about last ditch efforts. Would a system restore work, or would it still be on my computer? Would the only end-all option be to reinstall Windows?


----------



## Mosaic1 (Aug 17, 2001)

At this point I have removed it here several times successfully. However I installed a controlled infection. If you have a Restore Point it may be infected. It may not be. 

You can always undo it if no help. A lot of people are working on this at the moment. It's slow going. 

That Runonce I mentioned before is a definite nasty and is a part of this infection.


----------



## bgx9000 (Feb 28, 2005)

I appreciate all of the help. My computer still works even with the virus on it, and if I clean the temp files a lot it can run somewhat manageably, and with Firefox I don't have to deal with the stupid home site changes. So I think I'll hold off on a full system restore. If I did a system restore, well, last time I did it for a problem, it didn't work, so I don't see it working this time. I mean, I've had this virus for at least 2 weeks, maybe more. But if I restored, it would be a factory restore back to the beginning. I still have faith that the virus can be stopped though.


----------



## Mosaic1 (Aug 17, 2001)

You do not want to run around the internet with a compromised system. 

I was talking about using a system Restore Point if you had one. That is reversible if it doesn't work. Not using the restore disk to go back to the beginning.


----------



## bgx9000 (Feb 28, 2005)

Well, can I go to trusted sites? I won't go running off, but I mean here, maybe IGN, Pitchfork, Yahoo, etc?


----------



## Mosaic1 (Aug 17, 2001)

It's your computer and your decision how you use it. People are working to try and solve this one. How long that will take, I can't say.


----------



## bgx9000 (Feb 28, 2005)

I really really appreciate this. I think it's great that you guys help other people who aren't as good with computers solve problems, it's a really nice thing. I can't keep praising without coming off weird, so I'll just say thank you.


----------



## Mosaic1 (Aug 17, 2001)

I have been at it again this afternoon and my findings are the same. So you likely have files I do not and they are hiding where we do not usually see or look for files.


----------



## bgx9000 (Feb 28, 2005)

I'd look around but I have no clue what to look for. This weekend I'll be up till whenever and I'll do whatever you need me to do in order to make it easier for you to find the problem.


----------



## Mosaic1 (Aug 17, 2001)

Ok I am taking some time too. But I'll see what the latest is and I know some file names and possible locations. This may end up to be a lot of work with no guarantees.
Thanks. I did get your other file.


----------



## Mosaic1 (Aug 17, 2001)

As a start, and this is a work in progress, Please download the zip attachment.

Create a new folder and extract the batch file it contains named
*getfiles.bat*

Double click on getfiles.bat

When it has finished it will have created a large file named files.txt in that same folder. I need to see it, but it is too big to upload here.

Right click on files.txt and choose Send To > Compressed.

Attach the compressed file in your next reply here please.


----------



## bgx9000 (Feb 28, 2005)

I hope I did this right.


----------



## Mosaic1 (Aug 17, 2001)

Yes. You did it exactly right. I have been tied up most of the day. I did look at your report and you have some charming company there. I need until tomorrow to formulate the next step. We will ask for file samples and also for you to run more files to have a closer look at certain areas of your hard drive.

In the meantime also please download a program called AgentRansack:

http://www.mythicsoft.com/agentransack/

We may need to use it to find more files later by searching for certain text inside the files themselves. This is a tedious and slow process, but effective. At least I hope so.


----------



## Mosaic1 (Aug 17, 2001)

It looks like Trend Micro and AboutBuster missed a lot and left junk behind. Did you successfully run AboutBuster? I would like you to update the program and then run it again, please.


----------



## Mosaic1 (Aug 17, 2001)

This is the first in a series of posts with instructions to be followed.

Before you do anything else, I would like copies of the following files listed in the quote box, please. Would you upload them the same as you did before at the other site? Some will be deleted in the next step, so please get me the copies first. You may have to copy to several folders and then zip and upload. There's a size limit.
http://www.thespykiller.co.uk/forum/index.php


> izgjb.log
> aqadcup.rcf
> CoDUO.INI
> tumai.log
> ...


------------------------------

Next we are going to clean up a lot of leftovers.
Download the zip attachment. Extract the file it contains.
It is named *Windows delete.bat*

Double click on Windows delete.bat

It will delete some junk but not everything. In the next step we will get rid of the 0 byte files.


----------



## Mosaic1 (Aug 17, 2001)

This next zip contains a vbs script. If you have script blocking you will get a warning about a malicious script. Please let it run. It is not malicious. I wrote it.
This is going to go into your Windows and then Windows\system32 folders and create a new folder in each named zeros. Then it will move all those *0 byte dll files* into the folders.
When it has finished you will have a folder named zeros in Windows and another in System32 containing the 0 byte dll files.

The script will open a window in Explorer view with the zeros folder highlighted for the two folders: Windows and System32 as its last step.

Look in each to see the zeros folder. Hover your mouse over the zeros folder to see that it is really 0 bytes and that it does contain files. You can choose to delete the entire zeros folder if it is only 0 bytes. Otherwise leave it alone and let me know.

So now hopefully the 0 byte dll files in both windows and system32 will have been dealt with.


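Mosaic1's script itself is not posted, but the quarantine step it describes is a simple one. Here is an added example (mine, not the thread's VBS script and not anything attached to the post) that does the same job in Python: it moves every 0-byte .dll in a folder into a subfolder named zeros, and then performs the check the post asks the user to do by hovering over the folder, confirming that everything in zeros is really 0 bytes. The demo runs against a throwaway folder with a few constructed files instead of Windows\system32; the function names and the temporary folder are this example's own choices.

```python
"""Quarantine 0-byte .dll files into a 'zeros' subfolder (added example)."""
import shutil
import tempfile
from pathlib import Path

# The subfolder name used in the post; created inside each folder that is cleaned.
ZEROS = "zeros"


def find_zero_byte_dlls(folder):
    """Return the 0-byte *.dll files directly inside `folder` (not recursive)."""
    folder = Path(folder)
    return sorted(
        p for p in folder.iterdir()
        if p.is_file() and p.suffix.lower() == ".dll" and p.stat().st_size == 0
    )


def quarantine_zero_byte_dlls(folder):
    """Move each 0-byte .dll in `folder` into `folder/zeros`; return the new paths."""
    folder = Path(folder)
    dest = folder / ZEROS
    moved = []
    for dll in find_zero_byte_dlls(folder):
        dest.mkdir(exist_ok=True)        # only created when there is something to move
        target = dest / dll.name
        shutil.move(str(dll), str(target))
        moved.append(target)
    return moved


def folder_only_holds_zero_bytes(folder):
    """The 'hover and check' step: True if the folder is non-empty and every file is 0 bytes."""
    folder = Path(folder)
    files = [p for p in folder.iterdir() if p.is_file()]
    return bool(files) and all(p.stat().st_size == 0 for p in files)


def demo():
    """Run the quarantine against a constructed throwaway folder (stand-in for system32)."""
    root = Path(tempfile.mkdtemp(prefix="zeros_demo_"))
    (root / "aaa.dll").write_bytes(b"")             # constructed 0-byte dll: should move
    (root / "bbb.DLL").write_bytes(b"")             # constructed, upper-case extension: should move
    (root / "real.dll").write_bytes(b"MZ\x90\x00")  # constructed non-empty dll: must stay put
    (root / "note.txt").write_bytes(b"")            # 0 bytes but not a dll: must stay put
    moved = sorted(p.name for p in quarantine_zero_byte_dlls(root))
    remaining = sorted(p.name for p in root.iterdir() if p.is_file())
    zeros_ok = folder_only_holds_zero_bytes(root / ZEROS)
    shutil.rmtree(root)
    return moved, remaining, zeros_ok


if __name__ == "__main__":
    print(demo())  # (['aaa.dll', 'bbb.DLL'], ['note.txt', 'real.dll'], True)
```

Only files of zero length are touched, so a legitimate DLL that merely lives in the same folder is never moved; that is what makes deleting the whole zeros folder afterwards a safe step.
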
----------



## Mosaic1 (Aug 17, 2001)

This next attachment is another batch file. Download and extract it to its own folder. It is going to create a folder named Copies in there. Duplicates of some extremely suspicious files from an assortment of folders will be placed inside.

Please zip and upload it at Spykiller.

If it is too large, break it up.

Be very careful here. These are in my opinion, nasty. We will assess and then have you delete the originals once we are sure. We will be looking at them and sending them out to experts for analysis.


----------



## Mosaic1 (Aug 17, 2001)

Download the attachment and unzip the file it contains to a new folder.

Double click on Get more Dirs.bat to run the batch.

This is going to look into a few more folders to get the files they contain.
when it has finished, it will have created another text file named
more dirs.txt

Attach more dirs.txt to your next reply please.


----------



## Mosaic1 (Aug 17, 2001)

Finally it's time to clean out the Downloaded Programs Folder.

Normally you do not have this kind of access. But by unregistering a dll, you'll be able to go in, see, and clean up. When you finish register the dll again.

Step 1) Go to Start > Run
Copy this command and press enter:

regsvr32 /u occache.dll

After this has been done, go to
C:\windows\downloaded program files

Delete these folders:
CONFLICT.1
CONFLICT.2
CONFLICT.3

Delete these files:
kdx.inf
valent.inf
payload2.inf
QaBar.inf
QaBar.dll
UGO20.exe
ttinst.dll
ttinst.inf
ISTactivex.inf
VwrCtl.inf
gsda.dll
cc.inf
sporder.dll
sporder_.dll

Si.dll
isetup.inf
iSetup.dll
iSetup.exe
146 default.inf

Close the folder.

Go back to Start > Run
Paste in this command and press enter:
*regsvr32 occache.dll*

Now re-open Downloaded Program files. It will look different.

Right click on any of the objects and choose properties. If it says damaged, delete.

The good thing is that if you really need one of these, you will be prompted to download it the next time you visit a web page. *And do be careful not to allow just any object to install.* This is one way Spyware gets in. ActiveX in the DPF.

I'll see you much later. This should keep you busy for a while. Once we see your uploaded files and assess the situation, we can help you better. Go slowly. Read each post and do the task. Don't skip ahead or you'll be overwhelmed. I did it this way on purpose so it would be broken up into easy to digest segments.

Good luck,
Mo


----------



## Mosaic1 (Aug 17, 2001)

Some of the files the batch will try to remove will not delete because they are Alternate Data Streams. We'll get those later.


----------



## bgx9000 (Feb 28, 2005)

I didn't follow the last step yet, but I'm just going to post the get dirs.txt for you.


----------



## Mosaic1 (Aug 17, 2001)

I just got here and am reading the last file you uploaded. What is SBSI? It looks like that folder in the help folder has to do with training. Is this a legitimate program you have installed on your computer?


----------



## bgx9000 (Feb 28, 2005)

I re-ran AboutBuster and found a lot more stuff. Anyway, I finished all of your directions.


----------



## bgx9000 (Feb 28, 2005)

For all I know it might be, but I don't recall it. Maybe if I had what the letters stood for.


----------



## Mosaic1 (Aug 17, 2001)

It looks like it is legitimate. If not, they would have gone to tremendous trouble. However, do a search for it. 
See what you come up with.


I am analyzing and will have something for you later. I am in the US eastern time zone. I hope to have a plan mid evening.


----------



## bgx9000 (Feb 28, 2005)

I'm in the same time zone (NY) and will be home later, anywhere from 10-1.


----------



## Mosaic1 (Aug 17, 2001)

I am here for a very short time tonight and we may miss each other. Let me give you instructions to prepare for another removal attempt.

I have attached another zip.

It contains a batch file and a Reg file.

Extract out.bat directly to your C:\ drive.

So you will have C:\out.bat

This is very important. We are going to try and run it on reboot after another attempt at using APM and Hijackthis. 

Extract the reg file to your desktop. Its name is Runonceex.reg

Empty the contents of your Temp folder again.

Double click on Runonceex.reg and say yes to the confirmation box. 

Sign off and unplug your modem.
Retry the APM / Hijackthis fix. Be sure to kill Explorer.exe, rundll32.exe and any other process you see other than winlogon under which fontabr.dll is loaded. Then highlight Winlogon, find fontabr on the list and right click. Click unload dll. 

Remember to use HijackThis to fix the two entries (the notify and BHO) while APM is keeping the dll busy. Do not press the OK button on that last message box until you have successfully used HijackThis and scanned again to find that the entries have not returned.

During the restart which will happen, a file will run to try and delete the reinstall and other files. 

Back in Windows, shut down the computer entirely.

Restart into Safe Mode. Start APM And see if Winlogon is still loading fontabr.dll

If so see if you can unload it using Hijackthis and APM again. 

Double click on Runonceex.reg again.

Restart into Regular Windows. Reconnect and run hijackthis again.

I am not sure this is going to work. Manipulating APM and Hijackthis is up to you. I can only guide you in that part. 

We may have to go back and find more files later. I am not sure if this will allow us to do it this way. But it's the best I can think of other than booting to Recovery Console and deleting all files by hand and hoping we got them all. And you do have a few other leftovers elsewhere to clean up.

Post back with how you did and a new log.


----------



## Mosaic1 (Aug 17, 2001)

I want to caution you about screensavers. They are executable code and can be a great place from which to execute malicious code. 

Delete these files from the windows directory when you get into Safe mode :
izgjb.log
tumai.log
hmqd.exe.bak
Nbmm.exe.bak
RMAgentOutput.dll


----------



## bgx9000 (Feb 28, 2005)

It didn't work. When I restarted, by the way, no program ran like you said it would. So what happened is that I fought with the virus, but every time in HijackThis, I got the BHO to go away pretty easily but it took a lot of tries to get rid of the notify fontabr. But when I did get rid of it, it always came back in the next HijackThis scan. Even when I got rid of it and made it restart right away in safe mode, it didn't work. I guess there is something constantly bringing it back, but what?


----------



## Mosaic1 (Aug 17, 2001)

You wouldn't see it running. However, instead of having you reboot into Safe Mode again, let's try regular mode only. Don't go to Safe Mode.


The nasty may be removing the reg key we have added to try and prevent the reinstall. If that's the case, we are in trouble. 

Empty the contents of your Temp folder again.

Double click on Runonceex.reg and say yes to the confirmation box.

Sign off and unplug your modem.
Retry the APM / Hijackthis fix. Be sure to kill Explorer.exe, rundll32.exe and any other process you see other than winlogon under which fontabr.dll is loaded. Then highlight Winlogon, find fontabr on the list and right click. Click unload dll.

Remember to use HijackThis to fix the two entries (the notify and BHO) while APM is keeping the dll busy. Do not press the OK button on that last message box until you have successfully used HijackThis and scanned again to find that the entries have not returned.

During the restart which will happen, a file will run to try and delete the reinstall and other files. You will not see any evidence that it is running. 

Back in Windows, shut down the computer entirely.

Restart again. Start APM and see if Winlogon is still loading fontabr.dll.

If so see if you can unload it using Hijackthis and APM again.

Double click on Runonceex.reg again.

Restart into Regular Windows again. Reconnect and run hijackthis again.

I am not sure this is going to work. Manipulating APM and Hijackthis is up to you. I can only guide you in that part.

We may have to go back and find more files later. I am not sure if this will allow us to do it this way. But it's the best I can think of other than booting to Recovery Console and deleting all files by hand and hoping we got them all. And you do have a few other leftovers elsewhere to clean up.

Post back with how you did and a new hijackthis log. 


After you do this, I would also like you to run getfiles.bat again and post the results. We may have to resort to using Agent Ransack and try to find more files on the hard drive. 
That will be for tomorrow.


----------



## bgx9000 (Feb 28, 2005)

The problem is, I can never get rid of the 2 things in my HijackThis. That's my main problem. Every time I click fix, like 10 times, it disappears for less than a second; when I rescan it's back again.


----------



## Mosaic1 (Aug 17, 2001)

Double click on Runonceex.reg and say yes to the confirmation box.

Sign off and unplug your modem.
Retry the APM / Hijackthis fix. Be sure to kill Explorer.exe, rundll32.exe and any other process you see other than winlogon under which fontabr.dll is loaded. Then highlight Winlogon, find fontabr on the list and right click. Click unload dll.

When you run APM There will be several message boxes.

Press each one:

a
b
c, hProc=
p parameters


Do not click ok on any more messages after you have clicked the p parameters. Keep at it with hijackthis

If you manage to get rid of the entries permanently, then press the final one and then you'll get the done and a restart. 


Restart into Regular Windows Mode. If no success, then if you have no access to Recovery Console, at the moment we have no more options. 

Let me know how you do.


----------



## bgx9000 (Feb 28, 2005)

I did that already and I just did it again. Like I said, the 2 files in HijackThis never permanently go away. Even after 30 fixes.


----------



## Mosaic1 (Aug 17, 2001)

That's all I can offer you for now then. This thing is very slick. Short of going to Recovery Console to remove the file, I have no good or helpful advice.

Were you ever able to get a regular install CD to access Recovery Console?


----------



## bgx9000 (Feb 28, 2005)

I might have it, but I'm still unsure what Recovery Console is. Is it anything similar to System Restore? Or is it the Windows install disk?


----------



## Mosaic1 (Aug 17, 2001)

Check to see if you have a regular install CD. An MS install CD for Windows XP. Not a recovery disk made by your computer manufacturer.

It will allow you to get to Recovery Console. RC is a command line mode, and from it we can delete fontabr.dll.

But first we need a disk.


----------



## Mosaic1 (Aug 17, 2001)

Go to this page, find the link named How to Access Recovery Console and click on it. It will have information so you are more familiar with the Recovery Console and what it is.

http://www.webtree.ca/windowsxp/repair_xp.htm

Also, are you running XP home or XP Pro?


----------



## bgx9000 (Feb 28, 2005)

I don't see one. Should I try and order one from HP? I'm running XP Home Edition.


----------



## dvk01 (Dec 14, 2002)

The only other suggestion I have got is that Kaspersky 5 seems to be about the best at finding and curing many of these deep-seated infections, so it can't do any harm installing the trial version and trying it to see what else it finds and fixes.

Full instructions for installing and running it are here:
http://www.thespykiller.co.uk/bube.htm

I would be very interested in seeing the KAV log after doing all this, as without a RC and a full XP CD I can't see any other relatively easy way.


----------



## dvk01 (Dec 14, 2002)

Another suggestion has come forward.
It looks like this pest is set to expire on Sat, 04-Jun-2005 00:00:00 GMT, so set your computer clock forward to a date after that, say 04 JULY 2005, and reboot. Then it's very possible that the protection will not be there and we can delete all the files normally.

If it thinks that its time is up it will hopefully not attempt to download any more of the files and will release its protection.

Also look for any of these files on the computer and try and delete them. Use Killbox on them so that we will have copies, and if you can submit the copies it would be very helpful. They are almost certainly in the system32 folder.

pem.exe, bakav.dll, xmlc.dll, dckn.exe, fontabr.dll, guiplugin.dll, acc.exe, ConMain1.exe, ConMain.exe, ConSec.exe, ctts.exe, dck.exe, dckn.exe, edck.exe, update.dat


----------



## Mosaic1 (Aug 17, 2001)

If you have an HP then you have a recovery partition and likely no hope of getting a regular install disk from them. You would have to buy one from a computer store.


Also, I had asked you to run getfiles.bat again so I could see if those files had been successfully deleted and what the current status was. Would you do that please?


----------



## bgx9000 (Feb 28, 2005)

When I ran getfiles.bat, a black command prompt looking thing came up, things ran, and that was it. There was nothing that I knew of that was showable. Also, I set the clock later and it didn't do anything. I noticed that all of the number folders in system32 are empty except 2. 1042 has fontabr.dll, and 1033 has dwintl.dll. Might this mean something?


----------



## bgx9000 (Feb 28, 2005)

Also, when I tried to install that virus scan thing, when I ran it, the trial version, it said I needed a key which I didn't have.


----------



## Mosaic1 (Aug 17, 2001)

That's how it should be. Remember last time? It will generate a large file named files.txt

If you would zip that and attach in your next reply along with a new Hijackthis log.


----------



## Mosaic1 (Aug 17, 2001)

dwintl.dll in 1033 is a Microsoft file.


----------



## bgx9000 (Feb 28, 2005)

Here are your requests. By the way, I've tried many, many times in and out of safe mode to get rid of those 2 files in HijackThis using HJT and APM, but they never stay gone for more than 1 second.

Logfile of HijackThis v1.99.1
Scan saved at 5:09:54 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\Config\comdisk.exe ren my_time:1120766398
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102829289093
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


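The two entries the thread keeps circling back to, the O20 Winlogon Notify line and the O2 BHO line, both point at the same DLL in a numbered system32 subfolder, and the log also carries a RunOnce value whose name starts with an asterisk (a RunOnce value prefixed with `*` is also run in Safe Mode, which is why the Safe Mode attempts above did not help) and a broken LSP line. The following is an added example, mine and not a HijackThis feature, of a small triage pass over HJT log lines that flags those entry types and reports when one DLL appears under both O2 and O20. The sample lines are copied from bgx9000's 7/7/2005 log above (a constructed subset, not the full log); the finding labels, severities and function names are this example's own.

```python
"""Triage HijackThis log lines for Winlogon Notify / BHO persistence (added example)."""
import re
from collections import defaultdict

# Constructed subset of the 7/7/2005 log posted above (lines copied verbatim).
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {ED748391-D25B-4A9B-BBD5-9F27E03E4A60} - C:\WINDOWS\system32\1042\fontabr.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\Config\comdisk.exe ren my_time:1120766398
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O20 - Winlogon Notify: fontabr - C:\WINDOWS\system32\1042\fontabr.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# First drive-letter path ending in .dll or .exe; non-greedy so paths with spaces still match.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)
# system32\<digits>\ : the numbered locale folders the thread found fontabr.dll hiding in.
LOCALE_SUBDIR_RE = re.compile(r"\\system32\\\d+\\", re.IGNORECASE)
# A RunOnce value whose name begins with '*' is processed even in Safe Mode.
SAFE_MODE_RUNONCE_RE = re.compile(r"\\RunOnce: \[\*")


def parse_entries(text):
    """Yield (kind, body) for every 'Oxx - ...' style line in the log."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def first_path(body):
    """Lower-cased first .dll/.exe path in an entry body, or None if there is none."""
    m = PATH_RE.search(body)
    return m.group(0).lower() if m else None


def triage(text):
    """Return (severity, kind, reason, detail) findings for an HJT log, in log order."""
    findings = []
    dll_kinds = defaultdict(set)  # path -> set of entry kinds it appears under
    for kind, body in parse_entries(text):
        path = first_path(body)
        if path:
            dll_kinds[path].add(kind)
        if kind == "O20":
            findings.append(("high", kind, "Winlogon\\Notify DLL is loaded inside winlogon.exe", body))
        elif kind == "O2" and path and LOCALE_SUBDIR_RE.search(path):
            findings.append(("high", kind, "BHO loaded from a numbered system32 locale subfolder", body))
        elif kind == "O4" and SAFE_MODE_RUNONCE_RE.search(body):
            findings.append(("high", kind, "RunOnce value prefixed with '*' also runs in Safe Mode", body))
        elif kind == "O10":
            findings.append(("medium", kind, "Broken LSP chain; repair with an LSP tool rather than deleting", body))
    # The pair the thread fights with: one DLL registered both as a BHO and as a Notify handler.
    for path, kinds in sorted(dll_kinds.items()):
        if {"O2", "O20"} <= kinds:
            findings.append(("critical", "O2+O20",
                             "same DLL is a BHO and a Winlogon Notify handler; fix both while it is unloaded", path))
    return findings


def summarize(text):
    """Finding counts per severity."""
    counts = defaultdict(int)
    for severity, *_ in triage(text):
        counts[severity] += 1
    return dict(counts)


if __name__ == "__main__":
    for severity, kind, reason, detail in triage(SAMPLE_LOG):
        print(f"[{severity:8}] {kind:6} {reason}\n           {detail}")
```

Run over the sample, the pass produces three high findings (O2, O4 RunOnce, O20), one medium (O10) and one critical correlation on `c:\windows\system32\1042\fontabr.dll`; the correlation is the useful part, since either entry on its own looks like an ordinary fix-and-forget HijackThis line.
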
----------



## Mosaic1 (Aug 17, 2001)

Ok, I have a plan. It may or may not work. It worked here but may not there. But I need to check out your files first.


----------



## Mosaic1 (Aug 17, 2001)

Your zip attachment is corrupt. Please create a new one and attach it in your next reply.


----------



## Mosaic1 (Aug 17, 2001)

Also, please open up APM.exe and highlight rundll32.exe.

Look in the lower pane to see if fontabr.dll is listed.


----------



## Mosaic1 (Aug 17, 2001)

The file is good. Can you not go anywhere while I read this? I am going to try and post shortly.


----------



## Mosaic1 (Aug 17, 2001)

Download the attachment named slots.zip and extract slots.bat to your desktop.

I'll try to finish but the site is not allowing my uploads. I am having a lot of trouble doing this.


----------



## Mosaic1 (Aug 17, 2001)

Download the attached out.zip file again. It contains a new out.bat.

Go to C: and delete the out.bat you already have in there.

After you do that, extract out.bat from this zip and put it in C:\

Download the second attachment named Runonceex.zip
Extract the *runonceex.reg* file it contains to your desktop.

Follow these directions exactly in the order they are given.

Sign off the internet and UNPLUG YOUR MODEM!

Run APM.exe to find out which processes listed in the upper pane are loading fontabr.dll. Leave APM up and running.
Use Task Manager to kill any processes other than explorer.exe and Winlogon which are loading fontabr.dll. Leave Explorer.exe and Winlogon running.

Merge the runonceex.reg you have on the desktop by double clicking on it and saying yes when prompted.

Start the batch to run the loop. Double click on *slots.bat*
It will look weird when you run it. Ignore it. Just minimize it when you start it and let it run.

It is going to kill explorer. Your taskbar and desktop will disappear.

In APM Select Winlogon.exe in the upper pane. Right click on fontabr.dll in the lower pane and click Unload dll

Let it run and click yes on each message box as it comes up, and then it will do its reboot.

When you get back, check the status of the infection using hijackthis and looking for System32\1042\fontabr.dll to see if it is gone. If still infected, repeat. Repeat this a few times. Again, it's a matter of luck and timing.

Do not plug your modem back in until you are either clean or are giving up.
To try again do all of the steps again. Skip nothing other than re downloading the attachments. LOL

Good luck.

Before you go back on the internet, go to Start >Run and type
%temp%

Press enter
Select all files in your temp folder and delete all.


----------



## bgx9000 (Feb 28, 2005)

HOORAY!

Logfile of HijackThis v1.99.1
Scan saved at 9:01:58 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102829289093
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Is there any way to guarantee this sucker won't come back anytime soon on its own?


----------



## bgx9000 (Feb 28, 2005)

But anyway, I ran the slots. It didn't work the first few times. What I learned was, after slots runs, the text moves really fast: it says file removed, then it runs really fast and says file cannot be removed, slows and says file removed, in that pattern. So in APM I got to Done right when it says file removed and got rid of that nasty virus (I hope). Fontabr.dll is not in APM under winlogon anymore either.


----------



## bgx9000 (Feb 28, 2005)

And fontabr.dll and its sister files are not in C:\windows\system32\1042 either.


----------



## Mosaic1 (Aug 17, 2001)

YEAH! Keeping fingers crossed!

If you did set your System time and date ahead as Derek had suggested, please let me know. I want to note it. And if you did, then set it back to what it should be.

We have some cleanup to do. You have a lot of leftover junk on your hard drive. I had made files earlier to remove some junk but they didn't seem to get it all or maybe I didn't upload again. At any rate, let's get rid of some orphan nasty files (some mentioned in this file won't be there. That's ok) and then have you go for updates and security. Then do come back for other follow-up.

Once you have run the batch extracted from this latest attachment, and you have rebooted a time or two, be sure everything is in working order. It is time to flush your system restore points. Once you do that you will not be able to correct any problems you may have now by going back to a point before today.

After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
----------------------------

Then get some security tips and programs including the latest Windows Updates:

Here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html

See you after that.


----------



## Mosaic1 (Aug 17, 2001)

Yup. We killed everything in the 1042 folder during the reboot. 


Exactly. Slots is a reg key remover. fontabr.dll puts those entries back almost as soon as they are deleted. So letting APM unload fontabr while we repeatedly remove those keys and hope the keys are finally gone on reboot so nothing gets reloaded and removing the runonce keys is the trick. It's nerve wracking, but you did it. 

Great work.


----------



## bgx9000 (Feb 28, 2005)

I had it previously set ahead, and I set it back after. I don't know whether or not it affected the removal.


----------



## Mosaic1 (Aug 17, 2001)

According to what the theory is, after a certain date it will not download files again. I am not sure if that is 100% though.


----------



## Mosaic1 (Aug 17, 2001)

I didn't tell you to look at the command screen because I was hoping you would have some luck and that also I wasn't sure if the human eye and reflexes would beat the timing. But you did great. I named it slots for a reason. Like a slot machine it kept rolling.


----------



## Mosaic1 (Aug 17, 2001)

Now that you have resolved this issue there are a few other things in your log we should address. One is Viewpoint Manager. We generally recommend you uninstall it using Add Remove Programs.

And you seem to have an issue with a missing file for your Norton Toolbar. This one:
NavShExt.dll

You may need to reinstall Norton to get that working.

Here are the entries in Hijackthis to fix. I included the Norton Toolbar because of the missing file. A file for your Companion toolbar is missing too. A reinstall there would be easiest, I think.

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe

O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll



----------
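A small triage parser for the HijackThis log format that the posts above work through, added here as an example; it is not part of the thread and not HijackThis code. The sample lines are constructed from the shape of the posted log, and the Viewpoint watch-list entry is a hypothetical encoding of the helper's advice to uninstall it.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v1.99 log format (lines shaped like the
# log posted in this thread, not a live capture).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HJT finding starts with a section tag (R0-R3, F0-F3, N1-N4, O1-O23).
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Hypothetical watch-list: the substring match is automated, the verdict is
# the helper's advice from this thread (uninstall Viewpoint).
UNWANTED = {"viewpoint": "Viewpoint: uninstall via Add/Remove Programs"}

@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)

def parse_hjt(text: str) -> list:
    """Keep only finding lines; headers and the process list are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(Entry(m["section"], m["body"]))
    return out

def triage(text: str) -> list:
    """Attach review flags to each finding, mirroring the manual review above."""
    entries = parse_hjt(text)
    for e in entries:
        if e.body.endswith("(file missing)"):
            # Dangling registration: fix it in HJT or reinstall the product.
            e.flags.append("file-missing")
        if e.section == "O10" and "missing" in e.body:
            # Broken Winsock LSP chain: needs an LSP repair, not a plain delete.
            e.flags.append("broken-lsp")
        for needle, verdict in UNWANTED.items():
            if needle in e.body.lower():
                e.flags.append(verdict)
    return entries

def needs_action(text: str) -> list:
    """Bodies of every flagged entry, in log order."""
    return [e.body for e in triage(text) if e.flags]
```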



## bgx9000 (Feb 28, 2005)

Ok, I removed all the stuff, and while I was in add/remove programs I did some additional cleaning, mostly old games and such. Any more cleanup on the list?


----------



## Mosaic1 (Aug 17, 2001)

Are there any other profiles aka Users on the computer?


----------



## bgx9000 (Feb 28, 2005)

Nah, just me.


----------



## Mosaic1 (Aug 17, 2001)

Good. If there are entries in the HKCU of other profiles and someone signs in and there is a file leftover, it could start the entire process all over again.

Did you do the restore points yet? Go ahead and finish that and get your security in place for now.

It's 10:00 here and I am going to call it an early night. 

If you also want to be sure your Norton is in working order, do a reinstall, and then update and do a full system scan.

I'll get a few other odds and ends together for you tomorrow when I have a chance and post.


----------



## bgx9000 (Feb 28, 2005)

Awesome, I'll refix Norton.


----------



## Mosaic1 (Aug 17, 2001)

How is the computer running?

This attachment will clean up a few orphan registry keys. Extract cleanup.reg and double click on it to run. Say yes to the prompt.

If you have any leftover files, they are orphans and not running. Never double click on any file unless you know what it is. Never register any dll or ocx unless you know what it is.


----------



## bgx9000 (Feb 28, 2005)

It's actually running great thanks to you.


----------



## Mosaic1 (Aug 17, 2001)

Thanks. That's good to hear. You did a great job too. Did you have any problems with the restore points or installing any security programs, running AV etc?


----------



## bgx9000 (Feb 28, 2005)

Nope, everything is running top notch.


----------



## bgx9000 (Feb 28, 2005)

Looks like I've found a bump, a big one. I'd assume it's because of all the fixing we did. My graphics card, which I bought like a year ago and had put in, an NVIDIA GeForce 5800, is having trouble. Whenever I try to play games and open it up, I get an error and the thing freezes. Apparently we messed up OpenGL; it may be easily fixable with a driver update. Do you have any experience in this field?


----------



## Mosaic1 (Aug 17, 2001)

Did the card come with an install CD? If so, use that and see if a reinstall of the drivers works. If that doesn't work, what is the exact error message you are getting. Also, this could be a directx problem too.


----------



## Mosaic1 (Aug 17, 2001)

I went back a few pages to review what was removed. I don't see anything which would cause this. Did you remove anything other than just games?



> Ok, I removed all the stuff, and while I was in add/remove programs I did some additional cleaning, mostly old games and such. Any more cleanup on the list?


This could be a coincidence and you might have some corruption.

I would recommend scheduling a chkdsk to run at next boot and then see what, if anything, it finds.

Start a command prompt and type in

chkdsk C: /r

You'll be told the current volume cannot be locked. Then you'll be asked if you want to schedule a check at next reboot. Say yes.

After you do that and get back into Windows you can get a summary of the results in Event Viewer

Go to start >run and type eventvwr.msc

Press enter.

Click on Application in the left pane. Look for Information, Winlogon in the right pane to find the results of the chkdsk.

Also, you might have a look there for any errors regarding your Video or directx if the driver reinstall doesn't help.


----------



## Mosaic1 (Aug 17, 2001)

Removing games may have taken something along with it that it shouldn't have.

Installation hints:

http://www.nvidia.com/object/driver_installation_hints.html


----------



## bgx9000 (Feb 28, 2005)

I don't know the exact message since the comp freezes when I try to open the game, but it's an OpenGL error.


----------



## Mosaic1 (Aug 17, 2001)

Did you read my other posts? Go ahead and do that. At this point, skip the chkdsk. I am thinking that the uninstall of a game may have taken something else out with it.

Did you find the install CD for your video card?

Here's an nvidia page with drivers for download. But an uninstall and reinstall of your current drivers might be best as step one.

http://www.nvidia.com/object/winxp_2k_66.93

Before you try any install read this page:
http://www.nvidia.com/object/driver_installation_hints.html


----------



## bgx9000 (Feb 28, 2005)

I'm gonna have to wait till Saturday to do it, but it'll definitely be done Saturday.


----------



## Mosaic1 (Aug 17, 2001)

OK. I have been reading about problems with OpenGL and nvidia. But before you jump, do the reinstall and if no joy an upgrade of the drivers. If you hate the new drivers, they can be rolled back in Device Manager.

I am assuming that you were able to use these same games before and they are not new. So that it is not the case that this problem was not evident because it was never tested before.


----------



## Mosaic1 (Aug 17, 2001)

Start out first by creating a system restore point for insurance.


----------



## bgx9000 (Feb 28, 2005)

I've been pretty sick lately, I'll have to hold off the computer fixing for a bit, but from what I know it's most likely a problem that will be fixed with a driver upgrade.


----------



## bgx9000 (Feb 28, 2005)

I did the driver upgrade and everything works beautifully. Thanks a lot for all the help.


----------

